Archive for March 2013
Batten Down The Hatches! IBM’s X-Force 2012 Trend And Risk Report
It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.
Click to enlarge. Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosed in 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.
But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued their upward trajectory.
At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.
What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.
That said, recent developments have indicated that while these dangers still exist, and X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure software mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.
Click to enlarge. The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed,
they have become a favorite target of scam and phishing.
Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.
Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India claiming the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts continue to fool end users with crafty social-engineering email messages that look like legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.
Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.
Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.
Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.
Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.
Click to enlarge. The values for the evaluated threat and residual threat can be determined by comparing the likelihood or frequency of a threat occurring (high, medium, low) against the damage impact that could happen if the threat occurred (catastrophic, high, medium, low). The goal is to implement mitigation processes that either reduce the frequency of the threat occurring or reduce the impact if the threat does occur. A requirement for this to be successful is to have a specific, designated monitoring mechanism to monitor the implementation of the treatment processes and for the appearance of the threats.
2012 X-Force Trend And Risk Report Highlight
Malware and the malicious web
- In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
- Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
- The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique assisted in much higher connected uptime as well as having more bandwidth than home PC’s to carry out the attacks. In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
- IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
- IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
- Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity—the primary target of which are Java vulnerabilities—and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
- Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment. Web content trends, spam, and phishing Web content trends Top used websites are readily deployed as IPv6- ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
- One third of all web access is done on websites which allow users to submit content such as web applications and social media.
- Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.
Spam and phishing
- Spam volume remained nearly flat in 2012.
- India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
- At the end of 2012, IBM reports that traditional spam is on the retreat, while scam and spam containing malicious attachments is on the rise. In addition, attackers are demonstrating more resiliency to botnet take downs which results in an uninterrupted flow of spam volume.
Operational Security Practices
Vulnerabilities and exploitation
- In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
- Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
- Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. Cross-site scripting dominated the web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related. This is the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerabilities enjoyed a higher rate than 2011 but were still down significantly since 2010.
- There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
- Web browser vulnerabilities declined slightly for 2012, but not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical severity web browser vulnerabilities saw an increase of 59% for the year.
- Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities has provided attackers and security professionals alike with information useful for enhancing their activities.
- Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.
Emerging Trends In Security
Mobile
- Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
- Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in use or adoption could be the result of greater numbers of devices driving greater risk in the percentage of personally owned mobile devices versus personally owned PCs in a BYOD program.
- In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
- Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.
To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.
Tiger’s New Old Game
The last time Tiger Woods was the number one ranked golfer in the world was October 2010. That’s a grand total of 29 months ago.
That all changed this week at Arnold Palmer’s Bay Hill Invitational, which Tiger Woods won running away at -13. That’s Woods’ eighth time to win the same PGA tournament.
Justin Rose gave Woods his best, but faltered on Saturday before attempting a comeback on Monday’s round (after torrential storms in and around Orlando postponed play on Sunday), and Ricky Fowler tried to match Woods’ performance in the final grouping, but Woods’ irons were too much for Fowler and all the “chasers.”
And then there was Woods’ putting, which was nothing short of masterful. For the week, he made 19 of 28 putts between 7 and 20 feet. It was like the Tiger of old — the golf ball seemed to just follow a line from Woods’ putter to the middle of the hole, over and over and over again.
You could hear professional golfers around the globe simply deflate with each stroke of Tiger’s Nike Method putter.
So, Tiger has now won 77 PGA Tour wins, only 5 away from legend Sam Snead’s 82.
And then there’s The Masters coming up in Augusta in mid-April, the golfing equivalent of the Super Bowl.
You think a few odds makers in Vegas now have Tiger to win this year’s Masters?
Not that I would ever gamble on such a thing, but money does talk, and in this case, online casino Bovada already has Tiger at 11/4 odds to take this year’s green jacket.
But since this is a data driven, technology-oriented blog, let’s look at a few more numbers.
Bleacherreport’s Ryan Rudnansky observes that in 2010, Tiger ranked 109th in putting (strokes gained). 45th in 2011. 36th last year. And this year?
You got it? Numero uno.
At Doral, he recorded just 100 putts for the 72 holes, the lowest putting mark in his career.
Oh, yes, and he’s won three times this year in four stroke-play tournaments (we’ll disregard his nasty bit of business at the Accenture Match Play, where Charles Howell III ousted him in the first match).
Is Tiger’s taking the Master’s in two weeks a done deal?
Of course not.
Would I pick him over all the other players in the field?
What do you think?
A Mobile Summary
I’m going to have to start naming this “Mobile Monday.”
Because on Mondays, it seems like there’s always something of import to occur within the mobile space.
