The Good: Overall phishing declined in 2010. Medium-good: More vulnerabilities were identified, but organizations were proactively finding them. The bad: There were more targeted attacks.
Cyber-criminals shifted focus in 2010 to launch more
sophisticated targeted attacks, IBM said in a new report. In short, 2010 was
the year cyber-attacks became more about quality rather than quantity.
While there was an increase in new vulnerabilities, exploits
and types of attacks in 2010, more vulnerabilities were being identified before
they could be attacked, according to IBM's X-Force 2010 Trend and Risk Report,
released March 31. The increase in vulnerability reports were partly the result
of organizations proactively trying to identify bugs in software, the
researchers said in the report.
Overall, 2010 was a more dangerous year, with more vulnerabilities
and exploits than in 2009. As computing environments increased in complexity,
so did the threat landscape, as the number of sophisticated attacks being
launched expanded. More than 8,000 new vulnerabilities-or 27 percent more than
2009-were found in 2010, and exploit releases increased 21 percent, the report
to Zeus Botnets to mobile exploits, a
widening variety of attack methodologies is popping up each day," said Tom
Cross, a threat intelligence manager at IBM X-Force.
The high-profile targeted attacks in 2010 were launched by
highly sophisticated cyber-criminals who were likely well-funded and well-aware
of hidden vulnerabilities, according to the report.
However, phishing attacks have declined significantly,
according to the report. While there is still a fair amount of them, there is
less than a quarter of the volume compared to 2009 and 2008, the IBM X-Force
researchers found. However, current phishing attempts are more likely to be
spear phishing, or very targeted attacks, the report said. Cyber-criminals put
in the effort to create complicated and targeted attacks on specific types of
victims in 2010, according to the report.
While the researchers viewed the rise in the number of
vulnerabilities found and reported as a fairly positive development, they were
concerned that 44 percent of those reported vulnerabilities did not have a
vendor-supplied patch by the end of 2010.
The report also highlighted the challenges IT departments
are facing in securing mobile devices in the workplace. While attacks were not
widely prevalent in 2010, the biggest mobile threat appears to be data loss,
according to the report. IT professionals are most concerned about how data on
these devices can be lost or misused than about actual malware, the researchers
said. However, there was a rise in vulnerability disclosures and exploits,
especially in regards to jailbreaking, the report found.
Mobile security best practices are currently evolving, and
emphasize enhanced password management and data encryption capabilities, the
As cloud adoption increased, cloud providers focused on
their security credentials, such as baking in security features in to the cloud
infrastructure from the beginning, the report found. Even though security is
still considered an inhibitor to cloud adoptions, the researchers predicted
that as cloud security capabilities mature, organizations will start moving to
the cloud in order to get better security than what is available in-house.
The growth rate for spam leveled off by the end of 2010.
This may have been the result of a number of large botnet takedowns in the
second half of 2010. Spammers may be focusing their efforts on making sure spam
can bypass filters instead of just pumping up the volume, the researchers
The report noted the increased number of security threats in
Europe compared to previous years. Nearly a quarter of all financial phishing
e-mails targeted European banks in 2010, the report found. The United Kingdom,
Germany, Ukraine and Romania were also among the top 10 countries sending spam
"Staying ahead of these growing threats and designing
software and services that are secure from the start has never been more
critical," Cross said.