Archive for the ‘x-force’ Category
An Ounce of Cyber Prevention
IBM’s X-Force IRIS incident response team has published new research based on recent cyberattacks they’ve been asked to assist on and are reporting that cyberattacks designed to cause damage have doubled in the past six months and that 50 percent of those organizations affected are in manufacturing.
Physical, meet digital.
Some of the malicious code — including Industroyer, NotPetya, Stuxnet, among others – aren’t just looking or stealing. These are search and destroy missions.
From the report:
In the past, destructive malware was primarily used by sophisticated nation-state actors, but new analysis from X-Force’s incident response data has found that these attacks are now becoming more popular among cybercriminal attackers, with ransomware attacks including wiper elements to increase the pressure on victims to pay the ransom. As a result of this expanding profile, X-Force IRIS noted a whopping 200 percent increase in the amount of destructive attacks that our team has helped companies respond to over the past six months (comparing IBM incident response activities in the first half of 2019 versus the second half of 2018).
Other key findings:
An analysis of real-world incident response data from X-Force IRIS paints a picture of the devastating effects of these attacks on companies. A few of the key findings include:
- Massive destruction, massive costs: Destructive attacks are costing multinational companies $239 million on average. As a point of comparison, this is 61 times more costly than the average cost of a data breach ($3.92 million).
- The long road to recovery: The debilitating nature of these attacks requires a lot of resources and time to respond and remediate, with companies on average requiring 512 hours from their incident response team. It’s also common for organizations to use multiple companies to handle the response and remediation, which would increase hours even further.
- RIP laptops: A single destructive attack destroys 12,000 machines per company on average — creating quite a tab for new devices in order to get companies’ workforce back in action.
What You Can Do With An Ounce of Prevention
- Test your response plan under pressure. Use of a well-tailored tabletop exercise and a cyber range can ensure that your organization is ready at both tactical and strategic levels for a destructive malware attack.
- Use threat intelligence to understand the threat to your organization. Each threat actor has different motivations, capabilities and intentions, and threat intelligence can use this information to increase the efficacy of an organization’s response to an incident.
- Engage in effective defense in depth. Incorporate multiple layers of security controls across the entire Cyberattack Preparation and Execution Framework.
- Implement multifactor authentication (MFA) throughout the environment. The cost-benefit of MFA is tough to overstate, providing significant cybersecurity benefit in reducing the value of stolen or guessed passwords dramatically.
- Have backups, test backups and offline backups. Organizations should store backups apart from their primary network and only allow read, not write, access to the backups.
- Consider an action plan for a quick, temporary business functionality. Organizations that have been able to restore even some business operations following a destructive attack have fared better than their counterparts.
- Create a baseline for internal network activity and monitor for changes that could indicate lateral movement
If you find yourself in a cyberemergency, you can reach IBM Security at 888-241-9812 in the US and Canada, or (001) 312-212-8034 outside the US.
Batten Down The Hatches! IBM’s X-Force 2012 Trend And Risk Report
It’s been a busy year for IT security incidents. Yesterday, John Markoff and Nicole Perlroth with The New York Times told us about yet another incident, this time a cyberattack involving antispam group Spamhaus and an anonymous group unhappy with their efforts.
Click to enlarge. Based on disclosed incident details such as the vulnerability used and attack type, IBM X-Force was able to determine that the majority of the security incidents disclosed in 2012 were carried out by the top left quadrant above, with attackers going after a broad target base while using off-the-shelf tools and techniques. This can be attributed to the wide public availability of toolkits, and to the large number of vulnerable web applications that exist on the Internet.
But the list goes on and on. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations have been inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued their upward trajectory.
At the mid-year of 2012, IBM’s X-Force team predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case. While talk of sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year’s headlines, a large percentage of breaches relied on tried and true techniques such as SQL injection.
What continues to be clear is that attackers, regardless of operational sophistication, will pursue a path-of-least-resistance approach to reach their objectives. Integration of mobile devices into the enterprise continues to be a challenge. In the previous report, X-Force looked at some of the pitfalls and perils of implementing BYOD programs without strict formulations of policy and governance to support the use of these devices.
That said, recent developments have indicated that while these dangers still exist, and X-Force believes mobile devices should be more secure than traditional user computing devices by 2014. While this prediction may seem far fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
In its latest report, X-Force explores how security executives are advocating the separation of personas or roles on employee-owned devices. It also addresses some secure software mobile application development initiatives that are taking place today. The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose.
Click to enlarge. The intense proliferation of social networking across the Internet poses new challenges to companies that need to control the sharing of confidential information. Any employee that has access to the Internet is going to be exposed to social networking sites and because they are so frequently accessed,
they have become a favorite target of scam and phishing.
Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems.
Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
As X-Force also reported in the mid-year, spam volume remained nearly flat in 2012, with India claiming the top country of origin for spam distribution, but the nature of spam is changing. Broadly targeted phishing scams, as well as more personalized spear-phishing efforts continue to fool end users with crafty social-engineering email messages that look like legitimate businesses. Also, fake banking alerts and package delivery service emails have been effective as attackers refine their messages to look like the authentic messages that customers might normally receive.
Whether the target is individuals or the enterprise, once again, X-Force reminds organizations that many breaches were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.
Web applications are still topping the chart of most disclosed vulnerabilities, rising 14% in 2012 over the 2011 end of year numbers. As reported earlier in the mid-year report, cross-site scripting (XSS) dominated the web vulnerability disclosures at 53% of all publicly released vulnerabilities. Although SQL injection attack methods remain as a top attack technique, the actual disclosures of new SQL injection vulnerabilities remain lower than the 2010 peak X-Force recorded.
Social media has dramatically changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily access data to use in their activities.
Now, more than ever, individual employees who share personal details in their social profiles can be targeted for attacks.
Click to enlarge. The values for the evaluated threat and residual threat can be determined by comparing the likelihood or frequency of a threat occurring (high, medium, low) against the damage impact that could happen if the threat occurred (catastrophic, high, medium, low). The goal is to implement mitigation processes that either reduce the frequency of the threat occurring or reduce the impact if the threat does occur. A requirement for this to be successful is to have a specific, designated monitoring mechanism to monitor the implementation of the treatment processes and for the appearance of the threats.
2012 X-Force Trend And Risk Report Highlight
Malware and the malicious web
- In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display.
- Based on data for 2012, it is not surprising that the bulk of the security incidents disclosed were carried out with the majority of attackers going after a broad target base while using off-the-shelf tools and techniques. X-Force attributes this to the wide public availability of toolkits and to the large number of vulnerable web applications that exist on the Internet.
- The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the implementation of botnets on compromised web servers residing in high bandwidth data centers. This technique assisted in much higher connected uptime as well as having more bandwidth than home PC’s to carry out the attacks. In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.
- IBM Managed Security Services (MSS) security incident trends are markers that represent the state of security across the globe. The relative volume of the various alerts can help to describe how attacks are established and launched. They also frequently provide hints about how methods have evolved. Based on this, the main focus in 2012 may have been the subversion of systems, with larger coordinated attacks being executed across fairly broad swaths of the Internet.
- IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic due, in large part, to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets.
- Web browser exploit kits (also known as exploit packs) are built for one particular purpose: to install malware on end-user systems. In 2012 X-Force observed an upsurge in web browser exploit kit development and activity—the primary target of which are Java vulnerabilities—and X-Force supplies some strategies and tips to help protect against future attacks (see end of post to download full report).
- Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment. Web content trends, spam, and phishing Web content trends Top used websites are readily deployed as IPv6- ready, although attackers do not yet seem to be targeting IPv6 on a large scale.
- One third of all web access is done on websites which allow users to submit content such as web applications and social media.
- Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information.
Spam and phishing
- Spam volume remained nearly flat in 2012.
- India remains the top country for distributing spam, sending out more than 20% of all spam in the autumn of 2012. Following India was the United States where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam sending countries of origin were Vietnam, Peru, and Spain.
- At the end of 2012, IBM reports that traditional spam is on the retreat, while scam and spam containing malicious attachments is on the rise. In addition, attackers are demonstrating more resiliency to botnet take downs which results in an uninterrupted flow of spam volume.
Operational Security Practices
Vulnerabilities and exploitation
- In 2012, there were over 8,168 publicly disclosed vulnerabilities. While not the record amount X-Force expected to see after reviewing its mid-year data, it still represents an increase of over 14% over 2011.
- Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012.
- Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. Cross-site scripting dominated the web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related. This is the highest rate X-Force has ever seen. This dramatic increase occurred while SQL injection vulnerabilities enjoyed a higher rate than 2011 but were still down significantly since 2010.
- There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels.
- Web browser vulnerabilities declined slightly for 2012, but not at as high a rate as document format issues. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical severity web browser vulnerabilities saw an increase of 59% for the year.
- Few innovations have impacted the way the world communicates quite as much as social media. However, with the mass interconnection and constant availability of individuals, new vulnerabilities and a fundamental shift in intelligence-gathering capabilities has provided attackers and security professionals alike with information useful for enhancing their activities.
- Rather than seeing a particular enterprise as an individual entity, attackers can view enterprises as a collection of personalities. This gives attackers the opportunity to target specific people rather than enterprise infrastructures or applications. Furthermore, targeted people may also be targeted as individuals and not just as employees. In other words, the personal activities and lives of employees can be leveraged to target an enterprise.
Emerging Trends In Security
Mobile
- Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives.
- Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number of enterprises have wanted or required some form of separation or dual persona on mobile devices. This difference in use or adoption could be the result of greater numbers of devices driving greater risk in the percentage of personally owned mobile devices versus personally owned PCs in a BYOD program.
