Internet Security Systems - AlertCon(TM)

Preview of the 2008 X-Force Trend and Risk Report

Posted by Holly Stewart on January 30, 2009 at 2:12 PM EST.

We've been working feverishly over the past few months pulling data and doing analysis for the 2008 X-Force Trend and Risk Report due out on Monday.  The report contains a LOT of data and probably way too many pages for its own good.  So, I thought I'd highlight some of the more interesting findings here to help you navigate to the real gems when it comes out.

When Is a Critical Vulnerability Really Critical?
The security industry has countless ways to score and prioritize vulnerabilities to plan appropriate responses to them.  But are we doing enough?  With the sheer volume of disclosures, and with more and more organized crime rings taking advantage of some of them, how can we better assess when we should sound the alarm?  Tom Cross delves into this question with a detailed analysis of what did and did not "happen" in 2008 and how we might better assess the exploitation probability of new vulnerabilities in 2009.

The Vulnerable Web
Everyone knows that Web sites are prone to vulnerabilities and exploitation, but do we really know how badly off we are?  Some new findings about patching, exploitation, and the use of ActiveX controls will shed light on how severe this problem has become.  Even spammers are finding ways to exploit trusted Web sites to increase their readership!

Operating System Vulnerabilities
New for this year's report is an analysis of the most vulnerable operating systems... and it's not who most of you would expect!

Fastest-Growing Method of Personal Computer Exploitation
Browser-related exploits are still number one when it comes to personal computers.  However, new methods of web-based exploitation are on the horizon, led by a jump in vulnerability disclosures affecting this up-and-coming category of client-side vulnerabilities and marked by a huge uptick in web-based exploitation in the last quarter of 2008.

Look for these topics and more in the report on Monday!

-Holly
