SANS Flags Browsers, Botnets as Top Security 'Menaces'
Research and education organization the SANS Institute this week revealed its list of the top menaces facing IT in the coming year. Echoing earlier reports from security watchdog organizations, the group's "Top-10 Cyber Security Menaces for 2008" cited Web 2.0 technologies, converged devices, botnets, and browser addons among the worst, with a heavy emphasis on consumerized technologies and the vulnerabilities they present.
These "consumerized" technologies include a wide range of Web applications, online media, and consumer devices (like the iPhone) designed to take advantage of them. They're the sorts of technologies over which IT has very little control, as students, faculty, and staff bring their personal electronics to campus and otherwise insinuate themselves in the enterprise.
Top-10 Security Menaces of '08
1. Browser Exploits
2. Botnets
3. Espionage via Targeted Phishing
4. Mobile Devices and VoIP
5. Insider Attacks
6. Identity Theft via Persistent Bots
7. Increasingly Malicious Spyware
8. Web 2.0/Web Application Exploits
9. Blended Approaches to Phishing
10. Infected Consumer Devices
Source: The SANS Institute, January 2008
At the top of the SANS Institute's list comes one of these technologies: digital media and other related technologies that users access through browser addons such as Flash and QuickTime.
Said the report, "Web site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, Web site attacks have migrated from simple ones based on one or two exploits posted on a Web site, to more sophisticated attacks based on scripts that cycle through multiple exploits, to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads."
Converged consumer communications devices, like the iPhone and other types of smart phones, come in at No. 4. Other types of consumer electronics, such as USB thumb drives, GPS systems, and others, come in at No. 10 on the list.
And, like other recent reports, SANS also names Web 2.0 and other types of Web applications as major culprits.
Back in October, Georgia Tech's Information Security Center released a report entitled "GTISC Emerging Cyber Threats Report for 2008," in which Web 2.0 was cited first as one of the threats to watch in 2008. And earlier this month, the UK's KPMG released a report for the business sector called "Risk concerns stall uptake of Web 2.0 technology in the workplace," in which more than half of the executives surveyed for the report cited security fears as major barriers to institutional adoption of Web 2.0 technologies.
So Web 2.0 is definitely on the minds of security-conscious admins.
In the SANS report, Web 2.0 came in at No. 8 in the list.
"Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes 'user supplied data.' In 2008, Web 2.0 vulnerabilities will be added to more traditional programming flaws and Web application attacks will grow substantially," the report said.
Botnets, Phishing, Espionage, and 'Blended' Threats
The SANS report also warned of increasing sophistication of more traditional data security threats. The institute said botnets will become more effective over the course of this year, as new variants of 2007's Storm worm emerge. Botnets were listed as 2008's No. 2 threat.
Espionage and "insider attacks" also made the top 5 in the SANS list. Espionage in this context is targeted mainly toward government and military, while insider attacks affect any organization. Insider attacks have been compounded, according to the institute, by the breakdown of security barriers, allowing insiders "to attack both from the inside and from outside an organization's network boundaries."
Persistent bots and increasingly malicious spyware are also threats to watch. Persistent bots reside on computers for months collecting data, including passwords. Spyware is becoming increasingly sophisticated, attacking or dodging anti-virus and other software, making investigations and detection increasingly difficult.
Finally, the group also warned of a new menace to security: blended and event-based approaches to phishing.
"Blended approaches will amplify the impact of many more common attacks," the report said. "For example, the success of phishing is being radically increased by first stealing IDs of users of other technologies. Even if it is non-targeted, event phishing is gaining in sophistication. Tax filing scams and scams based on the U.S. Presidential elections will be widely used this year, and many of them will succeed. A note with the subject 'Hillary drops out of the race' or 'Rudy and female staffer caught on film' could generate huge new botnets of people who are interested in politics but may not have patched their systems fully."
The report was compiled by the SANS Institute from input from a dozen security veterans.