- In many cases, enterprises have made significant investments into implementing Secure Software Development Life Cycle (SSDLC) processes. Today’s mobile application development benefits from this. Tools exist to support secure development as part of the process instead of being conducted in qualification or production. As a result, it should be more common for enterprises to have more securely developed mobile applications than their existing legacy applications. Closure of vulnerabilities in some traditional computing applications may only conclude as existing versions are sunset and replaced with newer, more securely developed replacements.
- Over 2012, it is safe to conclude that more enterprises are supporting BYOD or the use of personally owned devices than previously. In the last two years, IBM Security has spoken to hundreds of global 2000 customers and out of those interviewed, only three said they had no plans to implement any kind of BYOD program.
To learn more on how your organization can work to address these types of vulnerabilities, download the full IBM X-Force 2012 Trend And Risk Report here.
IBM X-Force Mid-Year Report: Security Attacks Focused On Browsers, Mobile, Social
SPAM aside, IBM’s mid-year X-Force Trend and Risk Report shows a sharp increase in browser-related exploits, renewed concerns around social media password security, and continued challenges in mobile devices and corporate “bring your own device” (BYOD) programs.
Yesterday, IBM released the results of its X-Force 2012 Mid-Year Trend and Risk Report.
The mid-year report is troubling, revealing ongoing challenges and opportunities and the need for continued vigilance in the digital security realm.
The headlines: The latest report shows a sharp increase in browser-related exploits, renewed concerns around social media password security, and continued challenges in mobile devices and corporate “bring your own device” (BYOD) programs.
“Companies are faced with a constantly evolving threat landscape, with emerging technologies making it increasingly difficult to manage and secure confidential data,” said Kris Lovejoy, General Manager, IBM Security Services. “A security breach–whether from an outside attacker or an insider–can impact brand reputation, shareholder value, and expose confidential information. Our team of security threat analysts track and monitor security events and attack activity to better help our clients stay ahead of emerging threats.”
Mobile, Social: New Security Targets Of Opportunity
Since the last X-Force Trend and Risk Report, IBM’s X-Force has seen an increase in malware and malicious web activities:
- A continuing trend for attackers is to target individuals by directing them to a trusted URL or site which has been injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. The websites of many well-established and trustworthy organizations are still susceptible to these types of threats.
- The growth of SQL injection, a technique used by attackers to access a database through a website, is keeping pace with the increased usage of cross-site scripting and directory traversal commands.
- As the user base of the Mac operating system continues to grow worldwide, it is increasingly becoming a target of Advanced Persistent Threats (APTs) and exploits, rivaling those usually seen targeting the Windows platform.
Emerging Trends in Mobile Security
While there are reports of exotic mobile malware, most smartphone users are still most at risk of premium SMS (short message service, or texting) scams.
These scams work by sending SMS messages to premium phone numbers in a variety of different countries automatically from installed applications. There are multiple scam infection approaches for this:
- An application that looks legitimate in an app store but only has malicious intent
- An application that is a clone of a real application with a different name and some malicious code
- A real application that has been wrapped by malicious code and typically presented in an alternative app store
One game-changing transformation is the pervasiveness of Bring Your Own Device (BYOD) programs. Many companies are still in their infancy in adapting policies for allowing employees to connect their personal laptops or smartphones to the company network.
To make BYOD work within a company, a thorough and clear policy should be in place before the first employee-owned device is added to the company’s infrastructure.
Improvements in Internet Security Continue
As discussed in the 2011 IBM X-Force Trend and Risk Report, there continues to be progress in certain areas of Internet security. IBM X-Force data reports a continuing decline in exploit releases, improvements from the top ten vendors on patching vulnerabilities and a significant decrease in the area of portable document format (PDF) vulnerabilities.
IBM believes that this area of improvement is directly related to the new technology of sandboxing provided by the Adobe Reader X release.
Sandboxing technology works by isolating an application from the rest of the system, so that if compromised, the attacker code running within the application is limited to what it can do or what it can access.
Sandboxes are proving to be a successful investment from a security perspective. In the X-Force report, there was a significant drop in Adobe PDF vulnerability disclosures during the first half of 2012.
This development coincides nicely with the adoption of Adobe Reader X, the first version of Acrobat Reader released with sandboxing technology.
New IBM Security Operations Center Opens In Poland
To further protect its clients from emerging threats like those reported in the IBM X-Force Mid-Year Trend and Risk Report, IBM yesterday announced the opening of a security operations center in Wroclaw, Poland.
This newest IBM Security Operations Center is the 10th worldwide facility to help clients proactively manage these threats, including real-time analysis and early warning notification of security events.
Data for the bi-annual X-Force report comes from IBM’s security operations centers which monitor more than 15 billion security events a day on behalf of approximately 4,000 clients in more than 130 countries.
About the IBM X-Force Trend and Risk Report
The IBM X-Force Trend and Risk Report is an annual assessment of the security landscape, designed to help clients better understand the latest security risks, and stay ahead of these threats.
