Top 10 Cybersecurity Menaces For 2008 Listed

Expect increased attacks on Web browsers, more botnets, and sophisticated cyberespionage, according to the annual SANS Institute report.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 14, 2008


The SANS Institute on Monday released its take on the top 10 cybersecurity threats for 2008. Leading the list is a rise in the number of attacks on Web browsers, the proliferation of botnets, and sophisticated cyberespionage.

Twelve noted cybersecurity experts -- Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller -- helped compile the list. Released in conjunction with the SANS Security 2008 conference in New Orleans, the list represents a collective assessment of the online attack vectors most likely to cause damage in the year ahead.

Attacks on Web browsers, particularly plug-in components like Flash and QuickTime, represent the top threat. These browser components are being targeted because they're widely distributed and they're not automatically updated when the browser is updated, leaving a longer window of vulnerability on affected systems. Additionally, cybercriminals have automated their attacks so that they probe for a variety of possible vulnerabilities, and they obfuscate them so that each new attempt looks different from the last. One of the hacking kits now available to attackers, MPack, "produces a claimed 10% to 25% success rate in exploiting browsers that visit sites infected with the module," according to the SANS report. Attackers also have been more successful in placing malicious payloads on trusted sites, making reputation-based defenses less effective.

The increasing sophistication and effectiveness of botnets -- coordinated groups of compromised PCs -- takes the second spot on the SANS list. The Storm Trojan, which began spreading through e-mail in January 2007, was responsible for one out of every 12 computer virus infections only a week after its release. Both Storm and an upcoming rival, Nugache, operate through encrypted peer-to-peer channels, which means there's no central server to shut down and botnet communication is difficult to block.

Third on the list is cyberespionage. "One of the biggest security stories of 2007 was disclosure in congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states," the SANS report said. "In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers."

Attacks on high-value targets are often conducted through spear-phishing, in which personalized messages rely on social engineering to trick recipients into taking some action that compromises their computer -- opening a file that exploits an undisclosed Microsoft Office vulnerability, for example.

Threats to mobile phones, particularly to the iPhone, upcoming Google Android phones, and VoIP systems, rank fourth on the SANS list. "A truly open mobile platform will usher in completely unforeseen security nightmares," the SANS report said. "The developer toolkits provide easy access for hackers."

Apple CEO Steve Jobs on Tuesday is widely expected to provide additional details about the upcoming Apple iPhone software development kit (SDK), about how iPhone applications will be made available (presumably through Apple's iTunes), and about how iPhone applications will be made secure.

Insider attacks rank fifth on the list. While rogue employees and contractors have long been a concern of corporate security managers, the various experts contributing to the SANS report see the risk posed by malicious insiders rising due to the interconnectedness of systems today and the rising value of data in general. The flurry of acquisitions in the data leak prevention space over the past year suggests that security companies hear worries about this from corporate clients and are investing accordingly.

Advanced identity theft bots appear sixth on the SANS list. "A new generation of identity theft is being powered by bots that stay on machines for three to five months collecting passwords, bank account information, surfing history, frequently used e-mail addresses, and more," the SANS report said. "They'll gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identity theft attempts where criminals have enough data to pass basic security checks."

A Trojan program, Trojan.Silentbanker, described on Monday in a Symantec blog post represents one such bot. "The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying," said Symantec researcher Liam OMurchu. "The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead."

The sophistication of Trojan.Silentbanker and other malware like Storm and Nugache reflects the seventh-ranked item on the SANS list: The increasing maliciousness of malware. Malware is not only becoming more insidious, but more aggressive in its quest for self-preservation. The SANS researchers see malware increasingly taking the offensive against malware fighters and their systems. They also see malware becoming increasingly stealthy, hiding its malicious nature to strike more effectively. This also is happening at a network level, where fast-flux DNS techniques are being refined to better conceal malware server infrastructure.
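The fast-flux DNS technique mentioned above hides a malware server behind a rotating pool of compromised hosts: one hostname answers with many short-lived IPs spread across unrelated networks. The following is an added example, not code from the SANS report or this article, showing a small detection heuristic a resolver operator could run over logged answers; the observation records and threshold values are constructed for illustration.

```python
"""Added example: flag hostnames whose DNS answers show fast-flux signals
(very short TTL, many distinct IPs, spread across many /16 prefixes).
Sample observations below are constructed, using documentation IP ranges."""
from collections import defaultdict
import ipaddress

# Constructed sample: (query name, TTL seconds, answer IPs) as a resolver
# might log them across repeated lookups of the same name.
OBSERVATIONS = [
    ("update.example-cdn.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("update.example-cdn.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("pharm4u.example.test", 180, ["198.51.100.4", "192.0.2.77", "203.0.113.200"]),
    ("pharm4u.example.test", 180, ["192.0.2.9", "198.51.100.40", "203.0.113.7"]),
    ("pharm4u.example.test", 120, ["192.0.2.150", "198.51.100.99"]),
]

def summarize(observations):
    """Aggregate per name: minimum TTL, distinct IPs, distinct /16 prefixes."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "prefixes": set()})
    for name, ttl, ips in observations:
        s = stats[name]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for ip in ips:
            s["ips"].add(ip)
            # Collapse each answer to its /16 as a rough "different network" proxy
            net = ipaddress.ip_network(f"{ip}/16", strict=False)
            s["prefixes"].add(str(net))
    return stats

def flux_score(s, ttl_threshold=300, ip_threshold=5, prefix_threshold=3):
    """Count how many of the three fast-flux signals a name exhibits (0-3).
    Thresholds are illustrative assumptions, not values from the report."""
    score = 0
    if s["min_ttl"] is not None and s["min_ttl"] <= ttl_threshold:
        score += 1
    if len(s["ips"]) >= ip_threshold:
        score += 1
    if len(s["prefixes"]) >= prefix_threshold:
        score += 1
    return score

def suspicious_names(observations, min_score=3):
    """Return names whose answer pattern matches all three signals."""
    stats = summarize(observations)
    return sorted(n for n, s in stats.items() if flux_score(s) >= min_score)

if __name__ == "__main__":
    for name in suspicious_names(OBSERVATIONS):
        print("possible fast-flux:", name)
```

A legitimate CDN can also answer with many IPs, so in practice the prefix and IP signals should be checked against an allow list of known content networks before alerting.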

Web application vulnerabilities, such as cross-site scripting and SQL injection attacks, rank eighth on the list. "Until 2007, few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to economic or information access advantage," the SANS report said. "Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from Web programming errors as new ways of penetrating important organizations."

As if to prove the point, a massive SQL injection attack was reported last week. And the security experts who participated in this SANS report expect more such attacks in 2008.

Coming in at number nine, the SANS report anticipates a rise in blended and event-based attacks. Such attacks might rely on a provocative fake headline to entice recipients to open a malicious message. Or they might combine a phishing attack with an inducement to reveal personal information over the phone. An example of such an attack is the phony Federal Trade Commission e-mail notice sent to Salesforce.com users last October that installed malware when the message was opened.

Last, the SANS report cites the rising risk of supply chain attacks affecting consumer devices. "The widespread adoption of the USB standard combined with cheap memory and consumer demand for more computer peripherals makes this vector a simple target for a sophisticated attacker," explained Marc Sachs, executive director of government affairs for national security policy at Verizon and director of the SANS Institute's Internet Storm Center, in an e-mail last week. "Pranksters like it, too. It's a simple matter to purchase an item at Best Buy or Target, bring it home, infect it as a joke, and return it. Most large stores have a 'no questions asked' return policy within a week or two of purchase. Even worse, most stores will quickly test a returned item and, if it appears to work, will reshrink-wrap it, put a price sticker on it, and return it to the shelf."

Despite recent reports of malware-infected digital picture frames and other devices, such attacks aren't likely to match the broad impact of the Storm Trojan. Nonetheless, they're well-suited for targeted attacks, and those tend to be more damaging than less discriminating attacks.


About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, information, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