I guess one could say that for every other day of the week, and maybe it just seems more notable to me on Mondays.
In today’s case, it was Yahoo’s announced acquisition of Summly, a mobile app that has a unique algorithm which helps summarize news stories and which was started by a 15 year-old programmer, Nick D’Alosio. The Summly took Apple’s “Best Apps of 2012” award for Intuitive Touch capability.
So of course the first thing that will happen post acquisition is that the app will be REMOVED from the App Store starting today.
Does that seem counterintuitive or is it just me?
Kid writes app, app receives a gazillion downloads, Yahoo buys app, makes kid rich, Yahoo removes app from App Store.
Only in the tech industry.
The idea, of course, being that someday soon the capabilities of Summly will find themselves embedded in other Yahoo apps. Yeah, and I’ve got some great swamp land in south Florida that I’d like to show you.
Turbo recently shelled out a little over a hundred bucks for the daskeyboard Professional Model S. This keyboard features Mac-specific functions such as media controls, brightness controls, command and alt/option keys, eject and clear keys. The Professional Model S for Mac is “plug and play” with Mac computers and updated to also include media controls.
On the topic of mobile, nobody’s ever really created a good mobile Bluetooth keyboard that’s portable and, preferably, folds up…and I’ve tried just about all of them…Kickstarter, anyone?
But I am VERY happy with my new daskeyboard keyboard, which I’m going to tell you all about now.
When I’m working at home, it’s like hearing a machine gun emanating from my office (They don’t call me Turbo for nothin’, and it mostly had to do with my typing speed…How else would you expect me to be able to generate all these blog posts!?)
I saw daskeyboards for the first time last year at SXSW, but I was able to contain my credit card. This year, I decided to jump in headfirst.
With a discount, I was able to get the daskeyboard Pro Model S for about $100, and though that might seem like a lot for a keyboard, when you spend as much time every day in front of a computer as I do, it seemed like a pretty good investment at the time — and that turned out to be the case.
Remember those original IBM AT and XT (and later, PS/2) computers where you could use those clickety-clack Model M keyboards? Well, daskeyboard has reinvented that PC keyboarding past, and you can now go clickety-clack at 90 words per minute with the lightest, softest, but clickiest touch you can imagine.
Only this time, you can do it on both Macs and PCs, and you can do it all in black.
IBM Helps ING DIRECT Canada Connect with Mobile, Social Customers
ING DIRECT Canada’s mobile application, developed with IBM, delivers customers with a dashboard view based on their most frequent banking activities.
IBM is making a fast start with its new “Mobile First” initiative, which is intended to help companies around the world bring all their resources together to strengthen customer engagement, whenever and wherever the customer wants, and on the customer’s favorite device, which is increasingly a mobile one.
IBM client ING DIRECT Canada is applying a “smarter commerce” approach to consumer banking with IBM’s help in meeting the growing expectations of its 1.8 million customers.
IBM announced today that it is working with the online bank to deliver innovative financial services that improve ING DIRECT’s customer experience including simplified account access across mobile devices and social media channels, voice recognition, and advanced security.
ING DIRECT Canada’s mobile application, developed with IBM, delivers customers with a dashboard view based on their most frequent banking activities.
Based on IBM software and services, these innovations support ING DIRECT’s Orange Snapshot initiative, designed to provide its clients greater control to manage their accounts within their increasingly mobile and social lifestyle.
Orange Snapshot gives mobile consumers a complete and simplified view of all their accounts, as well as bill payment and email money transfers, in two easy clicks.
This allows consumers to sign on once from their mobile device, saving time and aggravation from multiple log-ins.
Working with IBM, the bank’s latest mobile innovation allows clients to easily and securely access their ING DIRECT account information from within Facebook’s social networking site.
Clients who opt-in to this app are able to view their account balances, history and pending transactions as well as receive account notifications — real time messages automatically pushed to them within Facebook.
With security and privacy always top of mind, ING DIRECT plans to expand this application further to include transactions such as transfers, bill payments and email money transfers.
Furthermore, ING DIRECT allows clients to share their experiences through Facebook and Twitter to make saving money more intriguing.
In a recent survey, ING DIRECT learned that 52 percent of consumers were able to forego non-essential purchases when they could better visualize the impact of their spending habits.
IBM’s Smarter Commerce initiative is designed to help businesses better connect with the rising tide of digital consumers who prefer to buy through online, mobile and social channels.
It is estimated that there are more smartphones on the planet than humans. According to IDC, by 2016, more than 10 billion smartphones will be in use around the globe. In Canada, more than half of smartphone users bank from their devices — and that number grows higher when looking at users between the ages 18-34.
