Feb 5, 2008, News Report
The SANS Institute announced that during December 2007 twelve cyber security veterans with significant knowledge about emerging attack patterns worked together to compile a list of the attacks most likely to cause substantial damage during 2008.
Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities -- Especially on Trusted Web Sites -- Web site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, Web site attacks have migrated from simple ones to more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads. Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public.
Increasing Sophistication and Effectiveness in Botnets -- The so-called Storm worm (which was not really a worm at all) started spreading in January, 2007, with an e-mail saying, "230 dead as storm batters Europe," and was followed by subsequent variants. Within a week, it accounted for one out of every twelve infections on the Internet, installing rootkits and making each infected system a member of a new type of botnet. Previous botnets used centralized command and control; the Storm worm uses peer-to-peer control, so there is no central controller to take down. Additional variants have used messages with different subjects and improved the capabilities of the rootkit. In 2008, additional variants and continually increasing sophistication will keep this worm and other even more sophisticated worms near the top of any list of menaces.
Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data Particularly Using Targeted Phishing -- One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.
Mobile Phone Threats, Especially Against iPhones and Android-Based Phones; Plus VoIP -- Mobile phones are general purpose computers, so worms, viruses, and other malware will increasingly target them. Google's recent announcement of "Android" and the formation of the "Open Handset Alliance" is a watershed moment for the mobile industry. A truly open mobile platform will usher in completely unforeseen security nightmares. The developer toolkits provide easy access for hackers, and hackers are taking note. Attacks on VoIP systems are on the horizon and may surge in 2008. VoIP phones and IP PBXs have had numerous published vulnerabilities. Attack tools exploiting these vulnerabilities have been written and are available on the Internet. In short, the VoIP attack surface is enormous.
Insider Attacks -- Insider attacks are initiated by rogue employees, consultants, and/or contractors of an organization. Insider-related risk has long been exacerbated by the fact that insiders usually have been granted some degree of physical and logical access to systems, databases, and networks that they attack, giving them a significant head start in attacks that they launch. More recently, however, security perimeters have broken down, something that allows insiders to attack both from the inside and from outside an organization's network boundaries. Insider-related risk (as well as outsider risk) has thus skyrocketed. Organizations need to put into place substantial defenses against this kind of risk, one of the most basic of which is limiting