Home > Security News > SANS: VoIP, zero-day threats surge
Security News:
EMAIL THIS LICENSING & REPRINTS

SANS: VoIP, zero-day threats surge

By Bill Brenner, Senior News Writer
15 Nov 2006 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Since attacks are no longer tied solely to a set of software flaws, the SANS Institute has renamed its annual Top 20 vulnerabilities list this year to the "Top 20 Attack Targets."

Attackers are using quieter, more targeted tactics that have given them much more success.
Allan Paller,
research director, SANS Institute

Product vulnerabilities continue to top the Bethesda, Md.-based institute's list of threats, but human error has also made the list, given users' susceptibility to phishing scams.

"Smart people are falling for phishing because attackers are coming up with more sophisticated techniques," said Allan Paller, research director at the SANS Institute. For example, he said, "If a company is making plans to go public, phishers can send emails to employees that look like a progress report on the IPO, including the name of the CEO. The email looks the way it's supposed to and it's trusted."

Among this year's top 20 are six major attack trends:

  • A surge in zero-day attacks that go beyond Internet Explorer to target other Microsoft software.
  • A rapid growth in attacks exploiting vulnerabilities in ubiquitous Microsoft Office products such as PowerPoint and Excel.
  • A continued growth in targeted attacks.
  • Increased phishing attacks against military and government contractor sites.
  • A surge in VOIP (Voice over Internet Protocol) attacks in which attackers can intercept and sell company meeting minutes, inject misleading messages or create massive outages in the old phone network.
  • Ever-increasing attacks against Web application flaws.

Paller said IT security officers shouldn't underestimate the ability of hackers to exploit VoIP for financial gain.

"Law enforcement has told me they're dealing with multiple active cases where someone took over a company's VoIP system, stole the minutes, then they turned around and sold them," he said. "VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages."

SANS top 20 internet security attack targets:

Operating Systems:
1. Internet Explorer
2. Windows libraries
3. Microsoft Office
4. Windows services
5. Windows configuration weaknesses
6. Mac OS X
7. UNIX configuration weaknesses 

Cross-Platform Applications:  
8. Web applications
9. Database software
10. P2P file sharing applications 11. Instant messaging
12. Media players
13. DNS servers
14. Backup software
15. Security, enterprise, and directory management servers  

Network Devices:
16. VoIP servers and phones
17. Network and other devices common configuration weaknesses  

Security Policy and Personnel:
18. Excessive user rights and unauthorized devices
19. Users (phishing/spear phishing)  

Special Section:
20. Zero-day attacks  

For more information, visit the SANS Institute Web site.

He said another big trend this year is the increased penetration of government systems through targeted attacks that use phishing and other tactics.

"People think things are better because they haven't seen many worm attacks," Paller said. "But in reality, attackers are using quieter, more targeted tactics that have given them much more success. As targeted attacks become the main economic threat, phishing really comes into play."

Human error made it onto the top 20 because of all the successful attacks that required involvement from the user, he said. Meanwhile, last year's big trend of increased attacks against Web application flaws continued this year.

In a written statement, SANS said changes to this year's list doesn't mean attackers have stopped using tactics and flaws announced in earlier reports. For example, Apple computers are being increasingly targeted, as was previously predicted. "In reality, few attack patterns are ever discarded," Paller said. "The attacks are automated and continue to be used, but many organizations have established defensive strategies to minimize the risk from the older attack patterns."

Going forward, he said, attacks will increase against cell phones and appliances such as digital printers.

Paller said IT administrators should use the SANS list to adjust their network defenses and get upper management support for new security procedures and investments.

"Your first stop should be the CEO's office," Paller said. "Show them the information and tell them you don't have the capacity to beat this. Ask them to get together with other CEOs and really put pressure on the industry to bake security into their products."

Sound Off! -   Be the first to post a message to Sound Off!


Tags: VoIP SecurityWeb Application Security (Also see Web Access Control)PhishingVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts