Gartner presents top ten threats
1. Viruses and Worms
2. Outside Hacking or Cracking
3. Identity Theft and Phishing
4. Spyware
5. Denial of Service
6. Spam
7. Wireless and Mobile Device Viruses
8. Insider Threats
9. Zero Day Threats
10. Social Engineering
11. Cyber-Terrorism
I fail to understand how social engineering and zero-day threats can be ranked so low, and how viruses and worms, spyware and spam can be placed so high. Why?
First, let's look at the nature and sophistication of these different "hacks". Viruses, worms and spam are undirected and often (often!) not very sophisticated. They are automated and more or less easily spotted, which is why there are numerous tools to detect and respond to them: antivirus, antispyware and different kinds of spam filters. The tools we have do a good job of protecting us and our computers from these kinds of attacks. So why are they considered such a big threat? I'd guess it's because every single corporation and every single user is affected and attacked by them; no one is left out. There is also plenty of evidence of incidents with severe economic effects (Blaster even managed to take down an entire power plant), so the consequences of a virus outbreak are well documented.

However, I think that if the available tools are incorporated and properly used, the threat from them should not be rated this high. Don't misunderstand me: they present a serious threat, but not a bigger one than social engineering and the various zero-day threats. Just look at the possible effects and consequences of a successful attack. Sure, a flood from a network worm will impact network performance, disturb the user and possibly disclose some information; a directed, sophisticated attack, on the other hand, will most likely disclose information or do serious harm to the targeted network.
Now let's look at attacks of a more directed type, like zero-day threats. Do we have any tools to defend ourselves against these? No! Antivirus vendors have trouble detecting new, as yet unknown viruses. IDSs have a hard time spotting new, unidentified exploits. Likewise, how do we spot a social-engineering attack? That is mainly a people problem (trust etc.) and therefore hard to address with computer-based solutions (and therefore out of my scope ;). But wouldn't a threat that is hard to mitigate be considered more severe? For a home user I would consider viruses, worms, spam and spyware to be the greatest threats, because home users aren't targeted by sophisticated directed attacks. But corporations are! And they have the tools and knowledge to buy and incorporate defences. So what's left for them? The attacks that can't be defended against, perhaps? Zero-day exploits are one example of those...
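To make the point about signature-based tools concrete, here is an added example that is not part of the original post: a toy Python detector run over constructed HTTP request lines. The traffic, the single signature and the tuning factors are all assumptions made for this example, not anything Gartner or the post describes. A published signature catches exactly the attack it was written for and nothing else; a crude anomaly baseline learned from known-good traffic also flags the URL-encoded variant and the oversized request, at the price of needing tuning against false positives.

```python
"""Toy detector contrasting signature matching with a simple anomaly baseline.

All request lines below are constructed for this example (not real traffic).
"""
import re
import statistics

# Constructed "known good" traffic used to learn a baseline.
BENIGN_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /search?q=security+blog HTTP/1.1",
]

# Constructed suspect lines: the first matches a published signature, the other
# two are "new" variants that no signature author has seen yet.
KNOWN_TRAVERSAL = "GET /../../../../etc/passwd HTTP/1.1"
ENCODED_TRAVERSAL = "GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1"
LONG_PAYLOAD = "GET /cgi-bin/a?" + "A" * 300 + " HTTP/1.1"

# Signature database: the only thing a signature-based IDS can ever match.
# (Hypothetical single rule, assumed for this example.)
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
}


def signature_matches(line):
    """Return the names of every signature that fires on `line`."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]


def special_ratio(line):
    """Fraction of characters that are neither alphanumeric nor a space."""
    specials = sum(1 for c in line if not (c.isalnum() or c == " "))
    return specials / len(line)


def build_baseline(lines):
    """Learn (mean length, max special-character ratio) from benign traffic."""
    mean_len = statistics.mean(len(line) for line in lines)
    max_ratio = max(special_ratio(line) for line in lines)
    return mean_len, max_ratio


def is_anomalous(line, baseline, len_factor=3.0, ratio_factor=1.5):
    """Flag a line that is far longer than normal or unusually symbol-heavy.

    The two factors are arbitrary tuning knobs chosen for this example; in a
    real deployment they are what separates detection from false positives.
    """
    mean_len, max_ratio = baseline
    too_long = len(line) > len_factor * mean_len
    too_symbolic = special_ratio(line) > ratio_factor * max_ratio
    return too_long or too_symbolic


def classify(line, baseline):
    """Run both detectors on one line and report what each one saw."""
    return {
        "signatures": signature_matches(line),
        "anomalous": is_anomalous(line, baseline),
    }


def run_demo():
    """Classify one benign and three suspect lines; returns label -> result."""
    baseline = build_baseline(BENIGN_REQUESTS)
    samples = [
        ("benign", BENIGN_REQUESTS[1]),
        ("known traversal", KNOWN_TRAVERSAL),
        ("encoded traversal", ENCODED_TRAVERSAL),
        ("long payload", LONG_PAYLOAD),
    ]
    return {label: classify(line, baseline) for label, line in samples}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:18s} signatures={result['signatures']} "
              f"anomalous={result['anomalous']}")
```

Running it shows the signature firing only on the plain traversal string, while the encoded traversal and the 300-byte payload sail past it; the anomaly rule flags all three. The anomaly rule is deliberately crude and would also fire on legitimate but unusual requests, which is exactly the trade-off that makes "unknown" attacks hard to handle with off-the-shelf tooling.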
The categories are a little strange too. What's the difference between a zero-day attack and an outside hack? Can't a zero-day exploit be used in an outside hack? Phishing is also often considered a social-engineering attack, because it exploits the user's trust.