ING DIRECT continues to work with IBM in seeking new ways to connect to mobile applications in order to advance sales, manage secure transactions, and provide new insights about clients.
The bank has begun experimenting with new voice recognition capabilities on their mobile apps that will allow clients to conduct simple banking transactions by speaking rather than typing or the application can read account information to the customer.
ING DIRECT is also exploring the use of biometrics within their mobile apps for purposes such as client login to improve the client experience while maintaining the highest standards of security. Internal pilots are already yielding positive outcomes.
Recently, Forrester Research, Inc. recognized IBM as a leader in enterprise mobility services, according to the February 2013 report The Forrester Wave TM: Enterprise Mobility Services, Q1 2013.
Based on an analysis of 13 global leaders’ enterprise mobility capabilities and how they stack up, the report indicates that IBM “brings clients a world-class design agency combined with breadth and depth of enterprise mobility consulting both in terms of technology capabilities and global presence.”
You can go here to learn more about IBM’s “Mobile First” initiative.
Six Keys To Effective Reputational And IT Risk Management
In September of last year, I blogged about the IBM 2012 Global Reputational Risk and IT Study, which I explained was an “investigation of how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of their operations and where IT failures can result in reputational damage.”
I also wrote “corporate reputations are especially difficult to manage in an era when anyone with a smartphone and Internet connection can file their complaint with a single touch.”
That continues to be the case, but what’s new is that IBM has recently issued another report on further implications of this study and its findings, and more importantly, what organizations can do to get on offense when it comes to better managing their corporate reputation.
The Connection Between Reputational Risk And IT
When the corporate world first began paying attention to the concept of reputational risk in 2005, organizations’ focus tended to be on business issues like compliance and financial misdoings.
Today, the focus has shifted to include the reputational impact of IT risks. Virtually every company is now reliant on technology for its critical business processes and interactions. While it may take 10 minutes or 10 hours to recover from an IT failure, the reputational impact can be felt for months or even years.
Reputational damage caused by IT failures such as data breaches, systems failures and data loss now has a price tag. According to analyses performed by the Ponemon Institute, the economic value of a company’s reputation declines an average of 21 percent as a result of an IT breach of customer data — or the equivalent of an average of US $332 million.
The question now is not whether IT risks affect your corporate reputation, but what you can do to effectively prevent and mitigate these risks.
Six Keys To Effective Reputational And IT Risk Management
An analysis of responses to the IBM study revealed distinct correlations between the initiatives that organizations are undertaking to protect their reputations from the ramifications of IT failures and the overall effectiveness of their reputational and IT risk management efforts.
Based on this analysis, and the pattern it revealed among organizations that are most confident in their ability to prevent and mitigate IT-related reputational risk, there are six key initiatives that IBM recommends as part of every company’s efforts:
- Put someone in charge. Ultimate responsibility for reputational risk, including IT-related items, should rest with one person.
- Make the compliance and reputation connection. Measuring reputational and IT risk management strategies against compliance requirements is essential.
- Reevaluate the impact of social media. In addition to recognizing its potential for negative reputational impact, social media should be leveraged for its positive attributes.
- Keep an eye on your supply chain. Organizations must require and verify adherence of third-party suppliers to corporate standards.
- Avoid complacency. Organizations should continually evaluate reputational and IT risk management against strategy to find and eliminate potential gaps.
- Fund remediation; invest in prevention. For optimal reputational risk mitigation, companies need to fund critical IT systems as part of their core business
How IBM Can Help
When planned and implemented effectively, your organization’s reputational and IT risk strategy can become a vital competitive advantage. When you protect against and mitigate reputational risks successfully, you can enhance brand value in the eyes of customers, partners and analysts. Further, your organization can better attract new customers, retain existing customers and generate greater revenue.
IBM can help you protect your reputation with a robust portfolio of IT security, business continuity and resiliency, and technical support solutions. You can start with an IT security risk assessment, or penetration testing performed by IBM experts.
For business continuity and resiliency, you can begin with a Continuous Operations Risk Evaluation (CORE) Workshop and move on to cloud-based resiliency services. Our technical support solutions range from basic software support to custom technical support.
What makes IBM solutions work is global reach with a local touch. This includes:
- Over 160 business resiliency centers in 70 countries; more than 50 years of experience
- More than 9,000 disaster recovery clients, with IBM providing 100 percent recovery for clients who have declared a disaster
- A global network of 33 security operations, research and solution development centers; 133 monitored countries
- 15,000 researchers, developers and subject matter experts working security initiatives worldwide.
To learn more about the IBM Global Reputational Risk and IT Study go here.
turbotodd
