
Human error, zero-day targeted attacks make up latest SANS Top 20


Few would dispute the powerful link between social engineering and the success of a cyberattack in today's financially-driven threat landscape. So now, for the first time, the SANS Institute has named human error to its twice-annual Top 20 Internet Security Attack Targets list, a line-up that, until now, was reserved solely for technology.

Rohit Dhamankar, editor of the report, released this morning, said targeted social engineering attacks, known as spear phishing, are becoming more common across organizations, particularly military entities and government agencies. In these cases, for example, employees might receive an email claiming to come from the CEO but that instead contains a malicious link.

If an end user falls for the scheme, his or her machine often ends up as part of a botnet, he said.

"It's targeted against specific organizations to get specific information," Dhamankar, who works as senior manager of security research at TippingPoint, told SCMagazine.com on Tuesday. "The weakest link is now being targeted. It's the end user falling for one of these emails."
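The CEO-impersonation email described above usually relies on the display name, not the address, doing the convincing. The following is an added example (not part of the article or the SANS report) of a header check a mail gateway or SOC script could run: it flags a From header whose display name matches a known executive but whose address is not that executive's, a sender domain outside the organisation, and a Reply-To that points somewhere other than the apparent sender. The company domain, executive list and sample messages are constructed for illustration.

```python
"""Flag e-mail headers that look like executive impersonation (spear phishing).

Added example, not code from the original article. The domain, executive
directory and sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses
from typing import List

COMPANY_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed: name -> real address


def _normalize(name: str) -> str:
    """Lower-case a display name, strip quotes, and handle 'Doe, Jane' ordering."""
    name = name.lower().strip().strip('"')
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    return " ".join(name.split())


def _domain(addr: str) -> str:
    return addr.lower().rpartition("@")[2]


def check_from_header(raw_message: str) -> List[str]:
    """Return the reasons a message looks like executive impersonation.

    An empty list means none of the checks fired. Checks:
      1. display name matches a known executive but the address is not theirs
      2. sender domain is not COMPANY_DOMAIN (or a subdomain of it)
      3. Reply-To is set and points to a different domain than From
    """
    msg = message_from_string(raw_message)
    reasons: List[str] = []
    from_addrs = getaddresses(msg.get_all("From", []))

    for display, addr in from_addrs:
        expected = EXECUTIVES.get(_normalize(display))
        if expected and addr.lower() != expected:
            reasons.append(
                f"display name {display!r} matches an executive but sender is {addr}"
            )
        dom = _domain(addr)
        if dom and dom != COMPANY_DOMAIN and not dom.endswith("." + COMPANY_DOMAIN):
            reasons.append(f"external sender domain {dom}")

    reply_to = msg.get("Reply-To")
    if reply_to and from_addrs:
        for _, rt_addr in getaddresses([reply_to]):
            if _domain(rt_addr) != _domain(from_addrs[0][1]):
                reasons.append(f"Reply-To {rt_addr} does not match From domain")
    return reasons


# Constructed sample messages.
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n"
SPOOF = (
    'From: "Jane Doe" <ceo.jane@freemail-example.net>\n'
    "Subject: Urgent wire transfer\n\nPlease open the link below.\n"
)
REPLY_TO_MISMATCH = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: jane.doe.private@freemail-example.net\n"
    "Subject: Quick favour\n\nReply to me here.\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoof", SPOOF), ("reply-to", REPLY_TO_MISMATCH)):
        print(label, "->", check_from_header(sample) or "no findings")
```

This is a triage heuristic, not authentication: a compromised internal account or a forged From on a domain without SPF/DKIM/DMARC enforcement passes check 2, so the result should feed a rule that also consults those authentication results.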

Technology vulnerabilities still make up the remainder of the Top 20. Among them is a surge in exploits targeting web applications and client-side software beyond Internet Explorer, such as Microsoft Office.

"Two years ago, hackers were targeting more servers which were administered by system administrators who are pretty well versed in security," Amol Sarwate, manager of the vulnerability research lab at Qualys, told SCMagazine.com today. "But now they are targeting client-side vulnerabilities…targeting common users who are not that security savvy."

But faster patching inside organizations has narrowed the window in which known holes can be exploited, pushing cybercriminals toward flaws that have not yet been fixed and giving rise to zero-day exploits.

"Automated patching is becoming more and more common," Dhamankar said. "There used to be a window of exploitation available for hackers but now…people are all patched. For a hacker to compromise a system, he has to have something which isn't patched yet."

Other notable threats mentioned in the latest list, previously named the Top 20 Internet Security Vulnerabilities, include a rise in voice over internet protocol (VoIP) attacks.

As more organizations deploy internet telephony, attackers are starting to focus attention on the technology's vulnerabilities, Dhamankar said. Exploits allow them to change settings or even take complete control of a VoIP network, allowing for the spread of phishing or DoS attacks.

The report also called attention to the increased risk organizations face when employees connect unauthorized devices, such as iPods or memory sticks, to the network, Dhamankar said. This can not only allow for the spread of malware but also opens the risk of employees either maliciously or accidentally walking out with confidential company information.

"All the person has to do is walk in with a USB drive and go," he said. "You don't need any fancy network-based data transfer solutions."

Click here to email Dan Kaplan.
