Wednesday, January 16, 2008

SANS Threat List 2008

SANS Institute has recently released the "Top Threat List" for 2008 at the SANS Security 2008 conference in New Orleans. The predictions for this year cover a wide range, from web attacks and malware to insider attacks and even social engineering. You can find the list below.

1. Increasingly sophisticated website attacks that exploit browser vulnerabilities - especially on trusted websites.

2. Increasing sophistication and effectiveness in botnets

3. Cyber espionage efforts by well resourced organisations looking to extract large amounts of data – particularly using targeted phishing.

4. An increase in mobile phone threats, especially against iPhones and Android-based phones.

5. Insider attacks

6. Advanced identity theft from persistent bots. Malicious agents that stay on compromised machines for months will be able to gather enough data to enable extortion attempts (against people who surf child porn sites, for example) and advanced identity theft attempts where criminals have enough data to pass basic security checks.

7. Increasingly malicious spyware

8. Web application security exploits

9. Increasingly sophisticated social engineering, including blending phishing with VoIP and event phishing. For example, a blended attack may include an inbound email, apparently sent by a credit card company, that asks recipients to "re-authorise" their credit cards by calling a 1-800 number. The number leads them (via VoIP) to an automated system in a foreign country that, quite convincingly, asks that they key in their credit card number, CVV, and expiration date.

10. Supply chain attacks infecting consumer devices (USB thumb drives, GPS systems, photo frames, etc.). Retail outlets are increasingly becoming unwitting distributors of malware-infected devices, the experts warn.

Related Report:
- Browser vulns and botnets head threat list (The Register)
