
Criminals are increasingly using social engineering attacks to penetrate corporate IT defences, the Sans Institute has warned.
The security training organisation's latest annual list of the top 20 attack targets reveals that hackers have stepped up their use of phishing and other social engineering attacks as network defences become more robust.
Alan Paller, research director at the Sans Institute, said
anti-malware technology now offered "reasonable countermeasures"
for corporate networks. As a result, criminals are turning to
indirect attacks, such as tricking staff into revealing passwords,
or planting malicious code on websites.
Paller said the most successful attacks came from "spearphishing" and "whaling". This involves attackers sending phishing e-mails to individuals with known job titles - especially senior staff - and using social engineering techniques to con their way into networks or obtain sensitive information.
"The new attacks are much harder to defend against, and they are
morphing and adding sophistication weekly, and sometimes daily,"
Paller said. "There is no technical defence against a social
engineering attack because defeating it requires a change in human
behaviour."
The Sans research found an increase in hackers planting
malicious code on corporate websites. The code installs backdoor
Trojans on the PCs of those visiting the site.
The websites of public sector bodies and small firms, which may
be less defended or hosted by third parties, are most at risk, said
Paller.
He said the web was becoming riddled with infected sites that
could spark outbreaks of malware attacks. "The new issue is how to
find the bad guys when they are getting better at hiding."
Guy Bunker, chief scientist at security firm Symantec, said web-based attacks could seriously harm a company's reputation. In September, malware hidden on the Bank of India's website caused customers' PCs to be infected with some of the most destructive pieces of malware in circulation, he said.
The Sans Institute advised businesses to use penetration testers
to test their websites and to use products that automate tests.
"Fixing the architecture is very hard," Paller said. "You may have
to redevelop the applications completely."
Countermeasures and best practice
● Protect databases with a firewall
● Deploy intrusion detection and prevention systems
● Change default user IDs and passwords
● Encrypt customer data
● Audit database accesses
● Keep software patches up to date
● Assess your vulnerability regularly
● Pay close attention to SQL injection in web applications.
Source: NGS