Top 10 Cybersecurity Menaces For 2008 Listed - InformationWeek
Software // Enterprise Applications
05:44 PM
Connect Directly

Top 10 Cybersecurity Menaces For 2008 Listed

Expect increased attacks on Web browsers, more botnets, and sophisticated cyberespionage, according to the annual SANS Institute report.

Advanced identity theft bots appear sixth on the SANS list. "A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used e-mail addresses, and more," the SANS report said. "They'll gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identify theft attempts where criminals have enough data to pass basic security checks."

A Trojan program, Trojan.Silentbanker, described on Monday in a Symantec blog post represents one such bot. "The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying," said Symantec researcher Liam OMurchu. "The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead."

The sophistication of Trojan.Silentbanker and other malware like Storm and Nugache reflects the seventh-ranked item on the SANS list: The increasing maliciousness of malware. Malware is not only becoming more insidious, but more aggressive in its quest for self-preservation. The SANS researchers see malware increasingly taking the offensive against malware fighters and their systems. They also see malware becoming increasingly stealthy, hiding its malicious nature to strike more effectively. This also is happening at a network level, where fast-flux DNS techniques are being refined to better conceal malware server infrastructure.

Web application vulnerabilities, such as cross-site scripting and SQL injection attacks, rank eighth on the list. "Until 2007, few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to economic or information access advantage," the SANS report said. "Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from Web programming errors as new ways of penetrating important organizations."

As if to prove the point, a massive SQL attack was reported last week. And the security experts who participated in this SANS report expect more such attacks in 2008.

Coming in at number nine, the SANS report anticipates a rise in blended and event-based attacks. Such attacks might rely on a provocative fake headline to entice recipients to open a malicious message. Or they might combine a phishing attack with an inducement to reveal personal information over the phone. An example of such an attack is the phony Federal Trade Commission e-mail notice sent users last October that installed malware when the message was opened.

Last, the SANS report cites the rising risk of supply chain attacks affecting consumer devices. "The widespread adoption of the USB standard combined with cheap memory and consumer demand for more computer peripherals makes this vector a simple target for a sophisticated attacker," explained Marc Sachs, executive director of government affairs for national security policy at Verizon and director of the SANS Institute's Internet Storm Center, in an e-mail last week. "Pranksters like it, too. It's a simple matter to purchase an item at Best Buy or Target, bring it home, infect it as a joke, and return it. Most large stores have a 'no questions asked' return policy within a week or two of purchase. Even worse, most stores will quickly test a returned item and ,if it appears to work, will reshrink-wrap it, put a price sticker on it, and return it to the shelf."

Despite recent reports of malware-infected digital picture frames and other devices, such attacks aren't likely to match the broad impact of the Storm Trojan. Nonetheless, they're well-suited for targeted attacks, and those tend to be more damaging than less discriminating attacks.

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Annual IT Salary Report 
Base pay for IT professionals has remained flat this year with a median annual salary of $88,000 for staff and $112,000 for management. However, 58% of staff and 62% of managers who responded to our survey say they're satisfied with their compensation. Download this report to find out which positions earn the highest compensation.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll