
Human error, zero-day targeted attacks make up latest SANS Top 20


Few would dispute the powerful link between social engineering and the success of a cyberattack in today's financially driven threat landscape. So now, for the first time, the SANS Institute has named human error to its twice-annual Top 20 Internet Security Attack Targets list, a line-up that, until now, was reserved solely for technology.

Rohit Dhamankar, editor of the report, which was released this morning, said targeted social engineering attacks, known as spear phishing, are becoming more common across organizations, particularly military entities and government agencies. In these cases, for example, employees might receive an email that claims to come from the CEO but instead contains a malicious link.

If an end user falls for the scheme, his or her machine often ends up as part of a botnet, he said.

"It's targeted against specific organizations to get specific information," Dhamankar, who works as senior manager of security research at TippingPoint, told SCMagazine.com on Tuesday. "The weakest link is now being targeted. It's the end user falling for one of these emails."

Technology vulnerabilities still ruled the remainder of the Top 20 list. Included among them is a surge in exploits targeting web applications and non-Internet Explorer applications, such as Microsoft Office.

"Two years ago, hackers were targeting more servers which were administered by system administrators who are pretty well versed in security," Amol Sarwate, manager of the vulnerability research lab at Qualys, told SCMagazine.com today. "But now they are targeting client-side vulnerabilities…targeting common users who are not that security savvy."

But faster patching within organizations means cybercriminals must find flaws that have not yet been patched, giving rise to zero-day exploits.

"Automated patching is becoming more and more common," Dhamankar said. "There used to be a window of exploitation available for hackers but now…people are all patched. For a hacker to compromise a system, he has to have something which isn't patched yet."

Other notable threats mentioned in the latest list, previously named the Top 20 Internet Security Vulnerabilities, include a rise in voice over internet protocol (VoIP) attacks.

As more organizations deploy internet telephony, attackers are starting to focus attention on the technology's vulnerabilities, Dhamankar said. Exploits let them change settings or even take complete control of a VoIP network, which can then be used to spread phishing or denial-of-service (DoS) attacks.

The report also called attention to the increased risk organizations face when employees connect unauthorized devices, such as iPods or memory sticks, to the network, Dhamankar said. This not only allows malware to spread but also creates the risk that employees, either maliciously or accidentally, walk out with confidential company information.

"All the person has to do is walk in with a USB drive and go," he said. "You don't need any fancy network-based data transfer solutions."

Dan Kaplan
