I have been on the road so I am playing a bit of catch-up these days, but I saw this article a couple of days ago and it reinforced a couple of things I have been thinking about for a while.
The article discusses how attacks on and penetrations of computer systems are increasingly being committed by organized criminals looking for money rather than by crackers looking for recognition. This follows the pattern we have seen where the goal of attackers is no longer to “get root” on a machine. Rather, the attackers are targeting the information resources housed on the machine, because those are the assets that have value. Why go to all the trouble of trying to get root access to a server when you can just go through a web application, avoid all the intrusion detection systems, and get access to the information resource you were after anyway?
A lot of CSOs we work with are still overly concerned with preventing attackers from “getting root”, and that makes them focus too much on comparatively rare vulnerabilities like command injection when they should be focusing on the problems everyone has, like SQL injection and parameter/cookie tampering. Folks need to understand that “getting root” isn’t as cool as it used to be – these days attackers are trying to steal sensitive information assets and actually make some money.
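As an added illustration of the point above (example code, not part of the original post), here are the two flaws it names, SQL injection and parameter tampering, beside their fixes: in both cases the attacker walks off with the data rows directly through the application and never needs any privilege on the host. The table, rows and user names are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: accounts belonging to three different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 500), (2, "bob", 900), (3, "carol", 120)],
    )
    return conn


# SQL injection, vulnerable form: the owner value is spliced into the SQL text,
# so a crafted value rewrites the WHERE clause and returns every account.
def lookup_vulnerable(conn, owner):
    sql = f"SELECT id, owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


# Hardened form: a bound parameter is only ever compared as data, never
# parsed as SQL, so the same crafted value matches nothing.
def lookup_safe(conn, owner):
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Parameter tampering, vulnerable form: the account id comes straight from a
# request parameter or cookie. The query is parameterized (no injection), but
# nothing ties the id to the logged-in user, so changing it reads anyone's data.
def balance_vulnerable(conn, account_id):
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
    return row[0] if row else None


# Hardened form: the lookup is scoped to the authenticated session user on the
# server side, so a tampered id that belongs to someone else returns nothing.
def balance_safe(conn, session_user, account_id):
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ? AND owner = ?",
        (account_id, session_user),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))   # all three rows leak
    print(lookup_safe(db, "x' OR '1'='1"))         # []
    print(balance_vulnerable(db, 2))               # 900, bob's balance, for any user
    print(balance_safe(db, "alice", 2))            # None
```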
dan _at_ denimgroup.com