IBM X-Force Security Report Balances Good News With Bad

Application vulnerabilities and spam are down, but attackers are finding new openings, according to the annual X-Force report

IBM X-Force has expressed its surprise at the results of its 2011 annual review. The team found that application security vulnerabilities, exploit code and spam have all declined, which it attributes to improved awareness.

The jubilation will, sadly, be short-lived for anyone reading further into the X-Force Trend and Risk Report, which reveals that attackers are shifting towards more niche IT loopholes and are finding social networks and mobile devices a rich battlefield.

Fighting back

The report revealed a 50 percent drop in spam through 2011, following more aggressive moves by companies such as Microsoft’s Trustworthy Computing teams working with local police departments. These initiatives have resulted in the takedown of some of the largest spam engines, with a noticeable reduction in traffic.

Software vendors are playing their part, but could do better, with only 36 percent of software vulnerabilities remaining unpatched. More of these companies are issuing regular patches, which is an added chore for IT departments but obviously worth the effort. The reduction in vulnerabilities shows a seven percent improvement on last year.

Awareness of code weaknesses and testing have also played a part in the reduction of these vulnerabilities. The IBM team gives the example of cross-site scripting (XSS) flaws, which are half as likely to exist in customers’ software as they were in 2007. This is probably down to XSS attacks from Anonymous and LulzSec being so widely publicised – and so obviously successful in compromising and publicly embarrassing their targets.

It seems that bounty rewards for reporting potential vulnerabilities may also be having an effect. When a potentially exploitable flaw is found, there is usually an immediate posting of exploit code – which carries no real reward other than the admiration of other hackers. With bounties worth thousands of pounds on offer, the number of such posts has fallen by 30 percent over the four years preceding 2011.

On the other end of the see-saw, publicly released exploits for mobile devices increased by 19 percent during 2011. X-Force uses this to warn about the Bring Your Own Device (BYOD) trend. The team pointed out that IT managers should be aware of the “many mobile devices in consumers’ hands that have unpatched vulnerabilities to publicly released exploits, creating an opportunity for attackers”.

Social network engineering

As might be expected, there has been a surge in phishing emails impersonating social media sites. More worrying is the amount of data on individuals that has now entered the public domain. Information on both their personal and professional lives now offers pre-attack intelligence that exposes individuals to spearphishing attacks and opens the way for infiltration of public and private sector computing networks.

Related to this is the growing move to cloud computing and the opportunities this provides hackers. The report advises: “IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data. Cloud security requires foresight on the part of the customer as well as flexibility and skills on the part of the cloud provider.”

In compiling the report, IBM gathers data from numerous intelligence sources, including its database of more than 50,000 computer security vulnerabilities, its global Web crawler, and its international spam collectors. The team monitors in real-time over 13 billion events every day for nearly 4,000 clients in more than 130 countries through its nine global Security Operations Centres.