ARMONK, N.Y., March 22, 2012 /PRNewswire/ -- IBM (NYSE: IBM) today released the results of its X-Force 2011 Trend and Risk Report, which shows surprising improvements in several areas of Internet security such as a reduction in application security vulnerabilities, exploit code and spam. As a result, the report suggests attackers today are being forced to rethink their tactics by targeting more niche IT loopholes and emerging technologies such as social networks and mobile devices.
(Photo: http://photos.prnewswire.com/prnh/20120322/NY74756-a )
(Photo: http://photos.prnewswire.com/prnh/20120322/NY74756-b )
(Logo: http://photos.prnewswire.com/prnh/20090416/IBMLOGO )
The X-Force 2011 Trend and Risk Report revealed a 50 percent decline in spam email compared to 2010; more diligent patching of security vulnerabilities by software vendors, with only 36 percent of software vulnerabilities remaining unpatched in 2011 compared to 43 percent in 2010; and higher quality of software application code, as seen in web-application vulnerabilities called cross site scripting half as likely to exist in clients' software as they were four years ago.
In light of these improvements, it seems attackers are adapting their techniques. The report uncovers a rise in emerging attack trends including mobile exploits, automated password guessing, and a surge in phishing attacks. An increase in automated shell command injection attacks against web servers may be a response to successful efforts to close off other kinds of web application vulnerabilities.
The IBM X-Force 2011 Trend and Risk Report is based on intelligence gathered by one of the industry's leading security research teams through its research of public vulnerability disclosures findings from more than 4,000 clients, and the monitoring and analysis of an average of 13 billion events daily in 2011.
"In 2011, we've seen surprisingly good progress in the fight against attacks through the IT industry's efforts to improve the quality of software," said Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force. "In response, attackers continue to evolve their techniques to find new avenues into an organization. As long as attackers profit from cyber crime, organizations should remain diligent in prioritizing and addressing their vulnerabilities."
According to the report, there are positive trends as it appears companies implemented better security practices in 2011:
-- Thirty percent decline in the availability of exploit code - When
security vulnerabilities are disclosed, exploit code is sometimes
released that attackers can download and use to break into computers.
Approximately 30 percent fewer exploits were released in 2011 than were
seen on average over the past four years. This improvement can be
attributed to architectural and procedural changes made by software
developers that help make it more difficult for attackers to
successfully exploit vulnerabilities.
-- Decrease in unpatched security vulnerabilities - When security
vulnerabilities are publicly disclosed, it is important that the
responsible software vendor provide a patch or fix in a timely fashion.
Some security vulnerabilities are never patched, but the percentage of
unpatched vulnerabilities has been decreasing steadily over the past few
years. In 2011 this number was down to 36 percent from 43 percent in
-- Fifty percent reduction in cross site scripting (XSS) vulnerabilities
due to improvements in software quality - The IBM X-Force team is seeing
significant improvement in the quality of software produced by
organizations that use tools like IBM AppScan OnDemand service to
analyze, find, and fix vulnerabilities in their code. IBM found XSS
vulnerabilities are half as likely to exist in customers' software as
they were four years ago. However, XSS vulnerabilities still appear in
about 40 percent of the applications IBM scans. This is still high for
something well understood and able to be addressed.
-- Decline in spam - IBM's global spam email monitoring network has seen
about half the volume of spam email in 2011 that was seen in 2010. Some
of this decline can be attributed to the take-down of several large spam
botnets, which likely hindered spammers' ability to send emails. The IBM
X-Force team witnessed spam evolve through several generations over the
past seven years as spam filtering technology has improved and spammers
have adapted their techniques in order to successfully reach readers.
Attackers Adapt Their Techniques in 2011
Even with these improvements, there has been a rise in new attack trends and an array of significant, widely reported external network and security breaches. As malicious attackers become increasingly savvy, the IBM X-Force documented increases in three key areas of attack activity:
-- Attacks targeting shell command injection vulnerabilities more than
double - For years, SQL injection attacks against web applications have
been a popular vector for attackers of all types. SQL injection
vulnerabilities allow an attacker to manipulate the database behind a
website. As progress has been made to close those vulnerabilities - the
number of SQL injection vulnerabilities in publicly maintained web
applications dropped by 46 percent in 2011- some attackers have now
started to target shell command injection vulnerabilities instead. These
vulnerabilities allow the attacker to execute commands directly on a web
server. Shell command injection attacks rose by two to three times over
the course of 2011. Web application developers should pay close
attention to this increasingly popular attack vector.
-- Spike in automated password guessing - Poor passwords and password
policies have played a role in a number of high-profile breaches during
2011. There is also a lot of automated attack activity on the Internet
in which attacks scan the net for systems with weak login passwords. IBM
observed a large spike in this sort of password guessing activity
directed at secure shell servers (SSH) in the later half of 2011.
-- Increase in phishing attacks that impersonate social networking sites
and mail parcel services - The volume of email attributed to phishing
was relatively small over the course of 2010 and the first half of 2011,
but phishing came back with a vengeance in the second half, reaching
volumes that haven't been seen since 2008. Many of these emails
impersonate popular social networking sites and mail parcel services,
and entice victims to click on links to web pages that may try to infect
their PCs with malware. Some of this activity can also be attributed to
advertising click fraud, where spammers use misleading emails to drive
traffic to retail websites.
Emerging Technologies Create New Avenues for Attacks
New technologies such as mobile and cloud computing continue to create challenges for enterprise security.
-- Publicly released mobile exploits rise 19 percent in 2011 - This year's
IBM X-Force report focused on a number of emerging trends and best
practices to manage the growing trend of "Bring your Own Device," or
BYOD, in the enterprise. IBM X-Force reported a 19 percent increase over
the prior year in the number of exploits publicly released that can be
used to target mobile devices. There are many mobile devices in
consumers' hands that have unpatched vulnerabilities to publicly
released exploits, creating an opportunity for attackers. IT managers
should be prepared to address this growing risk.
-- Attacks increasingly relate to social media - With the widespread
adoption of social media platforms and social technologies, this area
has become a target of attacker activity. IBM X-Force observed a surge
in phishing emails impersonating social media sites. More sophisticated
attackers have also taken notice. The amount of information people are
offering in social networks about their personal and professional lives
has begun to play a role in pre-attack intelligence gathering for the
infiltration of public and private sector computing networks.
-- Cloud computing presents new challenges - Cloud computing is moving
rapidly from emerging to mainstream technology, and rapid growth is
anticipated through the end of 2013. In 2011, there were many high
profile cloud breaches affecting well-known organizations and large
populations of their customers. IT security staff should carefully
consider which workloads are sent to third-party cloud providers and
what should be kept in-house due to the sensitivity of data. Cloud
security requires foresight on the part of the customer as well as
flexibility and skills on the part of the cloud provider. The IBM
X-Force report notes that the most effective means for managing security
in the cloud may be through Service Level Agreements (SLAs) because of
the limited impact that an organization can realistically exercise over
the cloud computing service. Therefore, careful consideration should be
given to ownership, access management, governance and termination when
crafting SLAs. The IBM X-Force report encourages cloud customers to take
a lifecycle view of the cloud deployment and fully consider the impact
to their overall information security posture.
"Many cloud customers using a service worry about the security of the technology. Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer's control," said Ryan Berg, IBM Security Cloud Strategist. "They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload."
IBM continues to work with its clients to step up security to address these new areas. Recommendations for helping clients improve the security of their IT department in light of these new threats include: performing regular security assessments; segmenting sensitive systems and information; training end users about phishing and spear phishing and secure computing principals in general, as well as examining the policies of business partners.
To view the full X-Force 2011 Trend and Risk Report and watch a highlight video please visit www.ibm.com/security/xforce
About the IBM X-Force Trend and Risk Report
The IBM X-Force Trend and Risk Report is an annual assessment of the security landscape, designed to help clients better understand the latest security risks, and stay ahead of these threats. The report gathers facts from numerous intelligence sources, including its database of more than 50,000 computer security vulnerabilities, its global Web crawler and its international spam collectors, and the real-time monitoring of 13 billion events every day for nearly 4,000 clients in more than 130 countries. These 13-billion events monitored each day - more than 150,000 per second - are a result of the work done in IBM's nine global Security Operations Centers, which is provided as a managed security service to clients. To view the video of IBM security threat analysts discussing security, please visit: http://bit.ly/GILb9q and http://www.youtube.com/ibmsecuritysolutions
About IBM Security
With more than 40 years of security development and innovation, IBM has breadth and depth in security research, products, services and consulting. IBM has nine worldwide research labs innovating security technology and nine security operations centers around the world to help global clients maintain an appropriate security posture. IBM Managed Security Services delivers the expertise, tools and infrastructure clients need to secure their information assets from constant Internet attacks, often at a fraction of the cost of in-house security resources. The Institute for Advanced Security is IBM's global initiative the help organizations better understand and respond to the security threats to their business. Visit the Institute community at www.instituteforadvancedsecurity.com
For more information on IBM Security Solutions, please visit: www.ibm.com/security
IBM Media Relations