The report gathers facts from numerous intelligence sources, including its database of more than 68,000 computer security vulnerabilities, its global Web crawler and its international spam collectors, and the real-time monitoring of 15 billion events every day for approximately 4,000 clients in more than 130 countries.
These 15 billion events monitored each day, are a result of the work done in IBM’s 10 global security operations centers, which is provided as a managed security service to clients.
To view the full X-Force 2012 Mid-Year Trend and Risk Report go here.
A New Class Of Security
Click to enlarge. This graph outlines some of the key types of security attacker types and techniques that the 2011 IBM X-Force Trends Report identified as being most common. By the end of last year, the frequency and scope of these incidents persisted, and continue to bring awareness to the basic tenants of operating a business and protecting its assets in an increasingly connected world.
As hackers increasingly find new and nefarious ways to threaten the global digital infrastructure, recent policy advancements such as the proposed “Cybersecurity Act of 2012” in the U.S. have been introduced as solutions to the world’s growing cybersecurity problem.
While IBM accepts it is an imperative to properly secure critical systems, private sector advancements should be balanced with pragmatic legislative policies that avoid overly-prescriptive mandates that can inhibit the very innovation needed to ensure cybersecurity.
Consequently, IBM moved quickly and sent a letter urging the U.S. Senate to address flaws in the proposed cybersecurity bill.
According to IBM’s X-Force 2011 Trend and Risk Report, cyber attackers are adapting and moving quickly to target newer information technologies such as social networks and mobile devices. This rapidly evolving nature of cyber attacks necessitates a new approach to enabling cybersecurity.
Responding to the ever-changing nature and volume of attacks requires agility, risk-based management, and a commitment to innovative defensive measures. IBM supports bipartisan, cybersecurity legislation, but the “Cybersecurity Act of 2012” would add bureaucracy to a process that needs speed to succeed.
Government and industry would be best served by a common-sense approach to cybersecurity that allows for investment in R&D, improved information sharing between public and private sectors, better security for federal IT networks, and criminal penalties for cyber-crimes.
Industry Solutions To A Network Problem
Advanced threats, rapid adoption of social media, and Web applications have also been driving the need for new, intelligent approaches to security.
As employee access to the Web has become ubiquitous, enterprises are struggling with massive increases in malware as well as Advanced Persistent Threats (APTs), which can compromise proprietary data.
Many of today’s security solutions often offer limited visibility and control over network activity, which can put the company at risk.
To help clients proactively protect against evolving security threats, including those posed by social media sites and malicious websites, IBM today announced a new class of network security appliance that delivers a more granular view of a company’s security posture and a simplified security management interface.
This new next-generation intrusion prevention appliance helps clients address advanced attacks targeting their organization, providing visibility into exactly what applications are being used on the network, where users are going on the Web, with the ability to monitor and control this activity, which can result in improved security and reduced operational costs.
IBM Security Network Protection XGS 5000
IBM Security Network Protection XGS 5000 is a next-generation intrusion protection system specifically designed to address the constantly evolving, increasingly sophisticated threats that organizations face today.
It builds on the proven, core security features found in IBM Security Network Intrusion Prevention System, including helping protect against “zero-day” exploits, by adding new levels of visibility and control over the network, applications, data and users to help improve security by helping prevent misuse and identify previously undetectable threats.
IBM Security Network Protection incorporates global threat intelligence from X-Force, including a Web filter database of over 15 billion URLs — capable of monitoring and categorizing millions of Web servers and applications each day to provide superior protection against the changing threat landscape.
Gaining Control, And Visibility, Into Security Events
Once organizations are aware of the nature of activity on their network, the new application control features enable clients to have granular control over what is happening on their network; this means granular user and group-level control over which applications and Websites are permitted, and how they are used down to individual actions or activities within these applications and sites.
IBM Security’s Advanced Threat Protection Platform helps clients by providing the following features and capabilities:
- Proven security to help protect against zero-day threats: enables preemptive protection against a full spectrum of advanced threats, including Web application attacks and exploits hidden in files. IBM’s protection engine is built upon years of security intelligence gathered by X-Force Research, and can stop entire classes of attacks — including new and unknown threats – without updates; most solutions available today match individual protection signatures — a process that can be too slow to stop evolving threats and can result in higher rates of false positives and false negatives.
- Visibility and insight: provides application awareness, monitoring and control, with high level dashboards for drilling down into events and reporting. Also provides deep insight into the nature of activities on the network through broad application awareness and flow data analysis. Integrates with QRadar Security Intelligence Platform to provide even greater levels of insight including anomaly detection and event correlation.
- Control: utilizes intelligence related to Web applications, Websites, and non-Web applications, including Web application and Web site coverage with over 15 Billion URLs across 68 categories and support for 1000+ applications and actions.
