Criminals are increasingly using social engineering attacks to penetrate corporate IT defences, the Sans Institute has warned.
The security training organisation's latest annual list of the top 20 attack targets reveals that hackers have stepped up their use of phishing and other social engineering attacks as network defences become more robust.
Alan Paller, research director at the Sans Institute, said anti-malware technology now offered "reasonable countermeasures" for corporate networks. As a result, criminals are turning to indirect attacks, such as tricking staff into revealing passwords, or planting malicious code on websites.
Paller said the most successful attacks came from "spearphishing" and "whaling". These involve attackers sending phishing e-mails to individuals with known job titles - especially senior staff - and using social engineering techniques to con their way into networks or obtain sensitive information.
"The new attacks are much harder to defend against, and they are morphing and adding sophistication weekly, and sometimes daily," Paller said. "There is no technical defence against a social engineering attack because defeating it requires a change in human behaviour."
The Sans research found an increase in hackers planting malicious code on corporate websites. The code installs backdoor Trojans on the PCs of those visiting the site.
The websites of public sector bodies and small firms, which may be less defended or hosted by third parties, are most at risk, said Paller.
He said the web was becoming riddled with infected sites that could spark outbreaks of malware attacks. "The new issue is how to find the bad guys when they are getting better at hiding."
Guy Bunker, chief scientist at security firm Symantec, said web-based attacks could seriously harm a company's reputation. In September, malware hidden on the Bank of India's website caused customers' PCs to be infected with some of the most destructive pieces of malware in circulation, he said.
The Sans Institute advised businesses to use penetration testers to test their websites and to use products that automate tests. "Fixing the architecture is very hard," Paller said. "You may have to redevelop the applications completely."
Countermeasures and best practice
● Protect databases with a firewall
● Deploy intrusion detection and prevention systems
● Change default user IDs and passwords
● Encrypt customer data
● Audit database accesses
● Keep software patches up to date
● Assess your vulnerability regularly
● Pay close attention to SQL injection in web applications