Emerging attack patterns deserve especially close watch by IT executives, according to a recent report from the SANS Institute.
Two new risks that are difficult to defend against are critical vulnerabilities in Web applications and unsuspecting users.
“For most large and sensitive organizations the newest risks are the ones causing the most trouble,” says Allan Paller, director
of research at SANS. “The new risks are much harder to defend; they take a level of commitment to continuous monitoring and
uncompromising adherence to policy with real penalties, that only the largest banks and most sensitive military organizations
have, so far, been willing to implement.”
The SANS report of the Top 20 Internet security risks for 2007 warns of vulnerabilities in Web applications that enable the Web site to
be poisoned, the data behind the site to be stolen, and other computers connecting to that site to be compromised. The best
countermeasures are Web application firewalls, Web application security scanning, penetration testing services, and source code
testing tools. SANS emphasizes that organizations must ensure their developers are capable of secure coding and that they
work in a secure development life cycle.
The next threat is one that is difficult to address: that of gullible, busy and accommodating computer users who follow false
instructions outlined in spear phishing e-mails. This has led to empty bank accounts, compromise of major military systems
around the world, compromise of government contractors, industrial espionage and more nasty results.
Security awareness training is key, but won’t solve the problem. SANS suggests organizations send users periodic spear phishing
e-mails to test them – those who bite are cut off or educated. Another tactic is to deploy new monitoring and forensics systems
that constantly search traffic and systems for evidence of attacks.
In addition to the newer threats, IT managers can’t let up on fighting existing vulnerabilities either.