Humans have replaced buggy software to become the primary target of online crime, according to the SANS Institute.
Humans have replaced buggy software to become the primary target of online crime, the SANS Institute concluded in its annual list of Internet security threats, released Nov. 27.
"This year for the first time were reporting that one of the most critical risks is attacks against people, where attackers focus on executives," said Alan Paller, director of the SANS Institute, in a call with media following the posting of the list. In fact, spear-phishing executives and rich people even rated a new term in 2007: Its called "whaling," drawing on the Las Vegas habit of referring to rich gamblers as "whales."
Spear phishing is a highly targeted phishing attack where criminals include information about staff or current organizational issues to lend e-mail an air of credence. The e-mail come-ons may include requests for user names or passwords, or they might tell recipients to download malicious attachments. Attackers can use the information to break in to organizational systems and steal sensitive military information, trade secrets, or sensitive financial or other personal information.
According to Paller and the team of security experts SANS assembled to produce this years report, spear-phishing expeditions launched against military targets in the United States and other developed countries have proved frighteningly successful over the past year, with a success rate of 80 percent, making this Internet-borne threat the top-rated priority for military agencies.
Having a yearly security awareness teach-in just wont cut it when it comes to solving the pervasive problem of gullibility underlying spear-phishings success, Paller said. In fact, the only thing that seems to work is finding out just how gullible some employees are with attack-like tests.
For example, some military agencies that the SANS group wasnt at liberty to identify have begun to use a security awareness technique called "Inoculation." According to Ed Skoudis, founder of Intelguardians and director of SANS Incident Handling and Hacker Exploits course, this method entails running benign versions of attacks against employees. Those who fall for a particular gambit find themselves in for "a little education" on their unwise online hygiene, he said.
Another notable finding of this years list: Client-side attacks have surged in prominence over server attacks.
"All together, client-side vulnerabilities are posing a big risk to enterprises," said Rohit Dhamankar, project manager for the SANS list and senior manager of Security Research at TippingPoint. "There are a lot of compromised sites hosting exploits targeting these flaws. Any time a desktop user goes to these sites his or her system can easily get compromised."
Tens of thousands of malware-serving pages are showing up in the first page of returns from Google, Yahoo and Live. Click here to read more.
Microsoft statistics tell the story: There were 32 critical client-side Microsoft vulnerabilities in 2007, with only six on the server side.
"We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawarte, manager of Vulnerability Labs at Qualys. Growth was almost 300 percent from 2006 to 2007, primarily in new Excel vulnerabilities that can easily be exploited by luring victims into opening Excel files sent as e-mail attachments and via instant messaging, Sawarte said.
Qualys, as in past years, is rolling out a free network scanning service to help companies find and eliminate vulnerabilities listed in SANS Top 20 list.
This is the full SANS list of Internet threats for 2007:
Client-side Vulnerabilities in: Web Browsers
Client-side Vulnerabilities in: Office Software
Client-side Vulnerabilities in: E-Mail Clients
Client-side Vulnerabilities in: Media Players
Server-side Vulnerabilities in: Web Applications
Server-side Vulnerabilities in: Windows Services
Server-side Vulnerabilities in: Unix and Mac OS Services
For details on which operating systems are affected, specific CVE entries, methods for detecting infection and for protection, check SANS full list.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.