Expect increased attacks on Web browsers, more botnets, and sophisticated cyberespionage, according to the annual SANS Institute report.
The SANS Institute on Monday released its take on the top 10 cybersecurity threats for 2008. Leading the list are a rise in the number of attacks on Web browsers, the proliferation of botnets, and sophisticated cyberespionage.
Twelve noted cybersecurity experts -- Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller -- helped compile the list. Released in conjunction with the SANS Security 2008 conference in New Orleans, the list represents a collective assessment of the online attack vectors most likely to cause damage in the year ahead.
Attacks on Web browsers, particularly plug-in components like Flash and QuickTime, represent the top threat. These browser components are being targeted because they're widely distributed and they're not automatically updated when the browser is updated, leaving a longer window of vulnerability on affected systems. Additionally, cybercriminals have been automating their attacks so that they check for a variety of possible vulnerabilities, and disguising them so that each new assay is different from the last. One of the hacking kits now available to attackers, MPack, "produces a claimed 10% to 25% success rate in exploiting browsers that visit sites infected with the module," according to the SANS report. Attackers also have been more successful in placing malicious payloads on trusted sites, making reputation-based defenses less effective.
The increasing sophistication and effectiveness of botnets -- coordinated groups of compromised PCs -- take the second spot on the SANS list. The Storm Trojan, which began spreading through e-mail in January 2007, was responsible for one out of every 12 computer virus infections only a week after its release. Both Storm and an upcoming rival, Nugache, operate through encrypted peer-to-peer channels, which means there's no central server to shut down and botnet communication is difficult to block.
Third on the list is cyberespionage. "One of the biggest security stories of 2007 was disclosure in congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states," the SANS report said. "In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers."
Attacks on high-value targets are often conducted through spear-phishing, in which personalized messages rely on social engineering to trick recipients into taking some action that compromises their computer -- opening a file that exploits an undisclosed Microsoft Office vulnerability, for example.
Threats to mobile phones, particularly to the iPhone, upcoming Google Android phones, and VoIP systems, rank fourth on the SANS list. "A truly open mobile platform will usher in completely unforeseen security nightmares," the SANS report said. "The developer toolkits provide easy access for hackers."
Apple CEO Steve Jobs on Tuesday is widely expected to provide additional details about the upcoming Apple iPhone software development kit (SDK), about how iPhone applications will be made available (presumably through Apple's iTunes), and about how iPhone applications will be made secure.
Insider attacks rank fifth on the list. While rogue employees and contractors have long been a concern of corporate security managers, the various experts contributing to the SANS report see the risk posed by malicious insiders rising due to the interconnectedness of systems today and the rising value of data in general. The flurry of acquisitions in the data leak prevention space over the past year suggests that security companies hear worries about this from corporate clients and are investing accordingly.