Security menaces for 2008

NEW ORLEANS--As security professionals gear up for 2008, here are a few things they should keep in mind: The perimeter is dead and their Web applications are probably not adequately secured. Also, their mobile phones may get hacked.

Earlier this week, the SANS Institute released its list of attacks that are most likely to cause substantial damage for the upcoming year. Expect to see more targeted phishing, or "spear phishing," as well as a growing recognition that most Web applications have serious security flaws, according to Alan Paller, director of research for SANS Institute. Paller spoke at the SANS Security 2008 conference, being held this week in New Orleans.

Paller pointed out how spear phishing has grown more sophisticated. Last year malicious hackers purloined a customer database, populated mostly with business managers, and sent the individuals e-mails pretending to be from the Federal Trade Commission. The e-mails asked them to respond to an attached letter within a set period of time.

"You're an executive. You get a note from the FTC. What are you going to do? Throw it away? I don't think so," Paller said. Of course, the attachment contained a virus.

It is these kinds of highly sophisticated attacks that lead Paller to believe the perimeter is dead.

"Even if you would have built a better perimeter, one of your [users] would have fallen for that," Paller said. "You can get your perimeter almost perfect, but if one [of these attachments get clicked upon], it's gone."

Because such attacks are highly targeted, the usual perimeter-based security defenses, such as anti-virus software, can do little to mitigate them.

Another area of concern is the growing focus on Web applications. Over the past few years, malicious hackers have shifted their attention from attacking the network to probing applications for vulnerabilities. In particular, the nefarious have turned their sights to Web applications, which tend to be less secure. Vulnerabilities such as cross-site scripting and SQL injection have been around for several years, although only recently have they garnered more attention, thanks in part to the influx of Web 2.0 applications.

"The biggest job opportunity [for IT professionals] this year is application security penetration testing," Paller said.

The 10 SANS vulnerabilities, in order of estimated seriousness, are:
  1. Sophisticated Web site attacks exploiting browser vulnerabilities
  2. Increasingly sophisticated botnets
  3. Cyber espionage by well-resourced organizations
  4. Mobile phone threats
  5. Insider attacks
  6. Advanced identity theft from persistent bots
  7. Increasingly malicious spyware
  8. Web application security exploits
  9. Blended social engineering and phishing attacks
  10. Supply chain attacks infecting consumer devices such as USB thumb drives, photo frames, and MP3 players.

For exploration of each of these menaces, visit the SANS Web site.

Founded in 1989, SANS Institute is a cooperative research and education organization offering training and documentation for IT security professionals. It also runs the Internet Storm Center, a free analysis and early warning service for Internet users.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.

