Key highlights in the IBM X-Force 2012 Trend & Risk Report
Posted by Leslie Horacek on September 20, 2012 at 9:07 AM EDT.
I’m happy to announce that today the IBM X-Force Mid-Year 2012 Trend and Risk report is out the door!
If you remember, early in 2011, IBM X-Force declared it the year of the security breach. Enterprises both large and small were targeted. In 2012, the trend has continued and the topic of security breaches quickly rose to the top of discussion lists from board rooms to blogs and to major media. Executives and security professionals around the world have had to assess and understand just how well they might be doing in this combustible environment of attack activity. They continue to ask the hard questions about how to secure an enterprise that is interconnected by means of cloud, mobile, and outsourcing technologies.
As a security research organization, IBM X-Force has traditionally viewed security breaches with a technical focus. However, we have modified our view of attacks and breaches over time to encompass a greater business context.
So let’s dive into those highlights…
New Attack Surfaces with Equal Opportunity Exploits
Since the last X-Force Trend and Risk Report, IBM’s X-Force has seen an increase in malware and malicious web activities.
A continuing trend for attackers is to target individuals by directing them to a trusted URL or site which has been injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. The websites of many well-established and trustworthy organizations are still susceptible to these types of threats. These equal opportunity exploits allow attackers to create a common code base for distributing malware across Windows, Mac, and in some cases even Linux.
As the user base of the Mac operating system continues to grow worldwide, it is increasingly becoming a target of Advanced Persistent Threats (APTs) and exploits, rivaling those usually seen on Windows platforms.
Reviewing the state of Mac malware during the first half of 2012, we observe three major developments.
• First, the utilization of browser-related exploits towards malware installation, which had to that point been a problem exclusive to Windows users.
• Second is the emergence of Mac Advanced Persistent Threat (APT) malware. X-Force expects Mac APT malware to become more ubiquitous over time. So far, the Mac APT malware is just designed for information theft, though the attackers have leveraged exploits in Microsoft Office for Mac documents as well as Java vulnerabilities to facilitate infection.
• Third is the emergence of even more sophisticated technology towards anti-reverse engineering and rootkit features, such as in the recent OS X malware, Crisis.
Apple has released additional security features in the most recent version of OS X, Mountain Lion. X-Force, however, will not be surprised if attackers, APT-related or just financially motivated, find ways to continue on the OS X platform.
What is a Secure Password?
The overall breach trend continues into 2012, as several major high profile businesses have had to deal with the fallout of leaked passwords and other personal data.
The connection between websites, cloud-based services, and webmail provides a seamless experience from device to device, but users should be cautious about how these accounts are connected, the security of their password, and what private data has been provided for password recovery or account resetting. X-Force recommends the use of a lengthy password comprised of multiple words instead of an awkward combination of characters, numbers and symbols.
On the server-side, X-Force recommends encrypting passwords to the database using a hash function that is suitable for password storage. The hash function should be computationally expensive to calculate and use a salt value for each user account which helps limit the effectiveness of 'rainbow tables' and brute force dictionary attacks.
Hand in hand: Cross-site scripting and SQL injection attacks
Since our last IBM X-Force Trend and Risk Report, we continue to see steady growth in SQL injection, keeping pace with the growth of cross-site scripting and directory traversal commands such as HTTP “DotDot” commands. These three exploit types become very powerful when they are used together.
In addition, over 51% of all web application vulnerabilities reported so far in 2012 are now categorized as cross-site scripting.
Emerging Trends in Mobile Security – declining vulnerabilities and exploits
IBM X-Force has found that, in the first half of 2012, reported mobile vulnerabilities and exploits are down to the lowest levels since 2008. We think there are multiple things going on. First, mobile operating system developers continue to invest with both in-house discoveries of vulnerabilities as well as enhancements to their security models to prevent vulnerabilities from being successful. Next, as is typically the case with a new area like mobile, we tend to observe an initial spike in discoveries, but then as the easier bugs disappear, and hard to exploit ones are left, there is a lag between when researchers and attackers discover techniques to overcome previously perceived limitations.
Bring your own device (BYOD) policies and Patching
Most organizations are either coping with bring-your-own-device (BYOD) paradigms or in the process of figuring out how to make it work. While this is partly a discussion about mobile security challenges, it is also about best practices and policies and the overhead in working towards a useable framework.
X-Force key messages about “Bring your own device” programs:
• More than one-half of CISOs say mobile security (including bring-your-own-device) is their greatest near-term technology concern.(2012 IBM CISO Study)
• To make BYOD work within your company, a thorough and clear policy should be in place before the first employee-owned device is added to the company’s infrastructure. X-Force recommends six areas of focus for “Making BYOD work” within the enterprise in our report.
• Mobile security technologies are making progress, but patching is becoming a real concern - which is important as we’ve witnessed compromise of nearly every mobile operating system at every version.
Improvements in Internet Security Continue
As discussed in the last report, there continues to be progress in certain areas of Internet security.
IBM X-Force 2012 data reports a continuing decline in true exploit releases, improvements from the top ten vendors on patching vulnerabilities, spam volume has stabilized at low levels and we’ve seen a significant decrease in the area of portable document format (PDF) vulnerabilities. IBM believes that this area of improvement is directly related to the new technology of sandboxing provided by the Adobe® Reader X release.
Sandboxes are proving to be a successful investment from a security perspective. In the X-Force report, there was a significant drop in Adobe PDF vulnerability disclosures during the first half of 2012. This development coincides nicely with the adoption of Adobe® Reader X, the first version of Acrobat Reader released with sandboxing technology.
New and interesting to keep an eye towards
June 6th, 2012, IPv6 day took place. This year many companies and organizations implemented permanent IPv6 deployments. Interestly, X-Force data demonstrates that there are some businesses more IPv6 ready than others.
Web 2.0 sites, as well as governmental organizations, are the most IPv6-ready areas of the Internet. In addition, many non-governmental organizations, search engines, portals, IT-sites, news sites, and blogs are also well prepared.
However, websites with content such as illegal drug sites, anonymous proxies, pornography, and gambling sites are particularly not IPv6-ready.
So why are some websites dismissing IPv6 technology? One answer might be that many of the unwanted websites only exist for a few hours. This is particularly true for spam URLs, so these guys might want to avoid any additional technical efforts. Furthermore, the spammers want to reach as many users as possible, so there is no need to support IPv6, because everybody speaks” IPv4 but only a few groups can “speak” IPv6.
It will be interesting to see if there is a significant increase of IPv6 support in the next few months and years.
We encourage readers to not only check out the highlights listed here, but read the full report for contributions from our IBM Security colleagues.
To view the full X-Force 2012 Trend and Risk Report please visit: