SANS: VoIP, zero-day threats surge

Attackers are using quieter, more targeted tactics that have given them much more success. Allan Paller, research directorSANS Institute

Product vulnerabilities continue to top the Bethesda, Md.-based institute's list of threats, but human error has also made the list, given users' susceptibility to phishing scams.

"Smart people are falling for phishing because attackers are coming up with more sophisticated techniques," said Allan Paller, research director at the SANS Institute. For example, he said, "If a company is making plans to go public, phishers can send emails to employees that look like a progress report on the IPO, including the name of the CEO. The email looks the way it's supposed to and it's trusted."

Among this year's top 20 are six major attack trends:

• A surge in zero-day attacks that go beyond Internet Explorer to target other Microsoft software.
• A rapid growth in attacks exploiting vulnerabilities in ubiquitous Microsoft Office products such as PowerPoint and Excel.
• A continued growth in targeted attacks.
• Increased phishing attacks against military and government contractor sites.
• A surge in VOIP (Voice over Internet Protocol) attacks in which attackers can intercept and sell company meeting minutes, inject misleading messages or create massive outages in the old phone network.
• Ever-increasing attacks against Web application flaws.

Paller said IT security officers shouldn't underestimate the ability of hackers to exploit VoIP for financial gain.

"Law enforcement has told me they're dealing with multiple active cases where someone took over a company's VoIP system, stole the minutes, then they turned around and sold them," he said. "VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages."

SANS top 20 internet security attack targets: Operating Systems: 1. Internet Explorer 2. Windows libraries 3. Microsoft Office 4. Windows services 5. Windows configuration weaknesses 6. Mac OS X 7. UNIX configuration weaknesses  Cross-Platform Applications:   8. Web applications 9. Database software 10. P2P file sharing applications 11. Instant messaging 12. Media players 13. DNS servers 14. Backup software 15. Security, enterprise, and directory management servers   Network Devices: 16. VoIP servers and phones 17. Network and other devices common configuration weaknesses   Security Policy and Personnel: 18. Excessive user rights and unauthorized devices 19. Users (phishing/spear phishing)   Special Section: 20. Zero-day attacks   For more information, visit the SANS Institute Web site.

He said another big trend this year is the increased penetration of government systems through targeted attacks that use phishing and other tactics.

"People think things are better because they haven't seen many worm attacks," Paller said. "But in reality, attackers are using quieter, more targeted tactics that have given them much more success. As targeted attacks become the main economic threat, phishing really comes into play."

Human error made it onto the top 20 because of all the successful attacks that required involvement from the user, he said. Meanwhile, last year's big trend of increased attacks against Web application flaws continued this year.

In a written statement, SANS said changes to this year's list doesn't mean attackers have stopped using tactics and flaws announced in earlier reports. For example, Apple computers are being increasingly targeted, as was previously predicted. "In reality, few attack patterns are ever discarded," Paller said. "The attacks are automated and continue to be used, but many organizations have established defensive strategies to minimize the risk from the older attack patterns."

Going forward, he said, attacks will increase against cell phones and appliances such as digital printers.

Paller said IT administrators should use the SANS list to adjust their network defenses and get upper management support for new security procedures and investments.

"Your first stop should be the CEO's office," Paller said. "Show them the information and tell them you don't have the capacity to beat this. Ask them to get together with other CEOs and really put pressure on the industry to bake security into their products."