Top 18 Internet Security Risks

Call it the Internet's version of a cold war. Chief information officers and chief security officers have made important strides in recent years in successfully implementing a wide range of security measures, from firewalls, to antivirus and antispam filters, to intrusion detection tools.

Pitted against these tougher defenses, however, attackers have been forced to alter their strategies. They have focused their attention on the two areas they believe to be the most vulnerable: emails custom-built to tempt particular users, such as executives, into opening at-risk attachments or links, and custom-built Web applications written without secure coding built in, says a report from the SANS Institute, an industry-sponsored research group and computer security training body.

"For most large and sensitive organizations, the newest risks are the ones causing the most trouble," says Alan Paller, director of research at the SANS Institute. "They take a level of commitment to continuous monitoring and adherence to policy with real penalties, that up to now only the largest banks or sensitive government agencies have been willing to implement."

The SANS Institute recently released a list of the top 18 Internet security risks for 2007, and while the risks are those identified in 2007, they serve as an early warning system for what CIOs should be on guard against in 2008.

The ranking of top security vulnerabilities is an annual undertaking by the SANS Institute. This year, it was led by Rohit Dhamankar, senior manager of security research for TippingPoint, a vendor of intrusion prevention systems. It represents the combined input of 43 security experts from government, industry, and academia.

Top of the list: the gullible employee. And not just any employee - for the first time there has been a noticeable increase in activity where attackers have zeroed in on executives. This form of attack was deemed the most serious because it remains the easiest way for hackers to break into corporate systems and implant spyware or other malicious software.

In fact, the practice of spear-phishing executives who may have access to sensitive systems has garnered a new term: "whaling," coined after the con-artist practice of going after people with large amounts of money, or "whales." Phishing, a play on the word fishing, is the act of sending an email falsely claiming to be from an established or legitimate enterprise in an attempt to get the receiver to surrender information or click on a link. Attackers who are "whaling" typically research the names of key individuals at organizations, such as the CEO, CFO, or chief marketing officer. They then write an email directly tied to the target's role at the company, looking to increase the odds that the executive will open a link or attachment. The link may take the executive to a site where a small program is downloaded that can then track their keystrokes.

Security systems vendor MessageLabs reported earlier this year on one such instance, in which messages purporting to come from the Better Business Bureau were sent to executives. It preyed on their innate sensitivity to protecting the company's reputation. In June, MessageLabs said it caught some 500 such emails sent to executives in organizations over a two-hour period. In September, 1,100 whaling attacks were detected over a 15-hour period.
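The pattern in the MessageLabs incident (a message whose display name claims a trusted organization while its address and link sit on an unrelated domain, aimed at an executive mailbox) is something a mail gateway can triage with a few header and body checks. The following is an added example written for this article; it is not code from SANS, MessageLabs or TippingPoint. The organization's domain, the executive mailboxes, the impersonated-organization table and all three sample messages are constructed for illustration. It goes slightly beyond the BBB case by also tiering routine external mail that hands an executive a link or attachment as worth a look.

```python
"""Heuristic triage for executive-targeted ("whaling") email.

Added example; not code from the article, SANS, MessageLabs or TippingPoint.
Every domain, mailbox, name and message below is constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Constructed: the organisation's own mail domain and the executive mailboxes
# whose inbound external mail deserves closer scrutiny.
OUR_DOMAIN = "example-corp.test"
EXECUTIVE_MAILBOXES = {"ceo@example-corp.test", "cfo@example-corp.test"}

# Constructed: organisations a lure might impersonate, mapped to the domain they
# are expected to send from. A display name claiming one of them while the
# address sits on another domain is the shape of the BBB-themed messages.
IMPERSONATION_TARGETS = {"better business bureau": "bbb.test"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def _same_org(domain: str, org_domain: str) -> bool:
    """True when domain is org_domain itself or a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)


def assess(raw_message: str) -> dict:
    """Parse one RFC 822 message and return indicator flags plus a verdict."""
    msg = message_from_string(raw_message)
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}

    links, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are visited next
        if "attachment" in (part.get("Content-Disposition") or "").lower():
            attachments.append(part.get_filename() or "<unnamed>")
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True) or b""
            links.extend(URL_RE.findall(body.decode("utf-8", "replace")))

    # Links that leave the organisation are the ones a lure relies on.
    external_links = [
        u for u in links
        if not _same_org((urlsplit(u).hostname or "").lower(), OUR_DOMAIN)
    ]
    claimed = display_name.lower()
    org_mismatch = any(
        name in claimed and not _same_org(sender_domain, expected)
        for name, expected in IMPERSONATION_TARGETS.items()
    )

    flags = {
        "executive_target": bool(recipients & EXECUTIVE_MAILBOXES),
        "external_sender": not _same_org(sender_domain, OUR_DOMAIN),
        "org_mismatch": org_mismatch,
        "external_links": external_links,
        "attachments": attachments,
    }
    # Tiered verdict: impersonation aimed at an executive is the strongest
    # signal; any external mail handing an executive a link or file gets a look.
    if flags["executive_target"] and flags["org_mismatch"]:
        flags["verdict"] = "high"
    elif flags["executive_target"] and flags["external_sender"] and (external_links or attachments):
        flags["verdict"] = "medium"
    else:
        flags["verdict"] = "low"
    return flags


# Constructed sample 1: borrows the Better Business Bureau's name, is sent from
# an unrelated domain, and points the CEO at an external page.
WHALING_LURE = (
    'From: "Better Business Bureau" <complaints@bbb-notice.test>\n'
    "To: ceo@example-corp.test\n"
    "Subject: Complaint filed against your company\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "A consumer complaint has been lodged against your company.\n"
    "Review and respond within 48 hours: http://bbb-notice.test/complaint/7731\n"
)

# Constructed sample 2: a routine internal note with an intranet link.
INTERNAL_NOTE = (
    'From: "Jane Doe" <jane.doe@example-corp.test>\n'
    "To: ceo@example-corp.test\n"
    "Subject: Board pack for Thursday\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Slides are on the intranet: https://intranet.example-corp.test/board/q4\n"
)

# Constructed sample 3: external vendor mail to the CFO carrying an attachment.
VENDOR_INVOICE = (
    'From: "Acme Billing" <billing@acme-supplies.test>\n'
    "To: cfo@example-corp.test\n"
    "Subject: Invoice 2041\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please find the invoice attached.\n"
    "--b1\n"
    "Content-Type: application/pdf\n"
    'Content-Disposition: attachment; filename="invoice-2041.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "JVBERi0xLjQK\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for label, sample in (("lure", WHALING_LURE), ("internal", INTERNAL_NOTE), ("vendor", VENDOR_INVOICE)):
        print(label, assess(sample)["verdict"])
```

The lure comes out "high" because the display name claims an organization the address does not belong to; the vendor invoice is "medium" (external sender, executive recipient, attachment) and the intranet note "low". Real deployments would feed the "high" tier to a quarantine and the "medium" tier to a reviewer rather than blocking it outright, since legitimate vendor mail looks exactly like sample 3.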

Paller says employees at companies have to some degree become too comfortable with the level of protection provided by various antivirus and intrusion detection systems. They often think that if a message has made it through the company's defenses, it must be safe. For that reason, the SANS Institute and its members are advising CIOs to adopt a rather extreme measure. They recommend sending out fake messages to trap employees. Rather than use the word trap, however, they prefer the term "inoculation."

"It has become necessary to change the way companies educate people about spear-phishing," says Paller. The institute recommends sending out periodic phishing emails to employees with benign traps. If the employee falls for it the first time, they might need an education on the dangers of opening such emails. If they are successfully tempted a second time, they might receive a formal warning. Fail a third time, and they might get their plug to the Internet pulled - or worse.

"Companies may not like having to take this step, but they have to realize that any one employee can put the entire organization at risk," says Paller.

The second major source of new attacks is coming from Web sites that have been compromised by malicious code. According to Dhamankar of TippingPoint, close to half of the total vulnerabilities reported in 2007 were related to Web applications.

Separately, a study of Microsoft Office products, such as Word and Excel, showed a nearly 300% increase in new vulnerabilities that could be exploited by getting unsuspecting users to open files sent by email and instant message. Dhamankar has called on the industry as a whole to step up efforts to ensure that programmers, and programming students at university, are properly trained in what it takes to build a secure Web application.

The following is the list of the top 18 Internet security risks for 2007, grouped by category.

Client-side Vulnerabilities in:

C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players

Server-side Vulnerabilities in:

S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software

Security Policy and Personnel:

H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media

Application Abuse:

A1. Instant Messaging
A2. Peer-to-Peer Programs

Network Devices:

N1. VoIP Servers and Phones

Zero Day Attacks:

Z1. Zero Day Attacks
