Internet security better but foul exploits grow, IBM says
- 24 March, 2012 07:30
IBM said it found surprising improvements in Internet security such as a reduction in application security vulnerabilities, exploit code and spam, but it also noted that those improvements come with a price: Attackers have been forced to rethink their tactics.
IBM's security group, X-Force, released its 2011 Trend and Risk Report, which draws on data from some 4,000 customers. The report showed the following:
• Spam out: a 50% decline in spam email compared to 2010.
• Better patching: Only 36% of software vulnerabilities remained unpatched in 2011, compared to 43% in 2010. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years.
• Higher quality of software application code: Web-application vulnerabilities called cross-site scripting (XSS) are half as likely to exist in clients' software as they were four years ago, IBM stated. However, XSS vulnerabilities still appear in about 40% of the applications IBM scans.
• Fewer exploits: When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30% fewer exploits were released in 2011 than were seen on average over the past four years.
Of course there is a dark side. These are the new security problem trends IBM reported:
• Shell command injection vulnerabilities more than doubled: For years, SQL injection attacks against Web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a website. As progress has been made to close those vulnerabilities -- the number of SQL injection vulnerabilities in publicly maintained Web applications dropped by 46% in 2011 -- some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on a Web server. Shell command injection attacks rose by two to three times over the course of 2011.
• Automated password guessing: Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet, in which attackers scan the Internet for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell servers in the latter half of 2011.
• Increase in phishing attacks that impersonate social networking sites and mail parcel services: The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven't been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to Web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.
• Publicly released mobile exploits up 19% in 2011: This year's IBM X-Force report focused on a number of emerging trends and best practices to manage the growing trend of "bring your own device," or BYOD, in the enterprise. IBM X-Force reported a 19% increase over the prior year in the number of exploits publicly released that can be used to target mobile devices.
• Cloud computing presents new challenges: In 2011, there were many high-profile cloud breaches affecting well-known organizations and large populations of their customers. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data, IBM said. The IBM X-Force report notes that the most effective means for managing security in the cloud may be through Service Level Agreements (SLAs), because of the limited control that an organization can realistically exercise over the cloud computing service. Therefore, careful consideration should be given to ownership, access management, governance and termination when crafting SLAs, IBM stated.
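The shell command injection class the report singles out comes down to one coding habit: splicing user input into a string that is then handed to a shell. The added example below is not from the IBM report or the article; it is a constructed illustration of a Web handler that pings a user-supplied host, showing the vulnerable string-building form next to a hardened form that validates the value against a hostname allowlist and passes an argument list with no shell involved. The hostnames and the hostile input are constructed sample values.

```python
import re
import shlex
import subprocess

# Constructed sample inputs: one benign, one carrying a shell metacharacter.
BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; cat /etc/passwd"

# Strict allowlist for a DNS hostname: labels of letters, digits and hyphens,
# joined by dots. Anything a shell would interpret (; | & $ ` spaces) cannot match.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(host):
    """The vulnerable pattern: the user's value is concatenated into a command
    line that would be executed with shell=True, so the shell, not the
    program, decides where the argument ends."""
    return "ping -c 1 " + host


def shell_tokens(command):
    """Tokenise a command line the way a POSIX shell would, with operators such
    as ';' and '|' emitted as their own tokens. Used here only to show what the
    shell would see; nothing is executed."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lex)


def build_command_safe(host):
    """Hardened form: reject anything that is not a plain hostname, then return
    an argv list. Passing a list to subprocess with shell=False means the host
    value is always exactly one argument, whatever characters it contains."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]


def run_lookup(host):
    """Execute the validated command without a shell (hypothetical handler body)."""
    argv = build_command_safe(host)
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    print("unsafe string:", build_command_unsafe(HOSTILE_HOST))
    print("what the shell would run:", shell_tokens(build_command_unsafe(HOSTILE_HOST)))
    print("safe argv:", build_command_safe(BENIGN_HOST))
    try:
        build_command_safe(HOSTILE_HOST)
    except ValueError as exc:
        print("rejected:", exc)
```

The token dump makes the defect concrete: the shell splits the unsafe string into two commands, `ping -c 1 example.com` and `cat /etc/passwd`. The argv list plus allowlist removes the shell from the path entirely, so the same input is either rejected or delivered to `ping` as a single opaque argument.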
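The automated SSH password guessing the report describes leaves a very recognisable trace in the server's authentication log. The added example below is not from the IBM report or the article; it is a small detector, run over constructed OpenSSH-style log lines, that flags a source address once it produces a burst of failed logins inside a sliding time window and escalates the finding if that same address then logs in successfully. The host name, addresses and timestamps are constructed sample values; the threshold and window are assumed tuning parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: one address cycles through usernames and then
# gets in; a legitimate user mistypes once and later authenticates with a key.
SAMPLE_LOG = """\
Mar 24 07:30:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Mar 24 07:30:02 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 4413 ssh2
Mar 24 07:30:03 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 4414 ssh2
Mar 24 07:30:04 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 4415 ssh2
Mar 24 07:30:05 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 4416 ssh2
Mar 24 07:30:09 web1 sshd[2111]: Accepted password for root from 203.0.113.5 port 4417 ssh2
Mar 24 07:31:10 web1 sshd[2113]: Failed password for alice from 198.51.100.7 port 50022 ssh2
Mar 24 07:31:20 web1 sshd[2115]: Accepted publickey for alice from 198.51.100.7 port 50023 ssh2
Mar 24 09:00:00 web1 sshd[2117]: Failed password for bob from 198.51.100.7 port 50030 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_line(line, year=2011):
    """Return a dict for an auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so one is supplied (assumed 2011 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m.group("outcome"), "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detector: an IP is flagged when it accumulates `threshold`
    failed logins within `window`. A later successful login from a flagged IP
    while failures are still inside the window is recorded as the higher-severity
    'accepted_after_burst' finding, with the account that was opened."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures in window
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and ts - q[0][0] > window:   # drop failures that aged out of the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append((ts, ev["user"]))
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"peak_failures": 0, "usernames": set(),
                                             "accepted_after_burst": None})
                f["peak_failures"] = max(f["peak_failures"], len(q))
                f["usernames"].update(u for _, u in q)
        elif ip in findings and q:
            # Success from a flagged source with failures still in the window.
            findings[ip]["accepted_after_burst"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

On the sample data only 203.0.113.5 is flagged: five failures in four seconds across three usernames, followed by an accepted password for root, which is the case an analyst should treat as a likely compromise rather than just noise. The single mistyped password from 198.51.100.7 never reaches the threshold, and its later failure at 09:00 is outside the window, so it produces no finding.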
Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.