Going Overboard on Threats

10:05 AM -- It's the end of the year, which can only mean one thing: It's look-back, look-ahead season.

Every security expert you ever heard of -- and some you've never heard of -- is now offering his opinion on the worst threats of 2007 and the most dangerous threats of 2008. What's ironic is that virtually all of these "industry" estimates and predictions offer a different conclusion.

Infoblox and OpenDNS, among others, say we should be watching out for the threat to DNS servers. "Many organizations today manage their internal DNS, but leave their Internet-facing DNS wide open to abuse their network and act as a vector for malicious activity," says David Ulevitch, CEO of OpenDNS. (See DNS Servers in Harm's Way.)

Experts at the SANS Institute, on the other hand, say DNS is no longer even in its Top 20 list of vulnerabilities. SANS says the two chief threats for 2008 are Web applications holes and client-side flaws -- basically dumb developers and dumber end users. Flaws in Microsoft Windows also continue to be a critical vulnerability, the research and training organization says. (See Client, Application Flaws Top SANS Vulnerability List.)

Research firm Telus, which provided its analysis publicly for the first time this year, agrees that Web application flaws are important -- but it rates the venerable buffer overflow as the industry's top threat. And unlike SANS, Telus says Windows threats are on the decline. (See Buffer Overflows Are Top Threat, Report Says.)

About a dozen researchers and vendors say we should be watching out for identity theft and online fraud, which is expected to hit an all-time high this holiday season. The cost of cyberfraud will hit $3.6 billion this year, according to security firm CyberSource. (See Cybercriminals Ready for Banner Holiday Shopping Season.)

But AirDefense says the biggest threat to retailers is not in the stores, or even on the Web -- it's hackers breaking into retailers' corporate networks using absurdly simple wireless attacks, which can be accomplished from any shopping mall parking lot. (See Many Retailers Open to Wireless Attacks.)

And we haven't even mentioned the international threat from cyberwar and cyberterrorism, which was cited as a chief danger in the annual Virtual Criminology Report issued by McAfee last week. (See Cyberwarfare Now 'Business as Usual'.)

So here's my question: Out of all of these so-called "industry" reports, which ones should we give credence to? If there is a "top threat," which one is it? It seems like all of these experts and pundits should present their threats American Idol-style and we should get to vote on which one we're most afraid of. ("I don't know, Paula, that one just didn't scare me all that much.")

Seriously, does it really matter which threat is the worst? If I'm on the Titanic, which should I worry the most about: the presence of icebergs, the potential for overflow in water-tight compartments, or the horrific shortage of lifeboats? Couldn't any one of those threats kill me?

If you're a security manager, you've got to worry about all of the threats, not just the ones that place highest on somebody's list. True, you have to set priorities, and maybe these reports help do that in some way. But in the end, you can still get drowned by the least-likely threat.

Maybe we should spend less time making lists -- and more time correcting all of the vulnerabilities we know to be there.

— Tim Wilson, Site Editor, Dark Reading