Volume 19, Number 9 -- March 1, 2010

Hackers Escalate Web Site Attacks, Despite Decline in Security Vulnerabilities

Published: March 1, 2010

by Alex Woodie

Computer hackers and cyber criminals are successfully adapting their techniques to the Web in response to efforts by software vendors to crack down on security vulnerabilities in their products, according to a new security report from IBM's X-Force team. In a separate report on enterprise security, Symantec found large companies are struggling to cope with the growth in and changing nature of cyber attacks, and plan to make extensive investments in security controls.

Five years ago, hackers were actively exploring and exploiting vulnerabilities in products installed on nearly every Windows desktop. Microsoft, with hundreds, if not thousands, of vulnerabilities discovered across its Windows operating systems, Internet Explorer, and Outlook, was hit particularly hard, but developers like Adobe, RealNetworks, and Mozilla didn't escape unscathed, either.

Microsoft deserves a lot of credit for recognizing the problem and clamping down on vulnerabilities in its products, a process the vendor began in earnest in 2006. By 2008, the number of new vulnerabilities was starting to wane. But the gain was short-lived.

As in the game "Whack-a-Mole," as soon as vendors fixed bugs and improved their designs, hackers found new ways to steal people's information and money over the Internet.

Instead of focusing on vulnerabilities in Windows applications, hackers raised the stakes by successfully infiltrating the servers and Web application frameworks of trusted companies. New techniques, such as cross-site scripting, SQL injection, and botnet armies of infected "zombie" PCs, allowed cyber criminals to victimize tens of thousands of people with relative ease. As organized crime became involved, the attacks became more polished, and security-related losses skyrocketed.

The trend largely continues today. According to IBM's latest X-Force Trend and Risk Report, the number of new security vulnerabilities reported by software vendors decreased by 11 percent in 2009 compared to 2008. The incidence of critical unpatched vulnerabilities, sometimes called zero-day vulnerabilities, also declined. The use of malicious ActiveX components and SQL injection techniques dropped.

That's the good news. Now the bad news: While security problems in shrink-wrapped products declined, there was a 345 percent increase in security vulnerabilities in Web sites and Web applications. According to the X-Force report, 67 percent of the Web applications discovered to have security vulnerabilities during 2009 had not been patched by the end of the year. The most successful attack technique was cross-site scripting, which took the lead from SQL injection.

So-called "social engineering" and "obfuscation" hacking techniques also continued to bear illicit fruit for cyber criminals. Instances of phishing, where hackers use trickery to lure victims to Web sites infected with malicious code, rose dramatically in the second half of 2009, according to the X-Force report. X-Force says it detected a 300 to 400 percent increase in attempts to hide, or obfuscate, exploit code in malicious Web sites.

And in a throwback to the bad old days of the early 2000s, there was also a disturbing rise in vulnerabilities in document readers and editors; the Adobe PDF format was singled out by the X-Force team as having more than its share of security problems (not to mention problems with stability).

If it sounds like information security is out of control, it is.

"Providing enterprise security is excruciatingly difficult," Symantec says in its new report, State of Enterprise Security 2010, which is based on a survey of 2,100 small, medium, and large companies around the world.

According to the report, cyber attacks have become a daily occurrence for many companies; only 25 percent of survey respondents report they have not been attacked in the last 12 months. And despite throwing huge sums at the problem--the average large company employs 230 people dedicated to IT security--companies lost an average of $2.8 million last year due to lapses in security, according to the report.

Covering the monetary losses of customers victimized by hackers is only part of the cost of poor security. While companies pay an average of $11,000 per person for a lost Social Security number or credit card number, the greatest threat for some is the loss of trust. "Who wants to do business with a company that cannot protect their customers' information?" Symantec quotes one respondent as saying.

It should come as no surprise, then, that cyber security is the number one priority this year for 42 percent of Symantec's survey respondents, beating out traditional crime, terrorism, and natural disasters. Nearly half of companies surveyed said they will make "major changes" to their security controls in 2010; only 6 percent indicated their security controls would not change this year.

Complicating IT security is the rapid growth in cloud computing and virtualization, Symantec says. What's more, the alphabet soup of new security-related regulations and standards, such as ISO, HIPAA, SOX, CIS, ITIL, and PCI DSS, comes at just the wrong time.

So, what can a CIO do about the security problem? According to Symantec, the best approach to good enterprise security hasn't changed. Here's the storied security software vendor's advice:

  1. Protect the infrastructure--implement endpoint security, secure messaging and Web servers, back up data, and get visibility into threats along with the capability to respond quickly.
  2. Protect the information--catalog sensitive information, find out who has access to it, and track sensitive information as it comes and goes.
  3. Develop and enforce policies--a good security policy is the starting point for good security. Once a company has a policy, it becomes easier to identify threats and automate responses to them.
  4. Manage systems--good systems management leads to good security. Automate the process of applying patches to operating systems, and monitor the systems continuously.


RELATED STORIES

Web Site Vulnerabilities Continue Unabated, IBM X-Force Says

Decline In Vulnerabilities Belies Threat Increase, Microsoft Says in New Security Report

Surf's Up for Web-Based Organized Crime, IBM X-Force Says

Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Brian Kelly, Shannon O'Donnell,
Mary Lou Roberts, Victor Rozek, Kevin Vandever, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2010 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
