Once again SANS has released its “Top 20” security risks for 2007. This is always a good report, and I recommend all security professionals read it. This year they highlight two growing attack vectors: users who are easily misled (aka social engineering) and custom-built web applications.
Neither of these should come as a surprise. I know I have seen a major increase over the last year in “spear phishing” types of targeted attacks in my organization, as well as your typical PayPal and eBay phishes. Until users become more security aware, I am not sure how this will decrease. All an attacker needs to do is get a user to click a link or visit a web site, and it’s pretty much game over!
Custom-built web applications are not a huge surprise either. Most of the time internal developers are not using secure coding practices and usually have no idea their applications are even vulnerable to simple things like SQL injection. Again, it all starts with education and making users and developers more security aware.
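To make the “simple things like SQL injection” point concrete for developers, here is an added example (my own illustration, not code from the SANS report or from any application it describes). It builds a throwaway in-memory SQLite table with constructed sample rows, then shows the same lookup written two ways: one that pastes user input into the SQL text, and one that binds it as a parameter. The table name, column names and inputs are all assumptions made up for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, record TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, record) VALUES (?, ?)",
        [
            ("alice", "constructed sample record 1"),
            ("bob", "constructed sample record 2"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """The mistake: user input is concatenated into the SQL statement.

    Because the input becomes part of the query text, a value containing a
    quote can change the meaning of the WHERE clause instead of just its data.
    """
    sql = "SELECT name FROM patients WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """The fix: a parameterized query.

    The statement structure is fixed at this line; the driver passes the value
    separately, so whatever the user typed is only ever compared as data.
    """
    sql = "SELECT name FROM patients WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def compare(name: str) -> dict[str, list[str]]:
    """Run both lookups on the same input so the difference is visible."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, name),
            "safe": lookup_safe(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print("normal input:", compare("alice"))
    # A constructed input that contains a quote: the concatenated version's
    # WHERE clause is rewritten and every row comes back; the parameterized
    # version simply finds no patient with that literal name.
    print("quoted input:", compare("x' OR 'a'='a"))
```

The takeaway for the developers the post talks about is that the fix is not “filter out quotes” but “never build the statement out of the input”; parameter binding is available in every mainstream database driver, and a code review that flags string concatenation into SQL catches this class of bug before a scanner or an attacker does.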
Two scenarios they mention highlight this risk. From the executive overview:
“Scenario 1: The Chief Information Security Officer of a medium sized, but sensitive, federal agency learned that his computer was sending data to computers in China. He had been the victim of a new type of spear phishing attack highlighted in this year’s Top 20. Once they got inside, the attackers had freedom of action to use his personal computer as a tunnel into his agency’s systems.”
“Scenario 3. A hospital’s Web site was compromised because a Web developer made a programming error. Sensitive patient records were taken. When the criminals proved they had the data, the hospital had to choose between paying extortion or allowing their patients’ health records to be spread all over the Internet.”
You can read the entire 2007 SANS Top 20 article here.