Expert: Internet growth complicates security risks
- By Michael Arnone
- Nov 22, 2005
The Twenty Most Critical Internet Vulnerabilities (Updated) – The Experts’ Consensus
The spread of Internet technologies into telecommunications and Web-enabled devices, such as phones and handheld computers, will complicate information security risks during the next five years, a British chief information security official said today.
Telecom networks are converging, devices are including more functions, and both are using IP as the backbone of their infrastructure, said Roger Cumming, director of the United Kingdom’s National Infrastructure Security Co-ordination Centre (NISCC).
Those protocols are well-known to attackers compared with the “security through obscurity” obtained with older systems that few people understood, Cumming said.
Merging separate networks into one could cause problems by bringing to light known and unknown software vulnerabilities, he said.
Another concern is the growing malicious marketplace for government and commercial data, Cumming said.
Criminals have realized that they can make a fortune in extortion and identity theft, he said. That demand is making exploits more available to people who want to do damage, including terrorists.
Cumming’s observations were part of his comments on the SANS Institute’s latest update to its 20 Most Critical Internet Security Vulnerabilities in 2005 report, released today. The institute is a training and education organization for security professionals.
The institute, NISCC and the U.S. Computer Emergency Readiness Team explained the repercussions of findings from the institute’s report.
Ten of the vulnerabilities were in cross-platform applications installed on millions of systems, including backup software, antivirus software, database software and media players. Three affected network operating systems control routers, switches and other devices that form the Internet’s backbone. All 13 appeared as critical threats for the first time in the past 12 months.
The move from server-side attacks to client-side attacks in 2005 has given cybercriminals a tremendous advantage in their attacks on government and industry, said Alan Paller, director of research at SANS. Most client applications are not updated automatically with security patches, leaving large swathes of critical data unprotected.