Since attacks are no longer tied solely to a set of software flaws,
the SANS Institute has renamed its annual
Top 20 vulnerabilities list this year to the "Top 20 Attack
Targets."
Product vulnerabilities continue to top the Bethesda, Md.-based
institute's list of threats, but human error has also made the
list, given users' susceptibility to
phishing scams.
"Smart people are falling for phishing because attackers are
coming up with more sophisticated techniques," said Allan Paller,
research director at the SANS Institute. For example, he said, "If
a company is making plans to go public, phishers can send emails to
employees that look like a progress report on the IPO, including
the name of the CEO. The email looks the way it's supposed to and
it's trusted."
Among this year's top 20 are six major attack trends:
- A surge in zero-day attacks that go beyond Internet Explorer to
target other Microsoft software.
- A rapid growth in attacks exploiting vulnerabilities in
ubiquitous Microsoft Office products such as PowerPoint and
Excel.
- A continued growth in targeted attacks.
- Increased phishing attacks against military and government
contractor sites.
- A surge in VoIP (Voice over Internet Protocol) attacks in which
attackers can intercept and sell company meeting minutes, inject
misleading messages or create massive outages in the old phone
network.
- Ever-increasing attacks against Web application
flaws.
Paller said IT security officers shouldn't underestimate the
ability of hackers to exploit
VoIP for financial gain.
"Law enforcement has told me they're dealing with multiple
active cases where someone took over a company's VoIP system, stole
the minutes, then they turned around and sold them," he said. "VoIP
systems are a front door into a program that runs entire phone
systems. Attackers can exploit VoIP to change what you hear and can
cause huge outages."
He said another big trend this year is the increased penetration
of government systems through targeted attacks that use phishing
and other tactics.
"People think things are better because they haven't seen many
worm attacks," Paller said. "But in reality, attackers are using
quieter, more targeted tactics that have given them much more
success. As targeted attacks become the main economic threat,
phishing really comes into play."
Human error made it onto the top 20 because of all the
successful attacks that required involvement from the user, he
said. Meanwhile, last year's big trend of increased
attacks against Web application flaws continued this year.
In a written statement, SANS said changes to this year's list
don't mean attackers have stopped using tactics and flaws
announced in earlier reports. For example, Apple computers are
being increasingly targeted, as was previously predicted. "In
reality, few attack patterns are ever discarded," Paller said. "The
attacks are automated and continue to be used, but many
organizations have established defensive strategies to minimize the
risk from the older attack patterns."
Going forward, he said, attacks will increase against cell
phones and appliances such as digital printers.
Paller said IT administrators should use the SANS list to adjust
their network defenses and get upper management support for new
security procedures and investments.
"Your first stop should be the CEO's office," Paller said. "Show
them the information and tell them you don't have the capacity to
beat this. Ask them to get together with other CEOs and really put
pressure on the industry to bake security into their products."