IBM Security Network Protection XGS 5000 will be available starting in 3Q12.
About IBM Security
IBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, data, applications and infrastructure. IBM offers solutions for identity and access management, security information and event management, database security, application development, risk management, endpoint management, next-generation intrusion protection and more.
IBM operates one of the world’s broadest security research and development, and delivery organizations. This comprises nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 15 billion security events per day in more than 130 countries and holds more than 3,000 security patents.
Warning Against Your Insecurities: The 2011 IBM X-Force Trend And Risk “Poltergeist”
WARNING: This is an exceptionally long post intended for security and privacy geeks everywhere, including sys admins, Internet security hawks, CIOs, and innocent but interested bystanders everywhere. No web servers were hacked in the preparation of this report: at least, none by me!
Okay, troopers, it’s that time of year again. You know, the time when IBM releases its report card for security incidents, the X-Force Trend and Risk Report.
Google has the search “Zeitgeist” every year, we have the security “poltergeist!”
This time around, we’re looking back at the wild and wacky 2011, a year which showed surprising improvements in several areas of Internet security. Improvements, you ask? Surely you jest, Turbo.
This figure from the 2011 IBM X-Force Trend And Risk Report shows a steady decline in the instances of input control related vulnerabilities such as cross-site scripting (XSS) and SQL injection since X-Force began recording these statistics in 2007. In 2011, the statistics suggest that the likelihood of encountering XSS in a given test continues to decrease but shows signs of leveling out at approximately a 40 percent chance of occurring. Injection vulnerabilities and specifically SQL injection appears to have leveled out at around a 20 percent chance of occurring in a given test.
No, no, there IS some good news. Like a reduction in application security vulnerabilities, exploit code and spam.
But, good news leads to less good news on this front, as many of you who follow security well know, because the bad guys are being forced to rethink their tactics by targeting more niche IT loopholes and emerging technologies such as social networks and mobile devices.
The Top Line: Less Spam, More Adaptation
To get specific, the X-Force 2011 Trend and Risk Report demonstrated a 50 percent decline in spam email compared to 2010.
2011’s poltergeist saw a diligent patching of security vulnerabilities by software vendors, with only 36 percent of those vulnerabilities remaining unpatched in 2011 (compared to 43 percent in 2010). The year also saw a higher quality of software application code, as seen in web-app vulnerabilities called “cross-site scripting” that were half as likely to exist in clients’ software as they were four years ago.
So, the net is, the bad guys are adapting their techniques to the changing tech environment. The report uncovered a rise in emerging attack trends including mobile exploits, automated password guessing, and a surge in phishing attacks.
It also witnessed an increase in automated shell command injection attacks against web servers, which may well be a response to successful efforts to close off other kinds of Web app vulnerabilities.
The Security Landscape Glass Half Full: Decrease In Unpatched Vulnerabilities, Exploit Code, And Spam
Getting even more specific, according to the report, there are several positive trends as companies adjusted their security policies in 2011:
- Thirty percent decline in the availability of exploit code. When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30 percent fewer exploits were released in 2011 than were seen on average over the past four years. This improvement can be attributed to architectural and procedural changes made by software developers that help make it more difficult for attackers to successfully exploit vulnerabilities.
- Decrease in unpatched security vulnerabilities. When security vulnerabilities are publicly disclosed, it is important that the responsible software vendor provide a patch or fix in a timely fashion. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years. In 2011 this number was down to 36 percent from 43 percent in 2010.
- Fifty percent reduction in cross site scripting (XSS) vulnerabilities due to improvements in software quality. The IBM X-Force team is seeing significant improvement in the quality of software produced by organizations that use tools like IBM AppScan OnDemand service to analyze, find, and fix vulnerabilities in their code. IBM found XSS vulnerabilities are half as likely to exist in customers’ software as they were four years ago. However, XSS vulnerabilities still appear in about 40 percent of the applications IBM scans. This is still high for something well understood and able to be addressed.
- Decline in spam. IBM’s global spam email monitoring network has seen about half the volume of spam email in 2011 that was seen in 2010. Some of this decline can be attributed to the take-down of several large spam botnets, which likely hindered spammers’ ability to send emails. The IBM X-Force team witnessed spam evolve through several generations over the past seven years as spam filtering technology has improved and spammers have adapted their techniques in order to successfully reach readers.
The Security Landscape Glass Half Empty: Attackers Adapt Their Techniques in 2011
Even with these improvements, there has been a rise in new attack trends and an array of significant, widely reported external network and security breaches.
This figure from the 2011 IBM X-Force Trend And Risk Report shows an increase in mobile operating system exploits in 2011 due to an uptick in malicious activity targeting mobile devices. Because of the two-tiered relationship between phone end users, telecommunications companies, and mobile operating system vendors, disclosed mobile vulnerabilities can remain unpatched on phones for an extended period of time, providing a large window of opportunity to attackers.
