Top Internet security risks of 2007 revealed today

Published 28 November 2007

This year’s SANS Top 20 illuminates two new attack targets that criminals have chosen to exploit and the older targets where attackers have significantly raised the stakes

It never ends. Cyber criminals and cyber spies have shifted their focus again, successfully evading the countermeasures that most companies and government agencies have worked for years to put into place. Facing real improvements in system and network security, the attackers now have two new prime targets that allow them to evade firewalls, antivirus, and even intrusion prevention tools: users who are easily misled, and custom-built applications. This is a major shift from prior years, when attackers limited most of their targets to flaws in commonly used software. The following scenarios are composites of actual events:

Scenario 1: The Chief Information Security Officer of a medium-sized but sensitive federal agency learned that his computer was sending data to computers in China. He had been the victim of a new type of spear phishing attack highlighted in this year’s Top 20. Once they got inside, the attackers had freedom of action to use his personal computer as a tunnel into his agency’s systems.

Scenario 2: Hundreds of senior federal officials and business executives visited a political think-tank web site that had been infected, and it caused their computers to become zombies. Keystroke loggers, placed on their computers by the criminals (or nation-state), captured their user names and passwords when they signed on to their personal bank accounts, their stock trading accounts, and their employers’ computers, and sent the data to computers in different countries. Bank balances were depleted; stock accounts lost money; servers inside their organizations were compromised and sensitive data was copied and sent to outsiders. Back doors were placed on some of those computers and are still there.

Scenario 3: A hospital’s web site was compromised because a web developer made a programming error. Sensitive patient records were taken. When the criminals proved they had the data, the hospital had to choose between paying the extortionists and allowing their patients’ health records to be spread all over the Internet.

Scenario 4: A teenager visited a web site that exploited the old version of her media player, which she had never updated. She did not do anything but visit the site; the video started up automatically when the page opened. The attacker put a keystroke logger on her computer. Her father used the same computer to access the family bank account. The attackers got his user name and password and emptied his bank account (the bank reimbursed him). US law enforcement officials followed