Sans releases top 20 Net risks list
Malicious attackers are honing in on custom-built applications and targeted phishing attacks, pushing the two areas onto the Sans Top 20 Internet Security Risks list this year.
Malicious attackers are increasingly setting their sights on targeted phishing attacks, or "spear" phishing, and custom-built applications, pushing these two areas into Sans' Top 20 Internet Security Risks of 2007.
The report, released Tuesday, provides a glimpse into the nefarious activities of online attackers and the issues faced by security firms.
"Spear phishing has had its most critical and damaging impact in military and civilian government organizations and military contractors who build weapons and more," said Alan Paller, Sans Institute research director.
He estimated that 90 percent of the attacks that caused the greatest damage over the past 18 months targeted the military and government entities, as well as defense contractors. Corporate executives are also increasingly finding themselves as targets of spear phishing.
"It's done as an act of espionage, and not so much for economic gain," Paller said during a press conference with other security experts to release the report.
A chief information officer at a midsize federal agency, for example, discovered his own computer was sending out data to China, unbeknownst to him, according to a composite cited in the report.
And in an effort to tackle the the weakest security link in an organization, one federal agency has taken the unusual step of sending out a benign version of a phishing attack to its employees and further educating those who bite on security measures they should be taking.
Phishing is used for economic gain, as a means to lure users into giving up their log-on and passwords, as well as such sensitive information as Social Security numbers and bank accounts.
Custom-built applications have also gained favor with malicious attackers, due to developers' lackadaisical approach in designing security into the software. Previously, attackers used to concentrate their efforts on widespread software.
Other frequent attack targets cited on the list include Web browsers, Office software, e-mail clients and media players on the client side, while Windows services, Unix and Mac OS services and database software were listed on the server side of the equation.
Unencrypted laptops and removable media, as well as VoIP servers and phones, also made it on the list.