Progress Being Made In IT Security War, IBM Says
April 2, 2012 Alex Woodie
IBM saw a reduction in application security vulnerabilities, exploit code, and spam last year as system makers and software developers tightened up their code, the vendor says in its latest X-Force report. When that attack surface got smaller, cybercriminals were forced to work their black magic in emerging areas, like social networking and mobile devices.
IBM’s semi-annual tally of the state of security identified some promising trends. On the spam front, it found a 50 percent decline in unsolicited commercial email compared to 2010. On the vulnerability front, it found that only 36 percent of previously identified vulnerabilities were still unpatched by the end of the year, compared to 43 percent in 2010. And Web applications are safer, with the number of applications vulnerable to cross-site scripting attacks down 50 percent compared with 2007.
Software developers, apparently, are getting the message on security.
“In 2011, we’ve seen surprisingly good progress in the fight against attacks through the IT industry’s efforts to improve the quality of software,” Tom Cross, manager of threat intelligence and strategy for IBM X-Force, said in a press release. “In response, attackers continue to evolve their techniques to find new avenues into an organization.”
But it wasn’t all puppies and rainbows in 2011, as cyber attackers found other ways to cause havoc. SQL injection attacks, in particular, continue to be a thorn in the side of Web applications due to the availability of automated tools. IBM also detected a 200 to 300 percent jump in so-called “shell injection” attacks from January to December. And toward the end of the year, IBM researchers noticed a spike in SSH password cracking attempts.
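The spike in SSH password-cracking attempts that IBM's researchers noticed is the kind of thing a defender can catch from ordinary sshd logs. The following is an added example, not code from the article or from IBM's report: it parses syslog-style "Failed password" lines and flags any source address that racks up a burst of failures inside a sliding window. The log lines, the threshold of five failures and the 60-second window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd entries in syslog format. These lines are made up
# for this example; they are not taken from the article or from IBM's report.
SAMPLE_LOG = """\
Dec 14 03:12:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Dec 14 03:12:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Dec 14 03:12:04 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51131 ssh2
Dec 14 03:12:06 bastion sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Dec 14 03:12:07 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 51141 ssh2
Dec 14 03:12:09 bastion sshd[2211]: Failed password for invalid user guest from 203.0.113.7 port 51150 ssh2
Dec 14 03:15:30 bastion sshd[2290]: Failed password for alice from 198.51.100.23 port 40012 ssh2
Dec 14 03:15:41 bastion sshd[2292]: Accepted password for alice from 198.51.100.23 port 40012 ssh2
Dec 14 04:01:00 bastion sshd[2400]: Failed password for root from 192.0.2.99 port 60001 ssh2
Dec 14 04:30:00 bastion sshd[2450]: Failed password for root from 192.0.2.99 port 60002 ssh2
Dec 14 05:00:00 bastion sshd[2500]: Failed password for root from 192.0.2.99 port 60003 ssh2
"""

# Matches the standard OpenSSH failure message; "invalid user" appears when the
# account does not exist, which is common when attackers guess usernames.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(lines, year=2011):
    """Return (timestamp, user, ip) tuples for every 'Failed password' line.

    Syslog timestamps carry no year, so one is supplied by the caller; the
    constructed sample assumes 2011.
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def detect_bursts(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures in any sliding window.

    Returns {ip: {"failures_in_window", "users", "first", "last"}} where
    failures_in_window is the largest burst seen and users is the set of
    account names that address tried.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> usernames attempted so far
    alerts = {}
    for ts, user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        # Drop failures that fell out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"failures_in_window": 0, "first": q[0],
                                       "last": ts, "users": set()})
            a["failures_in_window"] = max(a["failures_in_window"], len(q))
            a["last"] = ts
            a["users"] = tried[ip]
    return alerts


if __name__ == "__main__":
    found = detect_bursts(parse_failed_logins(SAMPLE_LOG.splitlines()))
    for ip, info in found.items():
        print(f"{ip}: {info['failures_in_window']} failures in {60}s, "
              f"accounts tried: {sorted(info['users'])}")
```

On the sample, only 203.0.113.7 trips the detector: six failures against five different accounts in eight seconds. Alice's single mistyped password and the slow three-guesses-an-hour attempt from 192.0.2.99 stay quiet, which is the caveat with any burst rule: a low-and-slow guesser needs a second detector keyed on distinct usernames per source over hours, not seconds.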
And while IT vendors got better at preventing vulnerabilities, IT users seemed to have gotten worse. IBM declared 2011 “the year of the security breach” last summer due to the large number of high profile and highly public breaches. IBM says the breaches were notable not only for their frequency but for the supposed security competency of the victims. Companies with security breaches last year included RSA, Sony, Citigroup, Epsilon, Lockheed Martin, and Northrop Grumman. (As we go to press on Friday, credit card service providers Visa and MasterCard are warning downstream banks that link into their networks that there has been a massive security breach, perhaps an inside job, that might expose millions of credit cards to easy cloning.)
The decline in vulnerabilities sits oddly alongside the rise in security breaches, and raises the question: Are cybercriminals getting smarter than the IT professionals charged with securing their company’s IT systems? Or maybe we’re just expecting too much from the security pros?
It may be the latter. In February, security software firm LogRhythm declared that 75 percent of security professionals “lack confidence in their ability to address cyber threats.” The number is the result of an unscientific study of only 200 people who answered a questionnaire online. But it does hint at the existence of a skills gap when it comes to defending corporate IT systems.
Just as the tools and tactics are changing in the ongoing IT cyber war, so is the battleground. In the future, corporate security pros will need to focus a lot more on social media and mobile computing than they are now–especially as corporations continue to connect their core business systems to mobile devices and social networking tools.
IBM identified mobile devices as a major security concern in last October’s 2011 mid-year X-Force report, and the concern continues today. The number of vulnerabilities declined slightly in 2011 but the rate of exploits rose quite a bit. Couple that with the huge growth in mobile platforms and the fact that very few mobile users run anti-malware software on their devices, and you have very attractive conditions for cybercriminals.
Cybercriminals are also finding social media a lucrative place to find and exploit new victims. More than 1 billion people are now using social media, which has become the number one online activity, surpassing the use of search engines like Google, according to IBM. Frauds and scams that criminals used to run via email are finding fresh life on social media websites. And it should come as no surprise that the prodigious amount of private information that people are putting out in the public realm is also being used by the cyber-crooks to research their targets.
A successful social media hack will include several tools in a cybercriminal’s bag of evil tricks, including social engineering, spear-phishing, and exploitation of a zero-day software vulnerability. The social-engineering phase involves building rapport with the victim by connecting with them (i.e. “friending” them) via fake (but plausible-sounding) accounts on social websites such as Facebook or LinkedIn. Once the predator has connected with his prey, he takes out his spear-phishing gear. He sends the victim an email that touts something plausible, such as a job-vacancy posting for a company the victim may be interested in working for. Instead of a job posting, of course, the link leads to a malicious website that the attacker has loaded with the code needed to exploit a vulnerability in the victim’s computer.
The problem with social engineering attacks is that no amount of software can prevent them. The only way to fight social engineering attacks is to educate users and institute a “default deny” mentality. That may limit the popularity of users among their social media “friends,” but it will also protect them from falling victim to cybercriminals.
For a copy of the X-Force 2011 Trend and Risk Report, see www.ibm.com/security/xforce.