IBM in its X-Force security report for 2011 said security efforts have cut spam and improved vulnerability patching, but attackers are now targeting mobile devices and the cloud.
Cyber-criminals, increasingly stymied by better security
around traditional threats like spam and exploit codes, are changing gears and
focusing more of their efforts in such areas as mobile devices, social networks
and cloud computing, according to a report by IBM.
In Big Blues "X-Force 2011 Trend and Risk Report,"
released March 22, IBM found significant reductions in such Internet security
threats as spam and improvements in such areas as vulnerability patching and
software application code. However, in response to such developments,
cyber-criminals are now trying to find new ways to launch their attacks, as
well as relying on a well-worn method: phishing.
IBMs report is based on research of public vulnerability
disclosures findings from more than 4,000 clients and information gathered from
the monitoring of about 13 billion events a day in 2011.
In 2011, weve seen surprisingly good progress in the fight
against attacks through the IT industrys efforts to improve the quality of
software, Tom Cross, manager of threat intelligence and strategy for IBM
X-Force, said in a statement. "In response, attackers continue to evolve
their techniques to find new avenues into an organization. As long as attackers
profit from cyber-crime, organizations should remain diligent in prioritizing
and addressing their vulnerabilities."
Among the positives IBM saw in 2011 was a 50 percent drop in
spam, compared with 2010 levels, and better patching of security
vulnerabilities in software. Vendors left only 36 percent of software vulnerabilities
unpatched, compared with 43 percent in 2010. IBM officials said some of the
decline in spam probably came from authorities taking
down several large botnets, such as Rustock
There also was a higher quality of software application code,
IBM found. That was seen in Web application vulnerabilities called cross-site
scripting, which were half as likely to exist in clients software as they were
four years ago. There also was a 30 percent drop in the availability of exploit
code, which is released to help attackers when security vulnerabilities are
found. IBM attributes the decline to procedural and architectural changes by
software developers that make it more difficult for cyber-criminals to take
advantage of vulnerabilities that are disclosed.
But attackers are adapting in a number of ways, including
increasing their targeting of shell command injection vulnerabilities instead
of using SQL infection attacks against Web applications. The number of SQL
injection vulnerabilities in Web applicationssuch vulnerabilities enable
attackers to get into the databases behind the applicationsdropped 46 percent
in 2011. However, shell command injection attackswhich let cyber-criminals
execute commands directly on a Web servergrew by almost three times last year.
There also were increases in the second half of 2011 in both
automated password guessing and phishing attacks. In particular, phishing
attacks in the second half of the year hit levels that hadnt been seen since
2008, according to IBM, with many disguised as coming from social networking
sites and mail parcel services.
Mobile devices, social media and the cloud are areas of
emerging interest to attackers, according to IBM. There was a 19 percent
increase in 2011 in publically released exploits aimed at mobile devices. For
IT managers, that becomes a key concern, given the growing bring-your-own-device
, where employees are using their personal smartphones and
tablets to access corporate networks and data. IBM also saw a surge in phishing
attacks in social media sites, where users are increasingly offering
information about their personal and professional lives.
The rapid adoption of cloud computing is also a growing cause
for concern, and IBM recommended that IT administrators give a lot of thought
in deciding what data can be put into a public cloud and what should be left
inside the firewall, and how service level agreements (SLAs) are written.
"Many cloud customers using a service worry about the
security of the technology, Ryan Berg, an IBM security cloud strategist, said
in a statement. Depending upon the type of cloud deployment, most, if not all,
of the technology is outside of the customer's control. They should focus on
information security requirements of the data destined for the cloud, and
through due diligence, make certain their cloud provider has the capability to
adequately secure the workload."