Key highlights in the IBM X-Force 2011 Trend & Risk Report
Posted by Leslie Horacek on March 22, 2012 at 4:59 AM EDT.
Today we announced the IBM X-Force Trend & Risk report for the year end 2011.
While some positive trends and improvements have emerged, attacker’s methods continue to adapt.
This is the first report under the new IBM Security Systems division. As such, we are pooling together data and intelligence from many of the IBM Security organizations like Q1 Labs, IBM AppScan OnDemand services, GTS Emergency Response Services, Identity and Access Management solutions, Cloud Strategy, CIO’s office, Infosphere Guardium, Managed Security Services and the X-Force Research and Development team.
2011 was a landmark year for IT security. If you remember, at the mid-year reporting we began discussing the frequent reports of data leaks, DoS attacks, and social Hacktivism. These daily headline incidents were so pervasive in both frequency and scope, that IBM X-Force declared 2011 the “year of the security breach”. Things didn’t change much by year end. This attack activity persisted. Enterprises around the world continue to face tremendous challenges running their businesses and protecting their assets in an increasingly connected world.
But as this report’s data shows, a somewhat contradictory course is unfolding, just as attackers are coming on full force in 2011, so too have the improvements in computer security in 2011 as companies have begun embracing better practices.
Here are highlights on some of those improvements:
Thirty percent decline in the availability of exploit code
When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30 percent fewer exploits were released in 2011 than were seen on average over the past four years. This improvement can be attributed to architectural and procedural changes made by software developers that help make it more difficult for attackers to successfully exploit vulnerabilities.
Decrease in unpatched security vulnerabilities
When security vulnerabilities are publicly disclosed, it is important that the responsible software vendor provide a patch or fix in a timely fashion. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years. In 2011 this number was down to 36 percent from 43 percent in 2010.
Decline in spam
IBM’s global spam email monitoring network has seen about half the volume of spam email in 2011 that was seen in 2010. Some of this decline can be attributed to the take-down of several large spam botnets, which hindered spammers’ ability to send emails. X-Force has been observing spam’s evolution through several generations over the past seven years as spam filtering technology has improved, and spammers have adapted their techniques in order to successfully reach targets.
Fifty percent reduction in cross site scripting (XSS) vulnerabilities due to Improvements in software quality
IBM X-Force team is seeing significant improvement in the quality of software produced by organizations that use tools like IBM AppScan OnDemand service to analyze, find, and fix vulnerabilities in their code. IBM found XSS vulnerabilities are half as likely to exist in customers' software as they were four years ago. However, XSS vulnerabilities still appear in about 40 percent of the applications IBM scans. This is still high for something well understood and able to be addressed.
So with all the good news this year for improvements with computer security, how has it been a landmark year?
Unfortunately, sophisticated attackers began adapting their techniques in response to these improvements.
We have observed that SQL injection continues to be a choice point of entry for attackers. Automated SQL injection attacks like LizaMoon are successfully scanning the Internet and exploiting vulnerable hosts. These SQL injection attacks have been common for a long time and still persist today.
X-Force witnessed several new attack trends towards the end of 2011 including 2 to 3 times more Shell Command Injection attack activity than was seen earlier in the year. Shell Command Injection vulnerabilities allow attackers to execute command-line instructions to gain control of a web server. With complete control over the content of the website, attackers then have the ability to modify the site so that visitors are redirected to exploits that install malware on their machines. Or, attackers can use the compromised web servers to act as a jump pad from which they can further target other systems and networks.
Spike in automated password guessing
Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet in which attacks scan the net for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell servers (SSH) in the latter half of 2011.
Increase in phishing attacks that impersonate social networking sites and mail parcel services
The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven’t been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.
Emerging Technologies Create New Avenues for Attacks
New technologies such as mobile and cloud computing continue to create challenges for enterprise security.
X-Force reported a 19 percent increase over the prior year in the number of exploits publicly released that can be used to target mobile devices. There are many mobile devices in consumers' hands that have unpatched vulnerabilities to publicly released exploits, creating an opportunity for attackers. IT managers should be prepared to address this growing risk.
Other areas of the report that are worth checking out:
Social media is no longer a fringe pastime - With the widespread adoption of social media platforms and social technologies, this area has become a target of attacker activity. IBM X-Force observed a surge in phishing emails impersonating social media sites. More sophisticated attackers have also taken notice. The amount of information people are offering in social networks about their personal and professional lives has begun to play a role in pre-attack intelligence gathering for the infiltration of public and private sector computing networks.
Cloud computing presents new challenges - Cloud computing is moving rapidly from emerging to mainstream technology, and rapid growth is anticipated through the end of 2013. In 2011, there were many high profile cloud breaches affecting well-known organizations and large populations of their customers. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data. Cloud security requires foresight on the part of the customer as well as flexibility and skills on the part of the cloud provider.
We encourage readers to not only check out the highlights listed here, but read the full report for contributions from our colleagues.
To view the full X-Force 2011 Trend and Risk Report and to watch the video please visit http://www-03.ibm.com/security/xforce/