Browser drive-by exploits top Internet threat list

The European Network and Information Security Agency (ENISA) has pegged drive-by exploits as the top cyber threat facing Internet users.

In a report published this week, the agency said attackers were targeting existing software on Internet-connected users' computers such as web browsers and plug-ins, as well as operating systems, for automatic infection through visits to legitimate but compromised websites.

Infections occur without any user interaction and often go unnoticed, ENISA said.

Java exploits are "the major cross-platform threat" but other browser plug-ins such as Adobe Reader and Flash are also targetted by attackers.

Devices running Google's Android operating system are also vulnerable to drive-by attacks, according to the agency.

Big data, cloud in sights

Big data is a double-edged sword when it comes to security, ENISA noted. On the one hand it can be used to improve security but on the other, "it is expected attackers are going to abuse big data in order to enhance their capabilities, collect intelligence. 

Attackers are also expected to use big data to better hide their actions, the agency believes.

Cloud computing is in attackers' sights too, ENISA noted.

"The concentration of vast amounts of data in few logical locations makes cloud computing attractive target for attackers," it stated.

In particular, large public clouds with big quantities of information are desirable targets for attackers, ENISA said.

The integration of cloud services in mobile devices present further attack surfaces according to the agency.

ENISA sees the threat landscape emerging with new targets coming onto the radar in six months to a year's time. The new targets include mobile computing thanks to BYOD and consumerisation of IT, with cloud services, social networking, business applications and more being integrated into devices.

Critical infrastructures will "definitely attract threat agents" as the impact on all levels of society from going after such targets is big, the agency states.

The above areas overlap with other targets such as trust infrastructure, cloud computing and big data, making for a complex threat landscape.

ENISA proposes several steps to fight cyber threats, such as employing common terminology in reports, featuring end-user perspectives and collecting intelligence around incidents that includes better evidence on attack methods and impact, but also information on those behind them.

Top ten security threats identified by ENISA:

1. Drive-by exploits
2. Worms and Trojan Horses
3. Code injection attacks
4. Exploit kits
5. Botnets
6. Denial of service
7. Phishing
8. Data breaches
9. Rogue and scareware
10. Spam