Hackers Escalate Web Site Attacks, Despite Decline in Security Vulnerabilities
March 1, 2010 Alex Woodie
Computer hackers and cyber criminals are successfully adapting their techniques to the Web in response to efforts by software vendors to crack down on security vulnerabilities in their products, according to a new security report from IBM's X-Force team. In a separate report on enterprise security, Symantec found that large companies are struggling to cope with the growth and changing nature of cyber attacks, and plan to make extensive investments in security controls.
Five years ago, hackers were actively exploring and exploiting vulnerabilities in products installed on nearly every Windows desktop. Microsoft, with hundreds, if not thousands, of vulnerabilities discovered across its Windows operating systems, Internet Explorer and Outlook, was hit particularly hard, but vendors like Adobe, Real Networks, and Mozilla didn't escape unscathed, either.
Microsoft deserves a lot of credit for recognizing the problem and clamping down on vulnerabilities in its products, a process the vendor began in earnest in 2006. By 2008, the number of new vulnerabilities was starting to wane. But the gain was short-lived.
Like in the game “Whack a Mole,” as soon as vendors fixed bugs and improved design, hackers found new ways to steal people’s information and money using the Internet.
Instead of focusing on vulnerabilities in Windows applications, hackers raised the stakes by successfully infiltrating the servers and Web application frameworks of trusted companies. New techniques, such as cross-site scripting, SQL injection, and botnet armies of infected "zombie" PCs, allowed cyber criminals to victimize tens of thousands of people with relative ease. As organized crime became involved, the attacks became more polished, and security-related losses skyrocketed.
The trend largely continues today. According to IBM's latest X-Force Trend and Risk Report, the number of new security vulnerabilities reported by software vendors decreased by 11 percent in 2009 compared to 2008. The incidence of critical unpatched vulnerabilities, sometimes called zero-day vulnerabilities, also declined. The use of malicious ActiveX components and SQL injection techniques dropped.
That’s the good news. Now the bad news: While security problems in shrink-wrapped products declined, there was a 345 percent increase in security vulnerabilities in Web sites and Web applications. According to the X-Force report, 67 percent of the Web applications discovered to have security vulnerabilities during 2009 had not been patched by the end of the year. The most successful attack technique was cross-site scripting, which took the lead from SQL injection.
So-called “social engineering” and “obfuscation” hacking techniques also continued to bear illicit fruit for cyber criminals. Instances of phishing, where hackers use trickery to lure victims to Web sites infected with malicious code, rose dramatically in the second half of 2009, according to the X-Force report. X-Force says it detected a 300 to 400 percent increase in attempts to hide, or obfuscate, exploit code in malicious Web sites.
And in a throwback to the bad old days of the early 2000s, there was also a disturbing rise in vulnerabilities in document readers and editors; the Adobe PDF format was singled out by the X-Force team as having more than its share of security problems (not to mention problems with stability).
If it sounds like information security is out of control, it is.
“Providing enterprise security is excruciatingly difficult,” Symantec says in its new report, State of Enterprise Security 2010, which is based on a survey of 2,100 small, medium, and large companies around the world.
According to the report, cyber attacks have become a daily occurrence for many companies; only 25 percent of survey respondents report they have not been attacked in the last 12 months. And despite throwing huge sums at the problem (the average large company employs 230 people dedicated to IT security), companies lost an average of $2.8 million last year due to lapses in security, according to the report.
Covering the monetary losses of customers victimized by hackers is only part of the cost of poor security. While companies pay an average of $11,000 per person for a lost Social Security number or credit card number, the greatest threat for some is the loss of trust. “Who wants to do business with a company that cannot protect their customers’ information?” Symantec quotes one respondent as saying.
It should come as no surprise, then, that cyber security is the number one priority this year for 42 percent of Symantec’s survey respondents, beating out traditional crime, terrorism, and natural disasters. Nearly half of companies surveyed said they will make “major changes” to their security controls in 2010; only 6 percent indicated their security controls would not change this year.
Complicating IT security is the rapid growth in cloud computing and virtualization, Symantec says. What's more, the alphabet soup of new security-related regulations and standards, such as ISO, HIPAA, SOX, CIS, ITIL, and PCI DSS, comes at just the wrong time.
So, what can a CIO do about the security problem? According to Symantec, the best approach to good enterprise security hasn’t changed. Here’s the storied security software vendor’s advice: