Internet attacks grow more sophisticated
Targeted attacks on computers and vulnerabilities in Web applications topped the list of threats to government and industry information systems in 2007, according to a new report from the SANS Institute. While proper security measures can help lock down agency systems, employees are easily duped by the increasingly sophisticated methods of hackers.
The institute, an information security organization in Bethesda, Md., on Wednesday will release a list of its top 20 cybersecurity threats, devised with input from 43 security experts from government, industry and academia. While most of the threats have existed for a number of years -- such as botnets and malware attacks -- new means of intrusion have emerged that are far more difficult to detect.
"This is an arms race; each time we set up a defense, the people who are attacking raise the sophistication of the attack," said Alan Paller, director of research at the SANS Institute. "For a lot of years, the sophistication was in how well they could find vulnerabilities in the system. What's different is that as they have been blocked in most simple vulnerabilities, they've come up with two completely new ones that most federal agencies aren't even thinking about."
One emerging threat lies with Web applications, which accounted for half the total vulnerabilities reported in 2007, according to TippingPoint, an intrusion prevention systems vendor in Austin, Texas. And that figure doesn't include custom-developed Web applications, which are particularly prevalent in government. Similarly, security vendor Symantec Corp. reported that in the first six months of 2007, 61 percent of all vulnerabilities disclosed involved Web applications, with more than 237 detected in Web browser plug-ins.
Malicious intruders gain access by exploiting vulnerabilities in Web browsers, office applications and media players, and often face few obstacles in accessing sensitive information from back-end databases. Part of the problem, Paller said, is that developers don't emphasize security.
In recent years, "governments and enterprises have focused heavily on protecting their servers via firewalls," said Rohit Dhamankar, project manager of the SANS top 20 list and senior manager of security research at TippingPoint. "But this year, the spotlight [is] on client-side vulnerabilities. One sees hundreds of thousands of attacks on the Web applications every day. These compromised servers are then being used to host Web browser exploits and phishing scams. The wedding between Web application vulnerabilities and Web browser vulnerabilities is really proving to be profitable for the evil folks."
Typically, a simple lack of emphasis on security by application developers results in the vulnerabilities that intruders exploit, according to the report. Web application firewalls, security scanners, source code testing tools, penetration testing services and a formal policy that requires a valid secure development life cycle can prevent malicious access.
The second emerging threat is far more difficult to control: the computer user. As attackers grow increasingly calculating and their strikes more targeted, phishing e-mails become tougher to spot. These scams no longer involve mass e-mails asking for bank account information. Rather, they appear as a message from a sender that users might think is a colleague or acquaintance making what appears to be a legitimate request. An agency executive, for example, might receive a message he thinks is from his assistant, informing him that registration for an event the following week requires a credit card number. He thinks nothing of the request.
"Criminal elements are now behind many of today's attacks, which are silent and highly targeted [and often] seek personal and financial information for serious financial gain," said Dean Turner, director of the Symantec Global Intelligence Network. "Public agencies typically hold vast quantities of personal information, which makes them targets for identity thieves as well as organizations and nation-states that desire mission-critical government and military data."
Given that the threat lies at the user level, targeted attacks are particularly difficult to prevent. Besides security awareness training and monitoring of network traffic, the SANS Institute also recommends "inoculation," in which all users are sent periodic "spear phishing" e-mails that are benign. Much like a fire drill that tests employees' knowledge of how to exit in a hurry, these tests provide an opportunity to better educate users.
COMMENTS
- I connect via wireless broadband with the latest virus protection. I got an email from a site where I had a resume and emailed back to remove my resume after the terrible email stating, "we are not like other fraud outfits and have real bank accounts, etc." Anyway, that company sent a message not to reply to this email as their site was hit. Well, since, I have been under attack. This intruder sends stuff and the virus protection finds it but more stuff is sent until the virus protection fails to quarantine it and simply records it. I have to stop what I am doing and try to remove it. The infected file says it is in use by another person. I cannot change the name. I cannot move it to the desktop from the Temp Internet files. However, I know it comes in via Internet Explorer. The virus pops up with a new web page every time I change web pages, including opening an email. However, I restart, delete, restart and delete until it is out. As soon as I open Explorer, it pings that site somehow and I have to shut Explorer in short order. Otherwise, it sends download software repeatedly in many forms and attacks many MS OS functions until it breaks back in. It even opens a phony warning alert as an icon that tells you that a virus is detected and if you touch the icon, it automatically opens a dialog box for you to download 'the fix'. I am sure that would 'fix' you good. In any case, all it seems to do is spam you into misery with pop up web pages... unless you download the help it requests... then it is katie bar the door. Nick Gilliland Posted December 3, 2007 9:13 AM
- Some of the email attacks that you mention could be thwarted by scanning email messages that display an http link that is innocuous while the source code is for another, malicious link. I look at source code if I am concerned about the message and then delete the email without opening it, if it is suspicious. Stephen Taylor Posted November 30, 2007 11:57 AM
- Looks like things are going to become very difficult to keep going. It is getting scary out here. Does anyone online have any ideas? Wilma V Ranger Posted November 28, 2007 4:00 PM