    Hackers Escalate Web Site Attacks, Despite Decline in Security Vulnerabilities

    March 1, 2010 Alex Woodie

    Computer hackers and cyber criminals are successfully adapting their techniques to the Web in response to efforts by software vendors to crack down on security vulnerabilities in their products, according to a new security report from IBM’s X-Force team. In a separate report on enterprise security, Symantec found large companies are struggling to cope with the growth in and changing nature of cyber attacks, and plan to make extensive investments in security controls.

    Five years ago, hackers were actively exploring and exploiting vulnerabilities in products installed on nearly every Windows desktop. Microsoft, with hundreds, if not thousands, of vulnerabilities discovered across its Windows operating systems, Internet Explorer and Outlook, was hit particularly hard, but developers like Adobe, Real Networks, and Mozilla didn’t escape unscathed, either.

    Microsoft deserves a lot of credit for recognizing the problem and clamping down on vulnerabilities in its products, a process the vendor began in earnest in 2006. By 2008, the number of new vulnerabilities was starting to wane. But the gain was short-lived.

    Like in the game “Whack a Mole,” as soon as vendors fixed bugs and improved design, hackers found new ways to steal people’s information and money using the Internet.

    Instead of focusing on vulnerabilities in Windows applications, hackers raised the stakes by successfully infiltrating the servers and Web application frameworks of trusted companies. New techniques, such as cross-site scripting, SQL injection, and bot-net armies of infected “zombie” PCs, allowed cyber criminals to victimize tens of thousands of people with relative ease. As organized crime became involved, the attacks became more polished, and security-related losses skyrocketed.

    The trend largely continues today. According to IBM’s latest X-Force Trend and Risk Report, the number of new security vulnerabilities reported by software vendors decreased by 11 percent in 2009 compared to 2008. The incidence of critical unpatched vulnerabilities, sometimes called zero-day vulnerabilities, also declined. The use of malicious ActiveX components and SQL injection techniques dropped.

    That’s the good news. Now the bad news: While security problems in shrink-wrapped products declined, there was a 345 percent increase in security vulnerabilities in Web sites and Web applications. According to the X-Force report, 67 percent of the Web applications discovered to have security vulnerabilities during 2009 had not been patched by the end of the year. The most successful attack technique was cross-site scripting, which took the lead from SQL injection.

    So-called “social engineering” and “obfuscation” hacking techniques also continued to bear illicit fruit for cyber criminals. Instances of phishing, where hackers use trickery to lure victims to Web sites infected with malicious code, rose dramatically in the second half of 2009, according to the X-Force report. X-Force says it detected a 300 to 400 percent increase in attempts to hide, or obfuscate, exploit code in malicious Web sites.

    And in a throwback to the bad old days of the early 2000s, there was also a disturbing rise in vulnerabilities in document readers and editors; the Adobe PDF format was singled out by the X-Force team as having more than its share of security problems (not to mention problems with stability).

    If it sounds like information security is out of control, it is.

    “Providing enterprise security is excruciatingly difficult,” Symantec says in its new report, State of Enterprise Security 2010, which is based on a survey of 2,100 small, medium, and large companies around the world.

    According to the report, cyber attacks have become a daily occurrence for many companies; only 25 percent of survey respondents report they have not been attacked in the last 12 months. And despite throwing huge sums at the problem–the average large company employs 230 people dedicated to IT security–companies lost an average of $2.8 million last year due to lapses in security, according to the report.

    Covering the monetary losses of customers victimized by hackers is only part of the cost of poor security. While companies pay an average of $11,000 per person for a lost Social Security number or credit card number, the greatest threat for some is the loss of trust. “Who wants to do business with a company that cannot protect their customers’ information?” Symantec quotes one respondent as saying.

    It should come as no surprise, then, that cyber security is the number one priority this year for 42 percent of Symantec’s survey respondents, beating out traditional crime, terrorism, and natural disasters. Nearly half of companies surveyed said they will make “major changes” to their security controls in 2010; only 6 percent indicated their security controls would not change this year.

    Complicating IT security is the rapid growth in cloud computing and virtualization, Symantec says. What’s more, the alphabet soup of new security-related regulations, such as ISO, HIPAA, SOX, CIS, ITIL, and PCI DSS, comes at just the wrong time.

    So, what can a CIO do about the security problem? According to Symantec, the best approach to good enterprise security hasn’t changed. Here’s the storied security software vendor’s advice:

    1. Protect the infrastructure: implement endpoint security, secure messaging and Web servers, back up data, and get visibility into threats and the capability to respond quickly.
    2. Protect the information: catalog sensitive information, find out who has access to it, and track sensitive information as it comes and goes.
    3. Develop and enforce policies: a good security policy is the starting point for good security. Once a company has a policy, it becomes easier to identify threats and automate responses to them.
    4. Manage systems: good systems management leads to good security. Automate the process of applying patches to operating systems, and monitor the systems continuously.

    RELATED STORIES

    Web Site Vulnerabilities Continue Unabated, IBM X-Force Says

    Decline In Vulnerabilities Belies Threat Increase, Microsoft Says in New Security Report

    Surf’s Up for Web-Based Organized Crime, IBM X-Force Says

    Tags: mtfh_rc, Volume 19, Number 9, March 1, 2010