The SANS Institute just released a list of the worst security threats companies will face this year.
This is the first time the research group has looked ahead at coming threats. In the past, they've recapped the top 20 threats for the past year.
CISOs and security officers are aware of these threats, but some are clearly more prevalent than others.
Here's a look at SANS' predictions:
1. Attacks on browser vulnerabilities
Attackers are getting more savvy with exploit code, and more and more are targeting trusted Web sites.
2. Botnets
Bots made headlines throughout 2007, and botmasters are getting increasingly sophisticated in their tactics.
3. Cyber espionage
Well-resourced organizations--namely, nation-states--will use phishing and other attacks to gain economic advantage.
4. Attacks on mobile devices
The introduction of new mobile computing platforms will lead to increased attacks, and VoIP systems are also vulnerable.
5. Insider attacks
The threat of an internal strike forces security pros to clamp down on access and set more rigorous policies.
6. Identity theft from persistent bots
Some bots stay on computers for months, all the while collecting personal data that can be used for extortion and identity theft.
7. Spyware
More sophisticated tactics will evade anti-virus, anti-spyware and anti-rootkit tools, leading to more persistent problems.
8. Web application exploits
Applications like Web 2.0 tools are seen as increasingly vulnerable because of programming errors, giving attackers a new venue.
9. Blended social engineering
Criminals are using targeted attacks--like a phishing e-mail on job offers for Monster.com users--combined with VoIP to amplify their impact.
10. Supply chain attacks
USB connections from vendors or conferences increasingly contain dangerous software.
Comments (1)
None of the SANS Top 10 are really "new" threats, although as stated, the details change and become more sophisticated over time. Responding to any one of these points in a vacuum is fruitless and a well-thought-out security program should, if followed, provide a reasonable response and appropriate controls.
If organizations try to stem out each and every threat reported by SANS individually, they will get lost in a maze of activities and technical controls. It will be more of 'curing the symptom' than addressing the real problem. The problem becomes exponentially complex for larger, silo'ed organizations.
Answer: Technical controls and Infosec activities based on a well-defined Information Security Management System... and PDCA model. I am not just talking of ISO certification, but a real-life, functional management system which defines the priorities, assets, risks and how to manage those risks on a day-to-day basis using the infosec activities and automating these with technical controls.
Posted by Robert Forbes and Arun Sivaraman | January 22, 2008 10:16 AM