Security Testers! Are you ready for the Top 10 Security Threats for 2008?

Security Testers, Security Analysts, Penetration Testers, Vulnerability Assessors, pay attention! Security company McAfee has released a list of its top 10 predicted security threats for the year 2008. If you are a tester who gives importance to the security aspect of the product you are testing and who likes to do a security analysis based on the potential risks associated with the components of the AUT (Application Under Test), then this post might interest you. If you are not a software tester, don’t stop reading just yet! Knowledge of such threats can be helpful for any computer user, so read on. :)

McAfee Inc has released its top ten predictions for security threats for 2008. Researchers at McAfee Avert Labs expect an increase in Web dangers and threats targeting Microsoft Corp's Windows Vista operating system, among other new or increased threats. "Threats are increasingly moving to the Web and migrating to newer technologies such as VoIP and instant messaging," said Jeff Green, senior vice president of McAfee Avert Labs and product development. "Professional and organized criminals continue to drive a lot of the malicious activity. As they become increasingly sophisticated, it is more important than ever to be aware and secure when traversing the Web."

A popular proverb says, “you must know your enemy if you want to win the war”! As testers, we must know the security threats before we can plan out any strategy to combat them. And I feel it is important to know these threats before we plan out a risk-based testing strategy for the application we are testing. Having said that, this list of top ten security threats is NOT exhaustive. These are mere predictions by a reputed security company. We should also keep our eyes and ears open for other possible threats in addition to the ones mentioned in the list. Here is a summarized version of the list of security threats as released by McAfee for the year 2008:

1. Web 2.0 on Target – Attackers have started using Web 2.0 sites as a way to distribute malware and are data mining the Web, looking for information people share to give their attacks more authenticity. With more and more users looking for these types of websites, attackers are adapting and attempting to conduct malware attacks and other malicious actions through these pages. The recent Salesforce and MySpace attacks are instructive examples, with most attempts targeting users’ login credentials. As a tester, if you are testing a web application or social networking site that uses Web 2.0 standards, then this can be a matter of concern for you!

2. The Botnet Storm – A recently observed threat known as "Storm" exposed a new trend in malicious attacks on computers. Also known as "Nuwar", Storm created the largest peer-to-peer botnet ever. It has been the most versatile malware on record. The infections permanently change code and several file formats, making blocking and removal very difficult for the security technologies that are supposed to protect the data stored on hard drives. A number of PCs were turned into bots after the infection. Bots are computer programs that give cyber crooks full control over PCs. Bot programs typically get installed surreptitiously on the PCs of unknowing computer users. More such attacks are to be expected in 2008, according to McAfee.

3. You will hate this IM (Instant Malware) – Instant messaging clients continue to rise in popularity as many Internet users choose Yahoo Messenger, Windows Live Messenger or Skype to communicate on the web. For several years, researchers have warned of the risk of a self-executing instant-messaging (IM) worm. This threat could spread to millions of users and circle the globe in a matter of seconds. Although IM malware has existed for years, we have yet to see such a self-executing threat. And with the growing number of IM virus families, 2008 could be the year when we witness a devastating self-executing instant malware.

4. It’s all about Money – The threat to virtual economies is outpacing the growth of the threat to the real economy. As virtual objects continue to gain real value, more attackers will look to capitalize on this. The numbers and types of password-stealing Trojans are on the rise, the two favorite targets being the online gaming and banking industries.

5. Bull’s eye on Windows Vista – Once the market share of Windows Vista crosses the threshold of 10% and Vista becomes more prevalent (with the advent of Service Pack 1), professional attackers and malware authors may begin to see an impact on their businesses and expend some effort in exploring ways to circumvent the new operating system’s defense mechanisms. The old threats will still persist, but a new crop is on its way!

6. Virtualization Honeypot – As security vendors continue to embrace virtualization to create new, more resilient defenses to defeat complex threats, researchers, professional hackers, and malware authors will begin looking at ways to circumvent the new defensive technology.

7. VoIP Attack – Attacks on VoIP (Voice over Internet Protocol) applications should increase by 50 percent in 2008, according to McAfee. The technology is still new and defense strategies are lagging, making VoIP a favorite target for professional hackers.

8. Phishers to target less-popular sites – Phishing attacks have always been pretty efficient, as they use copies of genuine websites to trick users into entering their sensitive data (such as user ID, password, credit card number, etc.). Cyber criminals are getting smarter. They have learned that it’s tougher and riskier to target top-tier sites, which are attacked regularly and are prepared to respond more quickly. Knowing that a large percentage of people reuse their user names and passwords, malware writers are likely to target less-popular sites more frequently than before to gain access to primary targets using information gained from secondary-target victims.

9. Beware of Parasites – In 2007 several crimeware authors turned old school to deliver threats like Grum, Virut, and Almanahe: parasitic viruses with a monetary mission. The number of variants of an older parasitic threat, Philis, grew by more than 400 percent, while over 400 variants of a newcomer, Fujacks, were catalogued. McAfee is expecting continued interest in parasitic malware from the crimeware community, with overall parasitic malware expected to grow by 20 percent in 2008.

10. Adware Attacks – And finally, this one is like a breeze of cool air. Adware will diminish in 2008, according to McAfee. The combination of lawsuits, better defenses, and the negative connotation associated with advertising through adware helped start the decline of adware in 2006. And according to McAfee, this decline will continue in 2008. But still, the threat of adware attacks is serious enough to push it into the top 10 threats list for the year 2008.

Well, this concludes the list of top ten security threats for the year 2008 (what a nice way to welcome a new year)! Let’s see if the knowledge of the threats can help us (testers) in planning out a better strategy for our next security test plan while approaching risk-based testing. Wish you all a very Happy New Year 2008 ahead.

Happy Testing…

About Debasis Pradhan

Debasis has over a decade worth of exclusive experience in the field of Software Quality Assurance, Software Development and Testing. He writes here to share some of his interesting experiences with fellow testers.

