Phishing Declined in 2010 as Overall Vulnerabilities Rose: IBM

The Good: Overall phishing declined in 2010. Medium-good: More vulnerabilities were identified, but organizations were proactively finding them. The bad: There were more targeted attacks.

Cyber-criminals shifted focus in 2010 to launch more sophisticated targeted attacks, IBM said in a new report. In short, 2010 was the year cyber-attacks became more about quality rather than quantity.

While there was an increase in new vulnerabilities, exploits and types of attacks in 2010, more vulnerabilities were being identified before they could be attacked, according to IBM's X-Force 2010 Trend and Risk Report, released March 31. The increase in vulnerability reports were partly the result of organizations proactively trying to identify bugs in software, the researchers said in the report.

Overall, 2010 was a more dangerous year, with more vulnerabilities and exploits than in 2009. As computing environments increased in complexity, so did the threat landscape, as the number of sophisticated attacks being launched expanded. More than 8,000 new vulnerabilities-or 27 percent more than 2009-were found in 2010, and exploit releases increased 21 percent, the report said.

"From Stuxnet to Zeus Botnets to mobile exploits, a widening variety of attack methodologies is popping up each day," said Tom Cross, a threat intelligence manager at IBM X-Force.

The high-profile targeted attacks in 2010 were launched by highly sophisticated cyber-criminals who were likely well-funded and well-aware of hidden vulnerabilities, according to the report.

However, phishing attacks have declined significantly, according to the report. While there is still a fair amount of them, there is less than a quarter of the volume compared to 2009 and 2008, the IBM X-Force researchers found. However, current phishing attempts are more likely to be spear phishing, or very targeted attacks, the report said. Cyber-criminals put in the effort to create complicated and targeted attacks on specific types of victims in 2010, according to the report.

While the researchers viewed the rise in the number of vulnerabilities found and reported as a fairly positive development, they were concerned that 44 percent of those reported vulnerabilities did not have a vendor-supplied patch by the end of 2010.

The report also highlighted the challenges IT departments are facing in securing mobile devices in the workplace. While attacks were not widely prevalent in 2010, the biggest mobile threat appears to be data loss, according to the report. IT professionals are most concerned about how data on these devices can be lost or misused than about actual malware, the researchers said. However, there was a rise in vulnerability disclosures and exploits, especially in regards to jailbreaking, the report found.

Mobile security best practices are currently evolving, and emphasize enhanced password management and data encryption capabilities, the researchers said.

As cloud adoption increased, cloud providers focused on their security credentials, such as baking in security features in to the cloud infrastructure from the beginning, the report found. Even though security is still considered an inhibitor to cloud adoptions, the researchers predicted that as cloud security capabilities mature, organizations will start moving to the cloud in order to get better security than what is available in-house.

The growth rate for spam leveled off by the end of 2010. This may have been the result of a number of large botnet takedowns in the second half of 2010. Spammers may be focusing their efforts on making sure spam can bypass filters instead of just pumping up the volume, the researchers speculated.

The report noted the increased number of security threats in Europe compared to previous years. Nearly a quarter of all financial phishing e-mails targeted European banks in 2010, the report found. The United Kingdom, Germany, Ukraine and Romania were also among the top 10 countries sending spam in 2010.

"Staying ahead of these growing threats and designing software and services that are secure from the start has never been more critical," Cross said.