Malware outmaneuvers security

GCN Insider

The SANS Top 20 Internet Security Risks of 2007

  • Web browsers.
  • Office software.
  • E-mail clients.
  • Media players.
  • Web applications.
  • Windows services.
  • Unix and Mac OS services.
  • Backup software.
  • Antivirus software.
  • Management servers.
  • Database software.
  • Instant messaging.
  • Peer-to-peer programs.
  • VOIP servers and phones.
  • Excessive user rights and unauthorized devices.
  • Phishing/spear phishing.
  • Unencrypted laptop PCs and removable media.
  • Zero-day attacks.

As online attacks become more targeted and increasingly stealthy, traditional security measures of updating patches and complying with regulatory mandates are failing many government agencies, said Alan Paller, director of research at the SANS Institute.

'The federal government has a compliance-based approach to security,' Paller said at the unveiling of the latest list of the top 20 Internet security risks. 'That model can't last, because the attackers change the attacks at such a rate that the model is broken.'

Two major trends in this year's list of threats are social engineering to dupe individual executives, information technology staff and others with privileged access so that high-value computers can be compromised; and the targeting of custom-built Web applications that can expose data on the server side and infect additional computers on the client side.

'The browser today is the main gateway for malware,' said Gerhard Eschelbeck, chief technology officer at Webroot Software.

Variants of malicious code are changing so quickly that signature-based antivirus engines cannot keep up, and attacks targeted at individuals often cannot be stopped by signature recognition, Paller said.

Half the total vulnerabilities reported in 2007 have been in Web applications, according to Rohit Dhamankar, senior manager of security research at TippingPoint Technologies. In addition to Web application vulnerabilities, there has been a sharp jump in vulnerabilities found in Microsoft Office products, including Excel, Word and Visio. Twenty-three critical vulnerabilities have been identified in the suite so far in 2007, up from six in 2006.

An emerging threat is a type of spear-phishing attack being called whaling, because it is aimed at individual high-value targets, such as senior executives or IT administrators. An e-mail message crafted to gain the confidence of the individual persuades the person to execute an attachment or go to a compromised site so that the computer is infected.

The complete list with details on each vulnerability is available at You will notice that there are only 18 vulnerabilities on the list, but SANS kept the Top 20 title for consistency.

About the Author

William Jackson is a Maryland-based freelance writer.