As malicious attackers become increasingly savvy, the IBM X-Force documented increases in three key areas of attack activity:
- Attacks targeting shell command injection vulnerabilities more than double. For years, SQL injection attacks against web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a website. As progress has been made to close those vulnerabilities – the number of SQL injection vulnerabilities in publicly maintained web applications dropped by 46 percent in 2011– some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on a web server. Shell command injection attacks rose by two to three times over the course of 2011. Web application developers should pay close attention to this increasingly popular attack vector.
- Spike in automated password guessing – Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet in which attacks scan the net for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell servers (SSH) in the later half of 2011.
- Increase in phishing attacks that impersonate social networking sites and mail parcel services – The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven’t been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.
Emerging Technologies Create New Avenues for Attacks
New technologies such as mobile and cloud computing continue to create challenges for enterprise security.
- Publicly released mobile exploits rise 19 percent in 2011. This year’s IBM X-Force report focused on a number of emerging trends and best practices to manage the growing trend of “Bring your Own Device,” or BYOD, in the enterprise. IBM X-Force reported a 19 percent increase over the prior year in the number of exploits publicly released that can be used to target mobile devices. There are many mobile devices in consumers’ hands that have unpatched vulnerabilities to publicly released exploits, creating an opportunity for attackers. IT managers should be prepared to address this growing risk.
- Attacks increasingly relate to social media – With the widespread adoption of social media platforms and social technologies, this area has become a target of attacker activity. IBM X-Force observed a surge in phishing emails impersonating social media sites. More sophisticated attackers have also taken notice. The amount of information people are offering in social networks about their personal and professional lives has begun to play a role in pre-attack intelligence gathering for the infiltration of public and private sector computing networks.
- Cloud computing presents new challenges – Cloud computing is moving rapidly from emerging to mainstream technology, and rapid growth is anticipated through the end of 2013. In 2011, there were many high profile cloud breaches affecting well-known organizations and large populations of their customers. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data. Cloud security requires foresight on the part of the customer as well as flexibility and skills on the part of the cloud provider. The IBM X-Force report notes that the most effective means for managing security in the cloud may be through Service Level Agreements (SLAs) because of the limited impact that an organization can realistically exercise over the cloud computing service. Therefore, careful consideration should be given to ownership, access management, governance and termination when crafting SLAs. The IBM X-Force report encourages cloud customers to take a lifecycle view of the cloud deployment and fully consider the impact to their overall information security posture.
The IBM X-Force 2011 Trend and Risk Report is based on intelligence gathered by one of the industry’s leading security research teams through its research of public vulnerability disclosures findings from more than 4,000 clients, and the monitoring and analysis of an average of 13 billion events daily in 2011.
“In 2011, we’ve seen surprisingly good progress in the fight against attacks through the IT industry’s efforts to improve the quality of software,” said Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force. “In response, attackers continue to evolve their techniques to find new avenues into an organization. As long as attackers profit from cyber crime, organizations should remain diligent in prioritizing and addressing their vulnerabilities.”
You can learn more about IBM Security Solutions here.
A Hacker’s Nervous Breakdown
How ironic that here I am at Pulse 2012, where we’re talking about Internet and other related security matters, and then this headline: EXCLUSIVE: Infamous international hacking group LulzSec brought down by own leader.
Wow.
Apparently, law enforcement agents on two continents arrested five members of the infamous hacking group, Anonymous, early this morning. Furthermore, they were apparently acting on information and evidence gathered by the organization’s leader, who apparently had been cooperating with the government for months.
Doh!
Anonymous and its various offshoots — LulzSec, AntiSec, etc. — Are believed to have caused billions of dollars of damage to the government, banks, and corporations around the world.
The New York field office of the Federal Bureau of investigation released a press statement which indicated that five computer hackers in the United States and abroad were charged today, and six pled guilty, for computer hacking and other crimes.
The six hackers identified themselves as aligned with the group anonymous, which is a loose confederation of computer hackers and others, and/or offshoot groups related to Anonymous.
The now unsealed indictment revealed the perps were charged with hacks including of Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service. Included in the indictment were that of Hector Xavier Monsegur, aka “Sabu” and “Leon” and “Xavier DeLeon,” who pled guilty last August 15th to a 12-count information charging him with computer hacking conspiracies and other crimes, and who apparently has been cooperating with the government to bring several of the others to justice.
According to the New York Times’ coverage of the story, Mr. Monsegur ran his schemes out of a public housing project on the Lower East Side of Manhattan.
So was he the head of the Anonymous snake? Now that the indictments are out, I suspect we’ll be finding out very, very soon.
IBM To Acquire Security Intelligence Provider Q1 Labs
IBM has announced a definitive agreement to acquire privately held Q1 Labs, a Waltham, Massachusetts-based provider of security intelligence software.
The move aims to accelerate IBM’s efforts to help clients more intelligently secure their enterprises by applying analytics to correlate information from key security domains and creating security dashboards for their organizations.
