
Hackers are increasingly using corporate websites to
distribute malware and steal company information, security
researchers surveyed by the Sans Institute have warned.
The US educational body's list of the 10 most dangerous cyber
threats reveals growing technical expertise and professionalism
among hackers acting for financially or politically motivated
paymasters.
IT bosses need to respond by
setting up cyber defences in depth, limiting access to information
on a need-to-know basis, and educating users, said Timothy
Mullen, vice-president of consulting services at UK-based NGS
Software.
Alan Paller, research director at the Sans Institute, said
attackers were targeting popular, trusted websites where users have
an expectation of effective security.
Criminals are using insecure websites to infect the browsers of
visitors with viruses, Trojans and keyloggers. These malicious
programs use browser components such as Flash and QuickTime, which
are seldom patched automatically, to install themselves in the
browser.
"One of the latest such modules,
mpack, claims a 10% to 25% success rate in exploiting browsers
that visit sites it has infected. Such tools give attackers a huge
advantage over the unwary public," Paller said.
As companies have improved their defences, so criminals are
turning to new avenues of attack.
Security specialists have even reported malware in digital
devices shrink-wrapped at the factory. These include disc drives,
USB data sticks, global positioning systems and digital photo
frames, said former White House security adviser and survey
contributor Howard Schmidt.
Schmidt said manufacturers and suppliers of digital devices with
memory might have to reassess how they treat security. "Security is
now one of the top five things designers and manufacturers must
address," he said.
Schmidt cited the Federal Aviation Authority's requirement last
week that
Boeing redesign its onboard data networks to prevent hackers
accessing the avionics in its new Dreamliner aircraft. "I'll bet as
soon as the story broke there wasn't one CEO not on the phone
asking, 'Do we have this problem and how do we fix it?'" Schmidt
said.
Sans Institute Top 10 Cyber Threats for 2008
1. Increasingly sophisticated website attacks that exploit
browser vulnerabilities
2. Increasing sophistication and effectiveness in botnets
3. Cyber espionage efforts by well-resourced organisations to
extract large amounts of data for economic and political
purposes
4. Mobile phone threats, especially against iPhones, Google's
Android phones, and voice over IP systems
5. Insider attacks
6. Advanced identity theft from persistent bots
7. Increasingly malicious spyware
8. Web application security exploits
9. Increasingly sophisticated social engineering to provoke
insecure behaviour
10. Supply chain attacks that infect consumer devices