Top Security Threats for 2007
Funny, this article says exactly the opposite of what SANS had predicted. Alan Paller of SANS had said that there were already so many infected PCs that the number wasn't that likely to grow much further; they had basically reached a critical mass. In fact, the economics of botnets for rent were actually pretty fascinating. Initially, there was low demand but a big market, so the cost became artificially low, which drove demand artificially high, which in turn drove the cost back up. The numbers just aren't growing that fast anymore.

Paller's prediction (and I tend to agree) is that we'll see more application-side attacks. As SQL injection tools get better and better, we'll see the same botnets being used for application-layer reconnaissance: probes sent from those bots looking for XSS or SQL injection vulnerabilities.

My prediction is that not just video, but other media-format viruses will grow. A JPEG can be used to carry an arbitrary payload, and I'm kind of shocked that only one QuickTime bug was really exploited well.

I also predict that XSRF will continue to be a hot item. And I think that, with the level of organization the bad guys have, they'll be able to farm out blogs, ads, etc., to spread exposure to those attacks in a short amount of time.