Security Trends

SANS Flags Browsers, Botnets as Top Security 'Menaces'

1/17/2008

So Web 2.0 is definitely on the minds of security-conscious admins.

In the SANS report, Web 2.0 came in at No. 8 in the list.

"Web 2.0 applications are vulnerable because user-supplied data cannot be trusted; your script running in the users' browser still constitutes 'user supplied data.' In 2008, Web 2.0 vulnerabilities will be added to more traditional programming flaws and Web application attacks will grow substantially," the report said.

Botnets, Phishing, Espionage, and 'Blended' Threats

The SANS report also warned of increasing sophistication of more traditional data security threats. The institute said botnets will become more effective over the course of this year, as new variants of 2007's Storm worm emerge. Botnets were listed as 2008's No. 2 threat.

Espionage and "insider attacks" also made the top 5 in the SANS list. Espionage in this context is targeted mainly toward government and military, while insider attacks affect any organization. Insider attacks have been compounded, according to the institute, by the breakdown of security barriers, allowing insiders "to attack both from the inside and from outside an organization's network boundaries."

Persistent bots and increasingly malicious spyware are also threats to watch. Persistent bots reside on computers for months collecting data, including passwords. Spyware is becoming increasingly sophisticated, attacking or dodging anti-virus and other software, making investigations and detection increasingly difficult.

Finally, the group also warned of a new menace to security: blended and event-based approaches to phishing.

"Blended approaches will amplify the impact of many more common attacks," the report said. "For example, the success of phishing is being radically increased by first stealing IDs of users of other technologies. Even if it is non-targeted, event phishing is gaining in sophistication. Tax filing scams and scams based on the U.S. Presidential elections will be widely used this year, and many of them will succeed. A note with the subject 'Hillary drops out of the race' or 'Rudy and female staffer caught on film' could generate huge new botnets of people who are interested in politics but may not have patched their systems fully."

The report was compiled by the SANS Institute from input from a dozen security veterans. Further information can be found at the link below.


About the author: Dave Nagel is the executive editor for 1105 Media's educational technology online publications and electronic newsletters. He can be reached at dnagel@1105media.com.

Cite this Site

David Nagel, "SANS Flags Browsers, Botnets as Top Security 'Menaces'," Campus Technology, 1/17/2008, http://www.campustechnology.com/article.aspx?aid=57485
