Top of SANS 2007 Internet Threats List: The Gullible

Humans have replaced buggy software to become the primary target of online crime, according to the SANS Institute.

Humans have replaced buggy software to become the primary target of online crime, the SANS Institute concluded in its annual list of Internet security threats, released Nov. 27.

"This year for the first time were reporting that one of the most critical risks is attacks against people, where attackers focus on executives," said Alan Paller, director of the SANS Institute, in a call with media following the posting of the list. In fact, spear-phishing executives and rich people even rated a new term in 2007: Its called "whaling," drawing on the Las Vegas habit of referring to rich gamblers as "whales."

Spear phishing is a highly targeted phishing attack where criminals include information about staff or current organizational issues to lend e-mail an air of credence. The e-mail come-ons may include requests for user names or passwords, or they might tell recipients to download malicious attachments. Attackers can use the information to break in to organizational systems and steal sensitive military information, trade secrets, or sensitive financial or other personal information.

According to Paller and the team of security experts SANS assembled to produce this years report, spear-phishing expeditions launched against military targets in the United States and other developed countries have proved frighteningly successful over the past year, with a success rate of 80 percent, making this Internet-borne threat the top-rated priority for military agencies.

Having a yearly security awareness teach-in just wont cut it when it comes to solving the pervasive problem of gullibility underlying spear-phishings success, Paller said. In fact, the only thing that seems to work is finding out just how gullible some employees are with attack-like tests.

For example, some military agencies that the SANS group wasnt at liberty to identify have begun to use a security awareness technique called "Inoculation." According to Ed Skoudis, founder of Intelguardians and director of SANS Incident Handling and Hacker Exploits course, this method entails running benign versions of attacks against employees. Those who fall for a particular gambit find themselves in for "a little education" on their unwise online hygiene, he said.

Another notable finding of this years list: Client-side attacks have surged in prominence over server attacks.

"All together, client-side vulnerabilities are posing a big risk to enterprises," said Rohit Dhamankar, project manager for the SANS list and senior manager of Security Research at TippingPoint. "There are a lot of compromised sites hosting exploits targeting these flaws. Any time a desktop user goes to these sites his or her system can easily get compromised."


Tens of thousands of malware-serving pages are showing up in the first page of returns from Google, Yahoo and Live. Click here to read more.

Microsoft statistics tell the story: There were 32 critical client-side Microsoft vulnerabilities in 2007, with only six on the server side.

"We have seen a huge jump in the vulnerabilities in Microsoft Office products," said Amol Sawarte, manager of Vulnerability Labs at Qualys. Growth was almost 300 percent from 2006 to 2007, primarily in new Excel vulnerabilities that can easily be exploited by luring victims into opening Excel files sent as e-mail attachments and via instant messaging, Sawarte said.

Qualys, as in past years, is rolling out a free network scanning service to help companies find and eliminate vulnerabilities listed in SANS Top 20 list.

This is the full SANS list of Internet threats for 2007:

  • Client-side Vulnerabilities in: Web Browsers
  • Client-side Vulnerabilities in: Office Software
  • Client-side Vulnerabilities in: E-Mail Clients
  • Client-side Vulnerabilities in: Media Players
  • Server-side Vulnerabilities in: Web Applications
  • Server-side Vulnerabilities in: Windows Services
  • Server-side Vulnerabilities in: Unix and Mac OS Services
  • Server-side Vulnerabilities in: Backup Software
  • Server-side Vulnerabilities in: Anti-virus Software
  • Server-side Vulnerabilities in: Management Servers
  • Excessive User Rights and Unauthorized Devices
  • Phishing/Spear Phishing
  • Unencrypted Laptops and Removable Media
  • Application Abuse: Instant Messaging
  • Application Abuse: Peer-to-Peer Programs
  • Network Devices: VOIP Servers and Phones
  • Zero-Day Attacks

For details on which operating systems are affected, specific CVE entries, methods for detecting infection and for protection, check SANS full list.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.