Security menaces for 2008
- By Joab Jackson
- Jan 17, 2008
NEW ORLEANS--As the security professionals gear up for 2008, here are a few things they should keep in mind: The perimeter is dead and their Web applications are probably not adequately secured. Also, their mobile phones may get hacked.
Earlier this week, the SANS Institute released its list of attacks that are most likely to cause substantial damage for the upcoming year. Expect to see more targeted phishing, or "spear phishing," as well as a growing recognition that most Web applications have serious security flaws, according to Alan Paller, director of research for SANS Institute. Paller spoke at the SANS Security 2008 conference, being held this week in New Orleans.
Paller pointed out how spear phishing has grown more sophisticated. Last year malicious hackers purloined a Salesforce.com customer database, populated mostly with business managers, and sent the individuals e-mails pretending to be from the Federal Trade Commission. The e-mails asked them to respond to an attached letter within a set period of time.
"You're an executive. You get a note from the FTC. What are you going to do? Throw it away? I don't think so," Paller said. Of course, the attachment contained a virus.
It is these kinds off highly sophisticated attacks that lead Paller to believe the perimeter is dead.
"Even if you would have built a better perimeter, one of your [users] would have fallen for that," Paller said. "You can get your perimeter almost perfect, but if one [of these attachments get clicked upon], it's gone."
Because such attacks are highly targeted, the usual perimeter-based security defenses, such as anti-virus software, can do little to help mitigate such attacks.
Another area of concern is the growing focus on Web applications. Over the past few years, malicious hackers have shifted their attentions from attacking the network to probing applications for vulnerabilities. In particular, the nefarious have turned their sites to Web applications, which tend to be more unsecured. Vulnerabilities such as cross-site scripting and SQL injection have been around for several years, although only more recently have they garnered more attention thanks in part to the influx of Web 2.0 applications.
"The biggest job opportunity [for IT professionals] this year is application security penetration testing," Paller said.
The 10 SANS vulnerabilities, in order of estimated seriousness are:
- Sophisticated Web site attacks exploiting browser vulnerabilities
- Increasingly sophisticated botnets
- Cyber espionage by well-resourced organizations
- Mobile phone threats
- Insider attacks
- Advanced identity theft from persistent bots
- Increasingly malicious spyware
- Web application security exploits
- Blended social engineering and phishing attacks
- Supply chain attacks infecting consumer devices such as USB thumb drives, photo frames, and MP3 players.
For exploration of each of these menaces visit the SANS Web site.
Founded in 1989, SANS Institute is cooperative research and education organization offering training and documentation for IT security professionals. It also runs the Internet Storm Center
, a free analysis early warning service for Internet users.
Joab Jackson is the senior technology editor for Government Computer News.