Few would dispute the powerful link between social engineering and the success of a cyberattack in today's financially-driven threat landscape. So now, for the first time, the SANS Institute has named human error to its twice-annual Top 20 Internet Security Attack Targets list, a line-up that, until now, was reserved solely for technology.
Rohit Dhamankar, editor of the report, released this morning, said targeted social engineering attacks, known as spear phishing, are becoming more common across organizations, particularly military entities and government agencies. In these cases, for example, employees might receive an email claiming to come from the CEO but that instead contains a malicious link.
If an end user falls for the scheme, often times his or her machine winds up as part of a botnet, he said.
"It's targeted against specific organizations to get specific information," Dhamankar, who works as senior manager of security research at TippingPoint, told SCMagazine.com on Tuesday. "The weakest link is now being targeted. It's the end user falling for one of these emails."
Technology vulnerabilities still ruled the remainder of the Top 20 list. Included among them is a surge in exploits targeting web applications and non-Internet Explorer applications, such as Microsoft Office.
"Two years ago, hackers were targeting more servers which were administered by system administrators who are pretty well versed in security," Amol Sarwate, manager of the vulnerability research lab at Qualys, told SCMagazine.com today. "But now they are targeting client-side vulnerabilities…targeting common users who are not that security savvy."
But faster patching within organizations means cybercriminals are getting even craftier in their discoveries, thus giving rise to zero-day exploits.
"Automated patching is becoming more and more common," Dhamankar said. "There used to be a window of exploitation available for hackers but now…people are all patched. For a hacker to compromise a system, he has to have something which isn't patched yet."
Other notable threats mentioned in the latest list, previously named the Top 20 Internet Security Vulnerabilities, include a rise in voice over internet protocol (VoIP) attacks.
As more organizations deploy internet telephony, attackers are starting to focus attention on the technology's vulnerabilities, Dhamankar said. Exploits allow them to change settings or even take complete control of a VoIP network, allowing for the spread of phishing or DoS attacks.
The report also called attention to the increased risk organizations face when employees connect unauthorized devices, such as iPods or memory sticks, to the network, Dhamankar said. This can not only allow for the spread of malware but also opens the risk of employees either maliciously or accidentally walking out with confidential company information.
"All the person has to do is walk in with a USB drive and go," he said. "You don't need any fancy network-based data transfer solutions."
Click here to email Dan Kaplan.