Security's Everyman

Friday, January 25, 2008

SANS Top 10 Security Threats for 2008

SANS has released its list of the Top 10 Security Threats for 2008. Since I didn't make my own list of predictions (you can't really count the one I did), I decided to comment on theirs.

  1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites
    This is the thing that scares me the most. It has gotten amazingly easy for the bad guys to infect our machines. Historically we had to do something to get infected with malware (click on a link, run an .exe, etc.). Now all you have to do is visit a site that has been compromised. Even worse, that site itself may not be compromised, but the site that hosts the banner ads on it may have been. It's almost a no-win situation. Even those who are very careful may end up getting pwned. The best defense is to stay on your guard and make sure that you keep your system patched. That means all parts of it: operating system, applications and browser add-ons. (See "Will Malware Kill the Internet?" for more tips.)

  2. Increasing Sophistication And Effectiveness In Botnets
    This is another scary one. Storm worm and others like it are almost smart. It's almost like this thing thinks on its own. The techniques that they use to keep a botnet up and running make it almost impossible to defeat. At least the good news (as far as I know) is that you have to do something to get it.

  3. Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing
    I wish I was as good a fisherman as these guys are. Phishing emails have come a long, long way. No longer are they (the good ones) filled with bad spelling and grammar. No longer do they look fake. Now they look, sound and even feel real. Then, to add insult to injury, the bad guys are making the emails very personal. They often mention things about you and your company that all but ensure they pass as legitimate messages. These types of attacks will force us to pay closer attention to our emails. If we are to prevent a possible major catastrophe, we will be forced to make User Awareness Training a higher priority, and we will have to require that it be relevant, effective and interesting.

  4. Mobile Phone Threats, Especially Against iPhones And Android-Based Phones; Plus VOIP
    For the last few years we have been hearing warnings that we had better get a handle on mobile devices before they become commonplace. I'm afraid that most organizations have ignored this warning. This means that now, instead of being ahead of the curve with a policy and plan in place to deal with them, companies are having to play catch-up. What is going to make this even more difficult is that the users are now used to having these devices and connecting them to the network. They are used to doing as they please, and we have the fun job of telling them to stop. This does not go over well in most organizations, and in even more cases management gives in and allows it to continue.
    As for VOIP, it too will become a headache because, as in most things, security wasn't built in and taken into consideration from the early stages. Now we are having to figure out how to secure it after the fact. Another factor is that many organizations are deploying it thinking that there are no security concerns with it. They approach it like they have approached traditional voice in the past. It's not the same, and it has lots of potential to be trouble if not implemented and managed correctly.

  5. Insider Attacks
    We've already seen several examples of insider attacks this year: the bank in France that was defrauded out of $7 BILLION by a rogue trader who worked for the bank, and the Administrative Assistant who deleted $2.5 million worth of documents because she thought that she was going to be replaced. The sad part of this is that these are just the people who are trying to do bad things to our networks and companies. Another front that we have to secure against is the insider mistake. While this isn't an attack per se, it can still have a devastating effect on our systems. We have to ensure that employees don't have more rights than they need to do their jobs, and we have to put controls in place to prevent their mistakes from becoming our nightmare.

  6. Advanced Identity Theft from Persistent Bots
    Getting a keystroke logger or rootkit on your machine is never fun, especially if it leads to identity theft or extortion. This is a fairly new attack vector where the goal is still financial gain for the bad guy, but they seem to have an additional motive of playing games. Maybe they learn enough about you to impersonate you online because they have all of your social media credentials, or they send nasty emails to others on your behalf (of course without your knowledge or permission). Then it usually comes down to trying to get more money from you. If they can't have fun while doing it through extortion or such, they will just take it out of your account.

  7. Increasingly Malicious Spyware
    So far I've never seen malware get less malicious and easier to detect and remove, so there is no reason that it will start this year. The thing about this is that it is now a business just like legitimate software sales. The bad guys are offering support and various levels of use. Since they are making money both from using it themselves and from selling it, they will work harder and harder to make it better and more effective.

  8. Web Application Security Exploits
    Again, these get worse and more prevalent every year. This will require that our Web dev teams take security seriously and learn not only how to code securely but how to think about security while coding. Then, of course, the rest of IT has to play its part. The DBAs have to ensure that the databases are secured, and the network team has to ensure that the firewalls, IPS and the rest of the infrastructure do their part.

  9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing
    Social engineering is another area where the bad guys are getting better, and unfortunately this is an area where technology is limited. We can put the controls in place, but if the users give out the information over the phone, click on the link or send the data in an email, then there is little we can do. You can say that there is technology to stop most of this, but it's too expensive for most companies to deploy all of it, and if they do, they don't have the staff to support it. Our best bet here, again, is better User Awareness Training. We have to constantly update our message to keep it fresh and ensure that the users are hearing us.

  10. Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations
    This is an area that I think will continue to grow as a malware distribution point. As we get more and more "connected" in all we do, we are plugging everything we get into our computers. About the only way to ensure that it doesn't happen to you is to have a separate system on which you check all of these devices before you put them on your main system. Of course you and I may do that, but I can assure you that my in-laws won't. I quit using the USB keys that I get at conferences for this very reason. Not that I don't trust the vendor who gave it to me, but I don't trust where they got it.

There you have it: my thoughts on this Top 10. I hope you found it helpful.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.