Governments have had to target themselves with phishing attacks in order to highlight weak points in their security and protect national secrets from espionage, according to a report published this week by Sans.
Malicious attackers are increasingly setting their sights on targeted phishing attacks, or "spear" phishing, and custom-built applications, pushing these two areas into Sans' Top 20 Internet Security Risks of 2007.
The report, released on Tuesday, provides a glimpse into the nefarious activities of online attackers and the issues faced by security firms.
"Spear phishing has had its most critical and damaging impact in military and civilian government organisations and military contractors who build weapons and more," said Alan Paller, Sans Institute research director.
He estimated that 90 percent of the attacks that caused the greatest damage over the past 18 months targeted the military and government entities, as well as defence contractors. Corporate executives are also increasingly finding themselves as targets of spear phishing.
"It's done as an act of espionage, and not so much for economic gain," Paller said during a press conference with other security experts to release the report.
A chief information officer at a mid-sized federal agency, for example, discovered that his own computer was sending data to China without his knowledge, according to a composite case cited in the report.
And in an effort to tackle the weakest security link in an organisation, one federal agency has taken the unusual step of sending a benign version of a phishing attack to its own employees, then giving those who take the bait further education on the security measures they should be taking.
Phishing is used for economic gain, as a means to lure users into giving up their log-on and passwords, as well as such sensitive information as Social Security numbers and bank accounts.
Custom-built applications have also gained favour with malicious attackers, because developers take a lackadaisical approach to designing security into the software. Attackers previously concentrated their efforts on widely deployed software.
Other frequent attack targets cited on the list include Web browsers, Office software, e-mail clients and media players on the client side, while Windows services, Unix and Mac OS services and database software were listed on the server side of the equation.
Unencrypted laptops and removable media, as well as VoIP servers and phones, also made it on the list.