IBM X-Force Report Reveals a Record Number of Vulnerabilities in 2016

The newly-released 2017 IBM X-Force Threat Intelligence Index report found a 566 percent increase in the number of compromised data records as the total number of security vulnerabilities surpassed 10,000 for the first time.

Data Flaw Record

2016 was a particularly active year for cyber-security —that is if you look at it in terms of breached records and disclosed vulnerabilities. IBM released its X-Force Threat Intelligence Index 2017 on March 29, reporting a record high number of disclosed software vulnerabilities and breached data records.

Since 1997, IBM's X-Force vulnerability database has been tracking public disclosures of software vulnerabilities. In 2016, IBM tracked 10,197 software vulnerabilities, marking a new record high and the first time the number has ever exceeded 10,000.

Adding insult to injury, IBM reported that more than 4 billion data records were lost in data breaches, marking a 566 percent year-over-year in increase in the total number of data record that were compromised.

While the number of data records lost in 2016 seems high, the actual number of stolen records could well be even higher. Diana Kelley, Global Executive Security Advisor at IBM Security, explained that X-Force analysts monitor publicly disclosed breaches throughout the year, including open source intelligence, databases and global news sources. All the reported breaches are vetted and tracked through IBM's X-Force Interactive Security Incidents tool throughout the year. 

"That said, there is no way to capture the full number of breaches that occur as many of them are not publicly disclosed," Kelley told eWEEK. "Each country has different laws concerning the public disclosure of data breaches, so many breaches and incidents go unreported."

Kelley also noted that there are other types of security incidents, such as denial of service attacks which don’t involve the direct loss of data, or those in which the amount of leaked data can't be quantified.

"Taking this into account, the full measure of security incidents and leaked data is likely much higher than the amount that is publicly disclosed each year," she added.

The report also showed that attackers shifted their attack tactics in 2016 and that cyber-thieves are just going after credit card data anymore.

"What really surprised me in the 2016 report compared to years past is that this year we saw a marked shift in the data the attackers were targeting as part of data breaches, "Kelley said.

Kelley commented that rather that just attempting to steal credit card information and social security numbers, attackers in 2016 went after more complex information like email archives and private documents, in addition to the traditional personally identifiable information. She added that the goal of attackers has increasingly been to leverage the stolen information for blackmail and power advantages over individuals or organizations.

Ransomware

"2016 was without a question the year of ransomware," Kelley said.

She noted that one way to illustrate why 2016 was the year of ransomware is the large increase in the percentage of spam emails with ransomware attachments, which increased from a mere 0.6 percent in 2015, to nearly 40 percent of all spam messages sent in 2016, according to a separate IBM X-Force analysis.

"We also saw reports from the FBI that in the first three months of 2016, cyber-criminals were paid a reported $209 million via ransomware," Kelley said. "This would put criminals on pace to make nearly $1 billion from their use of the malware just last year."

Looking out to next year's X-Force report, Kelley said that one thing that IBM would like to see is

a decline in the number of breaches. However based on historical trends, she admitted that’s unlikely to happen in the near term.

"Additionally, I would hope to see wider gaps between the number of attempted and successful attacks," Kelley said. "Continued training and awareness around traditional attack methods and tactics cyber-criminals use, as well as having a proper incident response plan in place can help that hope become a reality.

"As more organizations adopt advanced monitoring tools with cognitive and machine-learning capabilities, we expect to see earlier detection and organizational preparedness help lower the overall number of records breached," she said.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.