Financial terms were not disclosed.
Following the close of the acquisition, Q1 Labs will join the newly-formed IBM Security Systems division, representing the world’s most comprehensive security portfolio. After the close, IBM intends the new division to be led by Brendan Hannigan, CEO of Q1 Labs.
The new division will target a $94 billion opportunity in security software and services, which has a nearly 12 percent compound annual growth rate, according to IBM estimates.
Q1 Labs will join the more than 10 strategic security acquisitions IBM has made in the last decade and the more than 25 analytics-related purchases, including the recently announced acquisition of security analytics software firm, i2.
Organizations face a landscape with high-impact corporate breaches, growing mobile security concerns and advanced security threats, as highlighted in last week’s IBM X-Force Mid-Year Trend and Risk Report.
Firms must be equipped to identify threats, detect insider fraud, predict business risk and address regulatory mandates. Three quarters of firms feel cyberattacks are hard to detect and their effectiveness would increase with end-to-end solutions, according to a recent industry report.
Q1 Labs’ advanced analytics and correlation capabilities can automatically detect and flag actions across an enterprise that deviate from prescribed policies and typical behavior to help prevent breaches, such as an employee accessing unauthorized information.
“Since perimeter defense alone is no longer capable of thwarting all threats, IBM is in a unique position to shift security thinking to an integrated, predictive approach,” said Brendan Hannigan, CEO of Q1 Labs. “Q1 Labs’ security analytics will add greater intelligence to IBM’s security portfolio and continue to distinguish IBM from competitors.”
IBM operates the world’s broadest security research and development organization, comprising nine security operations centers, nine IBM Research centers, 11 software security development labs and three Institutes for Advanced Security.
It employs thousands of security experts globally such as security operations analysts, consultants, sales and tech specialists, and strategic outsourcing delivery professionals. IBM monitors 12 billion security events per day in more than 130 countries and holds 3,000 security patents. IBM has been in the security business for nearly 50 years dating back to the security innovation in its mainframe systems.
You can learn more about IBM’s security offerings here.
IBM X-Force Trends Report: Year Of The Security Breach
Attacker types and techniques in 1H2011 identified by the IBM X-Force Mid-Year Trend & Risk Report. The study revealed mobile security exploits would likely double in 2011.
Okay, it’s my last day in Bangalore. At least for this particular journey.
I don’t have any more India-related news, except to report that the Kolkata Night Riders beat the Royal Challengers Bangalore in the CLT20 last night, here in Bangalore.
KKR won by nine wickets, and now I know why there were such sad faces in the stadium as I watched the end of the match late last night on TV.
As I was watching cricket, IBM was releasing the results of its “X-Force 2011 Mid-Year Trend and Risk Report,” a tiding I always attempt to cover in some depth, both because I find the reports fascinating and enlightening, and because I consider it a real service that IBM is providing to the global IT community.
Poised at the frontline of security, the IBM X-Force team serves as the eyes and ears for thousands of IBM clients – studying security attack techniques and creating defenses before many vulnerabilities are even announced.
The X-Force Mid-Year Trend and Risk Report is based on intelligence gathered through IBM’s research of public vulnerability disclosures as well as the monitoring and analysis of an average of 12 billion security events daily since the beginning of 2011.
Drumroll, Please: Moble Exploits Are Ripe For Exploitation!
The headline: This report demonstrates the rapidly changing security landscape characterized by high-profile attacks, growing mobile vulnerabilities and more sophisticated threats such as “whaling.”
Adoption of mobile devices such as smartphones and tablets in the enterprise, including the “Bring Your Own Device” approach, which allows personal devices to access the corporate network, is raising new security concerns.
IBM X-Force has documented a steady rise in the disclosure of security vulnerabilities affecting these devices. X-Force research recommends that IT teams consistently employ anti-malware and patch management software for phones in enterprise environments.
Click to enlarge. This graphic explores what the security situation might look like if it were run by the IBM X-Force team as they attempted to deal with this year's exploits.
Other key findings from the study:
- Malicious software targeting mobile phones is often distributed through third-party app markets. Mobile phones are an increasingly attractive platform for malware developers as the sheer size of the user base is growing rapidly, and there is an easy way to monetize mobile phone infections. Malware distributors can set up premium texting (SMS messaging) services that charge users that text to a specific number. Malware then sends text messages to those premium numbers from infected phones.
- Some mobile malware is designed to collect end user’s personal information. This data could then be used in phishing attacks or for identity theft. Mobile malware is often capable of spying on victim’s personal communications as well as monitoring and tracking their physical movements via the GPS capabilities common in these phones.
“For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices,” said Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force. “It appears that the wait is over.”
Critical Vulnerabilities Triple in 2011
The X-Force team also reports that the percentage of critical vulnerabilities has tripled thus far in 2011.
X-Force is declaring 2011 the “Year of the Security Breach” due to the large number of high-profile attacks and network compromises that have occurred this year.
