
SANS: VoIP, zero-day threats surge

By Bill Brenner, Senior News Writer
15 Nov 2006 | SearchSecurity.com

Security Wire Daily News

Since attacks are no longer tied solely to a set of software flaws, the SANS Institute has renamed its annual Top 20 vulnerabilities list this year to the "Top 20 Attack Targets."

"Attackers are using quieter, more targeted tactics that have given them much more success."
Allan Paller, research director, SANS Institute

Product vulnerabilities continue to top the Bethesda, Md.-based institute's list of threats, but human error has also made the list, given users' susceptibility to phishing scams.

"Smart people are falling for phishing because attackers are coming up with more sophisticated techniques," said Allan Paller, research director at the SANS Institute. For example, he said, "If a company is making plans to go public, phishers can send emails to employees that look like a progress report on the IPO, including the name of the CEO. The email looks the way it's supposed to and it's trusted."

Among this year's top 20 are six major attack trends:

  • A surge in zero-day attacks that go beyond Internet Explorer to target other Microsoft software.
  • A rapid growth in attacks exploiting vulnerabilities in ubiquitous Microsoft Office products such as PowerPoint and Excel.
  • A continued growth in targeted attacks.
  • Increased phishing attacks against military and government contractor sites.
  • A surge in VoIP (Voice over Internet Protocol) attacks in which attackers can intercept and sell company meeting minutes, inject misleading messages or create massive outages in the old phone network.
  • Ever-increasing attacks against Web application flaws.

Paller said IT security officers shouldn't underestimate the ability of hackers to exploit VoIP for financial gain.

"Law enforcement has told me they're dealing with multiple active cases where someone took over a company's VoIP system, stole the minutes, then they turned around and sold them," he said. "VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages."

SANS top 20 internet security attack targets:

Operating Systems:
1. Internet Explorer
2. Windows libraries
3. Microsoft Office
4. Windows services
5. Windows configuration weaknesses
6. Mac OS X
7. UNIX configuration weaknesses 

Cross-Platform Applications:  
8. Web applications
9. Database software
10. P2P file sharing applications
11. Instant messaging
12. Media players
13. DNS servers
14. Backup software
15. Security, enterprise, and directory management servers  

Network Devices:
16. VoIP servers and phones
17. Network and other devices common configuration weaknesses  

Security Policy and Personnel:
18. Excessive user rights and unauthorized devices
19. Users (phishing/spear phishing)  

Special Section:
20. Zero-day attacks  

For more information, visit the SANS Institute Web site.

He said another big trend this year is the increased penetration of government systems through targeted attacks that use phishing and other tactics.

"People think things are better because they haven't seen many worm attacks," Paller said. "But in reality, attackers are using quieter, more targeted tactics that have given them much more success. As targeted attacks become the main economic threat, phishing really comes into play."

Human error made it onto the top 20 because of all the successful attacks that required involvement from the user, he said. Meanwhile, last year's big trend of increased attacks against Web application flaws continued this year.

In a written statement, SANS said changes to this year's list don't mean attackers have stopped using tactics and flaws announced in earlier reports. For example, Apple computers are being increasingly targeted, as was previously predicted. "In reality, few attack patterns are ever discarded," Paller said. "The attacks are automated and continue to be used, but many organizations have established defensive strategies to minimize the risk from the older attack patterns."

Going forward, he said, attacks will increase against cell phones and appliances such as digital printers.

Paller said IT administrators should use the SANS list to adjust their network defenses and get upper management support for new security procedures and investments.

"Your first stop should be the CEO's office," Paller said. "Show them the information and tell them you don't have the capacity to beat this. Ask them to get together with other CEOs and really put pressure on the industry to bake security into their products."
