Internet attacks grow more sophisticated

Information security research group points to Web applications and end users as the biggest threats to agency systems.

Targeted attacks on computers and vulnerabilities in Web applications topped the list of threats to government and industry information systems in 2007, according to a new report from the SANS Institute. While proper security measures can help lock down agency systems, employees are easily duped by the increasingly sophisticated methods of hackers.

The institute, an information security organization in Bethesda, Md., on Wednesday will release a list of its top 20 cybersecurity threats, devised with input from 43 security experts from government, industry and academia. While most of the threats have existed for a number of years -- such as botnets and malware attacks -- new means of intrusion have emerged that are far more difficult to detect.

"This is an arms race; each time we set up a defense, the people who are attacking raise the sophistication of the attack," said Alan Paller, director of research at the SANS Institute. "For a lot of years, the sophistication was in how well they could find vulnerabilities in the system. What's different is that as they have been blocked in most simple vulnerabilities, they've come up with two completely new ones that most federal agencies aren't even thinking about."

One emerging threat lies with Web applications, which accounted for half the total vulnerabilities reported in 2007, according to TippingPoint, an intrusion prevention systems vendor in Austin, Texas. And that figure doesn't include custom-developed Web applications, which are particularly prevalent in government. Similarly, security vendor Symantec Corp. reported that in the first six months of 2007, 61 percent of all vulnerabilities disclosed involved Web applications, with more than 237 detected in Web browser plug-ins.

Malicious intruders gain access by exploiting vulnerabilities in Web browsers, office applications and media players, and often face few obstacles in accessing sensitive information from back-end databases. Part of the problem, Paller said, is that developers don't emphasize security.

In recent years, "governments and enterprises have focused heavily on protecting their servers via firewalls," said Rohit Dhamankar, project manager of the SANS top 20 list and senior manager of security research at TippingPoint. "But this year, the spotlight [is] on client-side vulnerabilities. One sees hundreds of thousands of attacks on the Web applications every day. These compromised servers are then being used to host Web browser exploits and phishing scams. The wedding between Web application vulnerabilities and Web browser vulnerabilities is really proving to be profitable for the evil folks."

Typically, a simple lack of emphasis on security by application developers results in the vulnerabilities that intruders exploit, according to the report. Web application firewalls, security scanners, source code testing tools, penetration testing services and a formal policy that requires a valid secure development life cycle can help prevent malicious access.
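The article does not name a specific flaw, but the pattern it describes, a Web application that lets an intruder pull sensitive records straight out of a back-end database, is most often a query assembled from untrusted input. The following is an added illustration, not code from the article or from SANS, using an in-memory SQLite table with made-up names and values; it shows the vulnerable query beside the parameterised form that source-code testing tools look for.

```python
import sqlite3


def build_db():
    # Constructed sample "back-end database" of the kind the article says
    # Web application flaws expose. Every row here is made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?)",
        [("alice", "111-11-1111"), ("bob", "222-22-2222"), ("carol", "333-33-3333")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Query built by string concatenation: the request parameter becomes part
    # of the SQL text, so a crafted value rewrites the query itself.
    sql = "SELECT username, ssn FROM employees WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so whatever the user typed can only ever be compared as data.
    sql = "SELECT username, ssn FROM employees WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Run both lookups with a normal value and with a constructed hostile one,
    # and return the four result sets so the difference can be checked.
    conn = build_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed payload; closes the quote and adds a true clause
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "hardened_normal": lookup_hardened(conn, normal),
        "hardened_hostile": lookup_hardened(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the hostile value returns every row in the table; the parameterised query returns nothing for it, because no employee is literally named `x' OR '1'='1`. A Web application firewall in front of the first version can block the obvious payload, but only the second version removes the flaw.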

The second emerging threat is far more difficult to control: the computer user. As attackers grow increasingly calculating and their strikes more targeted, phishing e-mails become tougher to spot. These scams no longer involve mass e-mails asking for bank account information. Rather, they appear as a message from a sender that users might take for a colleague or acquaintance, making what appears to be a legitimate request. An agency executive, for example, might receive a message he thinks is from his assistant, informing him that registration for an event the following week requires a credit card number. He thinks nothing of the request.

"Criminal elements are now behind many of today's attacks, which are silent and highly targeted [and often] seek personal and financial information for serious financial gain," said Dean Turner, director of the Symantec Global Intelligence Network. "Public agencies typically hold vast quantities of personal information, which makes them targets for identity thieves as well as organizations and nation-states that desire mission-critical government and military data."

Given that the threat lies at the user level, targeted attacks are particularly difficult to prevent. Besides security awareness training and monitoring of network traffic, the SANS Institute also recommends "inoculation," in which all users are sent periodic "spear phishing" e-mails that are benign. Much like a fire drill that tests employees' knowledge of how to exit in a hurry, these tests provide an opportunity to better educate users.
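One way to run the inoculation drill described above, as an added example that is not from the article or from SANS: each recipient gets a benign lure that mimics the colleague-style request from the previous paragraphs, carrying a per-recipient token in its link, and the landing page's access log is scored afterwards to see who clicked and who reported the message. The drill host `drill.agency.example`, the recipient list, the signing key and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed drill inputs; none of this is real agency data.
SECRET = b"drill-signing-key-rotate-per-campaign"  # assumption: one key per campaign
RECIPIENTS = [
    "alice@agency.example",
    "bob@agency.example",
    "carol@agency.example",
    "dave@agency.example",
]


def token_for(campaign, recipient):
    # Per-recipient, per-campaign token so a click can be attributed without
    # putting the address in the URL; HMAC keeps tokens unguessable.
    msg = f"{campaign}:{recipient}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_messages(campaign):
    # The lure copies the article's scenario: a plausible request that appears
    # to come from a colleague. Nothing here asks for real data.
    messages = []
    for recipient in RECIPIENTS:
        link = f"https://drill.agency.example/reg?t={token_for(campaign, recipient)}"
        messages.append({
            "to": recipient,
            "from_display": "Pat Assistant",  # assumed colleague-style display name
            "subject": "Registration for next week's event",
            "body": f"Please complete your registration here: {link}",
        })
    return messages


# Matches the constructed log format: "<time> GET /reg?t=<token> <status>".
LOG_RE = re.compile(r"^(\S+) GET /reg\?t=([0-9a-f]{16}) (\d{3})$")


def score_drill(campaign, log_lines, reported):
    # Map tokens back to recipients, count distinct clickers, and compute the
    # two numbers a fire drill is judged on: click rate and report rate.
    by_token = {token_for(campaign, r): r for r in RECIPIENTS}
    clicked = set()
    unknown_tokens = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a landing-page hit
        _time, token, _status = m.groups()
        who = by_token.get(token)
        if who is None:
            unknown_tokens += 1  # token never issued: forged or garbled
        else:
            clicked.add(who)
    reported = set(reported) & set(RECIPIENTS)
    return {
        "clicked": sorted(clicked),
        "reported": sorted(reported),
        "click_rate": len(clicked) / len(RECIPIENTS),
        "report_rate": len(reported) / len(RECIPIENTS),
        "unknown_tokens": unknown_tokens,
    }


def demo():
    campaign = "2007-11-drill"
    build_messages(campaign)  # in practice handed to the mail system
    t = lambda r: token_for(campaign, r)
    # Constructed access-log lines from the drill landing page.
    log = [
        f"12:01:07 GET /reg?t={t('bob@agency.example')} 200",
        f"12:03:44 GET /reg?t={t('bob@agency.example')} 200",  # repeat click, counted once
        f"12:05:10 GET /reg?t={t('dave@agency.example')} 200",
        "12:06:02 GET /reg?t=0000000000000000 404",  # token that was never issued
        "12:07:15 GET /favicon.ico 404",  # noise
    ]
    # Constructed list of users who forwarded the lure to the security team.
    reported = ["alice@agency.example", "dave@agency.example"]
    return score_drill(campaign, log, reported)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the token is an HMAC over the campaign and recipient, a user who clicks on a forwarded copy is still attributed to the original recipient, and a hit with a token that was never issued is reported separately rather than silently dropped. The click and report rates are what to track from drill to drill; the list of clickers is who to educate next.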