This graphic explores the top website categories from the 1H2011 report containing at least one malicious link.
There is a cadre of notable emerging threats from this year’s breaches:
- Teams of professional attackers motivated by a desire to collect strategic intelligence have been able to gain and maintain access to critical computer networks through a combination of stealth, sophisticated technical capabilities and careful planning. These attackers are often referred to as “Advanced Persistent Threats” (APTs).
- The success of APTs has raised the profile of “whaling,” a type of spear phishing which targets “big fish,” or those positioned in high levels of an organization with access to critical data. These targeted attacks are often launched after careful study of a person’s online profiles has armed an attacker with the information needed to create a compelling phishing email that the victim will be fooled into clicking on.
- Attacks from ‘hacktivist’ groups, who targeted web sites and computer networks for political ends rather than just financial gain. Hacktivist groups have been successful in using well known, off-the-shelf attack techniques such as SQL Injection, which is one of the most common attack techniques seen in the Internet.
- Anonymous proxies have more than quadrupled in number compared to three years earlier. Anonymous proxies are a critical type of website to track, because they allow people to hide potentially malicious intent.
Advances In Security
“The rash of high-profile breaches this year highlights the challenges organizations often face in executing their security strategy,” said Cross. “Although we understand how to defend against many of these attacks on a technical level, organizations don’t always have the cross-company operational practices in place to protect themselves.”
Although the X-Force team declared 2011 as a watershed in high-profile security breaches, the report also uncovered some improvements in areas of computer security that show headway in the fight against crime on the Internet.
- The first half of 2011 saw an unexpected decrease in web application vulnerabilities, from 49 percent of all vulnerability disclosures down to 37 percent. This is the first time in five years X-Force has seen a decrease.
- High and critical vulnerabilities in web browsers were also at their lowest point since 2007, despite an increasingly complex browser market. These improvements in web browser and application security are important as many attacks are targeted against those categories of software
- As major botnet operators are taken down and off-line by law enforcement officials, the report shows a trend in the decline of spam and more traditional phishing tactics.
- After years of consistent spam growth until the middle of 2010, there has been a significant decline in spam volumes in the first half of this year.In the first half of 2011, the percentage of spam that is phishing on a weekly basis was less than 0.01 percent. Traditional phishing has greatly declined from the levels X-Force was seeing prior to the middle of 2010.
Also of note, the SQL Slammer Worm has been one of the most common sources of malicious packets on the Internet since its appearance and naming by the IBM X-Force team in 2003, but it has fallen down the list after a dramatic disappearance observed in March 2011.
The most recent analysis strongly suggested that the SQL Slammer Worm’s disappearance is due to an unknown source or actor. The analysis showed that a time-based trigger using a Slammer’s server clock was used to shut it down, proving that it was disabled by a single cause.
Traditional Vulnerabilities Still a Problem
The X-Force report uncovered numerous attacks that target traditional security vulnerabilities. According to the report, attacks on weak passwords are commonplace on the Internet, as are attacks that leverage SQL Injection vulnerabilities in web applications to compromise backend databases.
Databases have become an important target for attackers. Critical data used to run organizations — including financial/ERP, customer, employee, and intellectual property information such as new product designs — is stored in relational databases.
IBM researchers tested almost 700 web sites — from the Fortune 500 and other most popular sites — to uncover that 40 percent of these contain a class of security issues referred to as client-side JavaScript vulnerabilities. The existence of vulnerabilities like these in so many corporate web sites is indicative of the security blindspots in many organizations.
This graphic reveals insight into the exploit effort versus potential reward in the 1H 2011 X-Force report.
IBM Launches Institute for Advanced Security in Asia Pacific
To help combat security risks and to foster collaboration amongst security industry leaders, IBM is launching the IBM Institute for Advanced Security in Asia Pacific in order to combat growing security threats in the region.
The IBM Mid-Year X-Force report states that top countries originating spam have shifted to Asia Pacific, with India sending out roughly 10 percent of all spam registered today, and South Korea and Indonesia also making the top five list.
This Institute joins its predecessors in Brussels, Belgium and Washington, D.C., focused on European and U.S. clients respectively.
About the IBM X-Force Team and the Trend and Risk Report
This report comes from IBM’s X-Force team, the premier security research organization within IBM that has catalogued, analyzed and researched more than 50,000 vulnerability disclosures since 1997.
The IBM X-Force Trend and Risk Report is an annual assessment of the security landscape, designed to help clients better understand the latest security risks, and stay ahead of these threats.
It is the result of the work done in IBM’s nine global Security Operations Centers, which is provided as a managed security service to clients.
The report gathers facts from numerous intelligence sources, including its database of computer security vulnerabilities, global web crawler, international spam collectors, and the real-time monitoring of an average of 12 billion security events every day for nearly 4,000 clients in more than 130 countries.
turbotodd
Turbotodd 