The Top Ten Cybersecurity Threats for 2008 – Final Draft

As promised, here is the final draft of my perspective on the top ten cybersecurity security threats for 2008. 

I reviewed many prior “top ten” threat lists and noticed most of them accidentally confuse vulnerabilities and threats, listing vulnerabilities as threats.   In my review, I could not find any “top ten” threat lists which attempted to use, or follow, the security professional’s textbook definition of threats.   Even the 2008 McAfee list makes this common mistake, listing Window’s Vista and VoIP as “threats” when, technically speaking, they are vulnerable systems (McAfee’s graph in their PDF has the caption “Windows Vulnerabilities” – this speaks for itself.)

My goal was not to create “yet another vulnerability list.”  Instead, my objective was to create a top ten cybersecurity threat list which actually focuses on threats, not vulnerabilities.  Please feel free to comment, as there is certainly room for improvement.   Your comments are very welcome as we rapidly approach 2008.   Thanks!

Top Ten Cybersecurity Threats for 2008

   — Cyber masquerading to abuse, attack, blackmail, bully, extort, or molest.

   — Password and identity theft from phishing, spyware, malware and theft of hardware.

   — Criminal use of botnets and botnet-like technologies.

   — Cyberbullying, cyberterrorism and other forms of electronic violence.

   — Subversion of democratic political processes.

   — Criminal manipulation and subversion of financial markets.

   — Spying by governments, industry and criminals.

   — Denial-of-service attacks.

   — Sabotage, theft and other attacks by disgruntled employees and insiders.

   — Cyberspace vandalism.

©2007 Tim Bass – All Rights Reserved

11 Responses to The Top Ten Cybersecurity Threats for 2008 – Final Draft

  1. Mike Smith says:


    – I assume “cyberbulling” should be “cyberbullying”

    – I don’t think password and identity theft are ends so much as means to an end, usually to commit fraud either online or off.

    – What criminal use of botnets did you have in mind besides password and identity theft or DDoS attacks?

    – You’ve got an extra “and” in the disgruntled employees entry

  2. Tim Bass says:

    Hi Mike!

    Thank you for finding the typos.

    I’ll address your issues / questions when I consolidate all the comments that are coming in here, via email, and on LinkedIn.

    Yours faithfully, Tim

  3. Glenn Watt says:

    As the VP, Global Security and Privacy at Medidata Solutions, I am seeing an emerging threat that I call “Kneejerk Network Paralysis” (KNP). KNP occurs when corporations, ISPs and even government agencies react to threats that have exploited vulnerabilities in a manner that effectively paralysis their ability to conduct business. A recent example involved the blacklisting of an entire set of /16 addresses were blocked because five to ten specific addresses were conducting malicious attacks. The block did stop the malicious attacks, but thousands of legitimate addresses could no longer exchange data with the organization that had blacklisted them. KNP is clearly a self-imposed denial of service, and as such is a threat.

  4. Tim Bass says:

    Hi Glenn,

    Great comment and wonderful to hear from you. There was another comment, with humor added, in the CISSP Yahoo! eGroup, where Anton Aylward replied:

    “Re: [cisspforum] The Top Ten Cybersecurity Threats for 2008 – Final Draft

    Tim Bass said the following on 06/12/07 08:43 AM:
    > [..]
    > In my review, I could not find any “top ten” threat lists which
    > attempted to use, or follow, the security professional’s textbook
    > definition of threats. Even the 2008 McAfee list makes this common
    > mistake, listing Window’s Vista and VoIP as “threats” when, technically
    > speaking, they are vulnerable systems (McAfee’s graph in their PDF has
    > the caption “Windows Vulnerabilities” – this speaks for itself.)

    That would make “Microsoft”, “Microsoft’s programmers” or possibly
    programmers in general the “threat”. –Anton Aylward

    Yours sincerely, Tim

  5. Tim, I think your list looks great!!

    Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
    IT Security Officer
    Brown University

  6. Lea Viljanen says:

    A couple of points. First of all, I would glue together cyber bullying (#4) and cyber vandalism (your #10) under some kind of electronic violence heading. Combined with #1 I can’t see this problem area covering 3/10 of top ten threats.

    Secondly, I would add at least accidental exposure of personal data, which may be caused by several vulnerabilities. For example unclear or non-existent security policies (i.e people sending records around unencrypted). It may also be caused by other common vulnerabilities, such as problems in web applications (see the Canada passport thing, link below).

    Also SPAM will still be a threat. While our e-mail filtering is beginning to cope with the flood, unsolicited advertising will start to creep to other channels (VoiP calls, IM, Web 2.0 services etc). Probably better heading for this threat would be something like “diminished productivity gains because of unsolicited commercial content”.

    Besides, I would remove the word “cyber” from a lot of the threats.

  7. Bill Marlow says:

    Tim – Most of your list is really about enterprise computers only – I would include communication in the mix of “cyber”. I have been working on VoIP and GSM Voice and data thefts. From a threat standpoint – it is – in order – Governments, Organized Crime, Competitors and Terrorists (including blackmailers). This is the “dirty little world” that no one talks about.

    I would change the list into the top 5 technology threats (Bots, vandalism/bulling/etc, Communications, identity theft, false authentication) and Top 5 Organizations (Governments, Organized Crime, Terrorist, Political Activists, People Gone Bad).

    Just some thoughts –


  8. Gary Hinson says:

    Hi there. Glad to see someone taking “threat” seriously. Like you, I get frustrated by those who confuse threat, vulnerability, impact and risk [aside: maybe there’s mileage in drawing up top-10 lists for threats, vulnerabilities and impacts, and then consolidating them into a top 10 infosec risks for 2008? It would be an interesting collaborative project. I’ll suggest it via CISSPforum …].

    As to your list, what about the accident and disaster threats, as a whole? Accidental misconfiguration of systems. Accidental entry of invalid data. Bugs. Floods, fires, tornados, storms. That’s an entire class of threats that is every bit as threatening today as it ever was.

    At least, in my book they count as threats! The equivalent vulnerabilities would be things such as: all eggs in one basket; badly located operations; poor software/hardware QA; excessive complexity; excessive changes; missing or inadequate controls such as fire/flood prevention measures and alarms.

    Kind regards,

  9. Al Gartner says:

    Aging technology I think is going to start getting more prevalent in the next year. I’ve walked through many datacenters and am still in awe as to how much ‘beige’ I see in some of these places. Companies like to push availability – the ‘five nines’, without necessarily understanding the need to maintain hardware and software currency. Instead of executing routine maintenance, systems are simply pushed 24x7x365 until they fall over. Certainly not all organizations are susceptible to this – some do get it, but those that do not will find themselves falling what could be called ‘self-inflicted’ denial-of-service as they experience critical failures of aging infrastructure.

  10. Hi Tim,

    I think your list looks great! I will think about this some more and if I come up with anything I’ll let you know.


  11. Don’t forget the users :-), that must be the greatest threat…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: