2011 a ‘watershed’ year for security breaches – IBM report

29 Sep 2011

This year has been a “watershed” in high-profile security breaches, but there have been improvements in other areas, such as a decrease in disclosed web application vulnerabilities, a new report from IBM has found.

The company’s X-Force 2011 Mid-Year Trend and Risk Report, released today, unsurprisingly draws attention to the large number of cyber attacks and network compromises that have come to light so far this year. Targets ranged from Sony, RSA and Nintendo to Lockheed Martin, Gmail, Citigroup and the US Senate.

IBM said the breaches were underpinned by several trends. One is the advanced persistent threat (APT), whereby teams of professional attackers gain and maintain access to critical networks in order to collect strategic intelligence.

The success of APTs in turn raised the profile of what the report calls “whaling”, a type of spear phishing which targets ‘big fish’ – people at high levels of an organisation with access to critical data. According to the report, attackers typically first study the target’s public online profile, which lets them craft a more plausible phishing email that the intended victim is likely to open.

A third trend is the rise to prominence of groups using off-the-shelf techniques to commit targeted attacks for political ends or to make a point, rather than for pure financial gain. “Hacktivist groups, such as Lulzsec and Anonymous, lack the technical and operational sophistication of state-sponsored attackers and lack the financial motivation of the botnet operators, but they have been very successful at breaching networks and damaging reputations,” the report said.

It wasn’t all bad news: whereas 2010 saw more than 8,500 vulnerability disclosures – said to be the highest ever – this year’s total is projected to end just above 7,000. This is a significant drop on the previous year and is approximately the same volume that was seen in 2006.

The report said about half of the security vulnerabilities disclosed in recent years were web application vulnerabilities. That number is down to 37pc this year, with a significant drop in the volume of SQL injection vulnerabilities in particular.

So far, only about 12pc of the vulnerabilities that have been disclosed have seen public exploit code released, whereas in previous years the figure was closer to 15pc. However, vulnerabilities with a Common Vulnerability Scoring System (CVSS) base score of 10 out of 10 are up to 3pc of disclosures for the year and have already exceeded 2010’s total, IBM said. Almost every one of these critical vulnerabilities is a serious remote code execution issue that impacts an important enterprise-class software product.
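As an added illustration, not part of the IBM report or this article: the CVSS v2 base-score equations published by FIRST make it clear why a 10.0 is almost always a remote code execution bug. The calculator below implements those equations and metric weights, then enumerates every possible v2 base vector to show that exactly one shape scores 10.0: network-reachable, low complexity, no authentication, and complete loss of confidentiality, integrity and availability. The vectors used as samples are constructed for the example.

```python
from itertools import product

# Metric weights from the CVSS v2 specification (FIRST).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # none / partial / complete

METRICS = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}


def parse_vector(vector):
    """Parse a v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'.

    Raises ValueError on malformed, unknown or incomplete input so that
    a bad vector is rejected rather than silently scored.
    """
    metrics = {}
    for part in vector.strip().split("/"):
        if ":" not in part:
            raise ValueError("malformed metric %r" % part)
        name, value = part.split(":", 1)
        if name not in METRICS or value not in METRICS[name]:
            raise ValueError("unknown metric or value %r" % part)
        metrics[name] = value
    missing = sorted(set(METRICS) - set(metrics))
    if missing:
        raise ValueError("vector missing metrics %s" % missing)
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return 0.0          # f(Impact) is 0 when there is no impact at all
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def vectors_scoring(target):
    """Enumerate all 3^6 = 729 v2 base vectors and return those with the given score."""
    hits = []
    for av, ac, au, c, i, a in product(ACCESS_VECTOR, ACCESS_COMPLEXITY,
                                       AUTHENTICATION, IMPACT, IMPACT, IMPACT):
        v = "AV:%s/AC:%s/Au:%s/C:%s/I:%s/A:%s" % (av, ac, au, c, i, a)
        if base_score(v) == target:
            hits.append(v)
    return hits


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any real advisory.
    samples = [
        "AV:N/AC:L/Au:N/C:C/I:C/A:C",   # unauthenticated remote code execution
        "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # typical web app bug, e.g. SQL injection
        "AV:L/AC:L/Au:N/C:C/I:C/A:C",   # local privilege escalation to root
        "AV:L/AC:L/Au:N/C:N/I:N/A:N",   # no impact at all
    ]
    for v in samples:
        print("%-30s %4.1f" % (v, base_score(v)))
    print("vectors scoring 10.0:", vectors_scoring(10.0))
```

The enumeration is the point: lowering any single metric from its maximum (medium complexity, single authentication, adjacent network, or one partial impact) drops the score to 9.7 or below, so a 10.0 can only describe a flaw reachable over the network by an anonymous attacker that yields full compromise.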

Spam volumes decrease

After years of consistent spam growth until the middle of last year, the report noted a significant decline in spam volumes in the first half of 2011, along with a drop in traditional phishing attacks. IBM said this was due to some of the major botnet operators being taken out by law enforcement.

On the other hand, the report noted security concerns around the use of smartphones and tablets in business, including the “bring your own device” approach, whereby people use their own handsets to access the company network.

IBM’s X-Force research team documented a “steady rise” in the disclosure of security vulnerabilities affecting mobile devices. It recommended that IT teams consistently use anti-malware and patch management software for phones in business environments, noting that many mobile phone vendors do not rapidly push out security updates for their devices. X-Force is forecasting that 2011 will see twice as many mobile exploit releases as 2010.

Gordon Smith was a contributor to Silicon Republic