Turbotodd

WARNING: This is an exceptionally long post intended for security and privacy geeks everywhere, including sys admins, Internet security hawks, CIOs, and innocent but interested bystanders everywhere.  No web servers were hacked in the preparation of this report: at least, none by me!

Okay, troopers, it’s that time of year again.  You know, the time when IBM releases its report card for security incidents, the X-Force Trend and Risk Report.

Google has the search “Zeitgeist” every year, we have the security “poltergeist!”

This time around, we’re looking back at the wild and wacky 2011, a year which showed surprising improvements in several areas of Internet security. Improvements, you ask?  Surely you jest, Turbo.

This figure from the 2011 IBM X-Force Trend And Risk Report shows a steady decline in the instances of input control related vulnerabilities such as cross-site scripting (XSS) and SQL injection since X-Force began recording these statistics in 2007. In 2011, the statistics suggest that the likelihood of encountering XSS in a given test continues to decrease but shows signs of leveling out at approximately a 40 percent chance of occurring. Injection vulnerabilities and specifically SQL injection appears to have leveled out at around a 20 percent chance of occurring in a given test.

No, no, there IS some good news.  Like a reduction in application security vulnerabilities, exploit code and spam.

But, good news leads to less good news on this front, as many of you who follow security well know, because the bad guys are being forced to rethink their tactics by targeting more niche IT loopholes and emerging technologies such as social networks and mobile devices.

The Top Line: Less Spam, More Adaptation

To get specific, the X-Force 2011 Trend and Risk Report demonstrated a 50 percent decline in spam email compared to 2010.

2011’s poltergeist saw a diligent patching of security vulnerabilities by software vendors, with only 36 percent of those vulnerabilities remaining unpatched in 2011 (compared to 43 percent in 2010).  The year also saw a higher quality of software application code, as seen in web-app vulnerabilities called “cross-site scripting” that were half as likely to exist in clients’ software as they were four years ago.

So, the net is, the bad guys are adapting their techniques to the changing tech environment. The report uncovered a rise in emerging attack trends including mobile exploits, automated password guessing, and a surge in phishing attacks.

It also witnessed an increase in automated shell command injection attacks against web servers, which may well be a response to successful efforts to close off other kinds of Web app vulnerabilities.

The Security Landscape Glass Half Full: Decrease In Unpatched Vulnerabilities, Exploit Code, And Spam

Getting even more specific, according to the report, there are several positive trends as companies adjusted their security policies in 2011:

• Thirty percent decline in the availability of exploit code. When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30 percent fewer exploits were released in 2011 than were seen on average over the past four years. This improvement can be attributed to architectural and procedural changes made by software developers that help make it more difficult for attackers to successfully exploit vulnerabilities.
• Decrease in unpatched security vulnerabilities. When security vulnerabilities are publicly disclosed, it is important that the responsible software vendor provide a patch or fix in a timely fashion. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years. In 2011 this number was down to 36 percent from 43 percent in 2010.
• Fifty percent reduction in cross site scripting (XSS) vulnerabilities due to improvements in software quality. The IBM X-Force team is seeing significant improvement in the quality of software produced by organizations that use tools like IBM AppScan OnDemand service to analyze, find, and fix vulnerabilities in their code.  IBM found XSS vulnerabilities are half as likely to exist in customers’ software as they were four years ago. However, XSS vulnerabilities still appear in about 40 percent of the applications IBM scans. This is still high for something well understood and able to be addressed.
• Decline in spam. IBM’s global spam email monitoring network has seen about half the volume of spam email in 2011 that was seen in 2010. Some of this decline can be attributed to the take-down of several large spam botnets, which likely hindered spammers’ ability to send emails. The IBM X-Force team witnessed spam evolve through several generations over the past seven years as spam filtering technology has improved and spammers have adapted their techniques in order to successfully reach readers.

The Security Landscape Glass Half Empty: Attackers Adapt Their Techniques in 2011

Even with these improvements, there has been a rise in new attack trends and an array of significant, widely reported external network and security breaches.

This figure from the 2011 IBM X-Force Trend And Risk Report shows an increase in mobile operating system exploits in 2011 due to an uptick in malicious activity targeting mobile devices. Because of the two-tiered relationship between phone end users, telecommunications companies, and mobile operating system vendors, disclosed mobile vulnerabilities can remain unpatched on phones for an extended period of time, providing a large window of opportunity to attackers.

As malicious attackers become increasingly savvy, the IBM X-Force documented increases in three key areas of attack activity:

• Attacks targeting shell command injection vulnerabilities more than double. For years, SQL injection attacks against web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a website. As progress has been made to close those vulnerabilities – the number of SQL injection vulnerabilities in publicly maintained web applications dropped by 46 percent in 2011– some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on a web server. Shell command injection attacks rose by two to three times over the course of 2011. Web application developers should pay close attention to this increasingly popular attack vector.
• Spike in automated password guessing – Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet in which attacks scan the net for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell servers (SSH) in the later half of 2011.
• Increase in phishing attacks that impersonate social networking sites and mail parcel services – The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven’t been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.

Emerging Technologies Create New Avenues for Attacks

New technologies such as mobile and cloud computing continue to create challenges for enterprise security.

• Publicly released mobile exploits rise 19 percent in 2011. This year’s IBM X-Force report focused on a number of emerging trends and best practices to manage the growing trend of “Bring your Own Device,” or BYOD, in the enterprise. IBM X-Force reported a 19 percent increase over the prior year in the number of exploits publicly released that can be used to target mobile devices. There are many mobile devices in consumers’ hands that have unpatched vulnerabilities to publicly released exploits, creating an opportunity for attackers. IT managers should be prepared to address this growing risk.
• Attacks increasingly relate to social media – With the widespread adoption of social media platforms and social technologies, this area has become a target of attacker activity. IBM X-Force observed a surge in phishing emails impersonating social media sites. More sophisticated attackers have also taken notice. The amount of information people are offering in social networks about their personal and professional lives has begun to play a role in pre-attack intelligence gathering for the infiltration of public and private sector computing networks.
• Cloud computing presents new challenges – Cloud computing is moving rapidly from emerging to mainstream technology, and rapid growth is anticipated through the end of 2013. In 2011, there were many high profile cloud breaches affecting well-known organizations and large populations of their customers. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data. Cloud security requires foresight on the part of the customer as well as flexibility and skills on the part of the cloud provider. The IBM X-Force report notes that the most effective means for managing security in the cloud may be through Service Level Agreements (SLAs) because of the limited impact that an organization can realistically exercise over the cloud computing service. Therefore, careful consideration should be given to ownership, access management, governance and termination when crafting SLAs. The IBM X-Force report encourages cloud customers to take a lifecycle view of the cloud deployment and fully consider the impact to their overall information security posture.

The IBM X-Force 2011 Trend and Risk Report is based on intelligence gathered by one of the industry’s leading security research teams through its research of public vulnerability disclosures findings from more than 4,000 clients, and the monitoring and analysis of an average of 13 billion events daily in 2011.

“In 2011, we’ve seen surprisingly good progress in the fight against attacks through the IT industry’s efforts to improve the quality of software,” said Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force. “In response, attackers continue to evolve their techniques to find new avenues into an organization. As long as attackers profit from cyber crime, organizations should remain diligent in prioritizing and addressing their vulnerabilities.”

You can learn more about IBM Security Solutions here.