Hackers switch efforts to cloud, social and mobile attacks

22 Mar 2012

Better defences are forcing hackers to rethink their tactics by targeting niche IT loopholes, social networks, cloud and mobile devices, IBM says in its X-Force report for 2011. On a positive note, it says there has also been a 50pc decline in spam in 2011 versus 2010.

Organisations appear to be more diligent in patch management, for example, with only 36pc of software vulnerabilities remaining unpatched in 2011 compared with 43pc in 2010.

The X-Force report pointed to a rise in new attack trends, such as automated password guessing, mobile exploits, a surge in phishing attacks and an increase in automated shell command injection attacks against web servers.

“In 2011, we’ve seen surprisingly good progress in the fight against attacks through the IT industry’s efforts to improve the quality of software,” said Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force.

“In response, attackers continue to evolve their techniques to find new avenues into an organisation. As long as attackers profit from cyber crime, organisations should remain diligent in prioritising and addressing their vulnerabilities.”

The report pointed to a 30pc decline in the availability of exploit code due to architectural and procedural changes made by software developers, making it more difficult for hackers.

The report also pointed to a 50pc reduction in cross site scripting (XSS) due to improvements in software quality. However, XSS vulnerabilities still exist in 40pc of the applications IBM scans.

The 50pc decline in spam IBM attributed to the takedown of several large spam botnets.

Despite improvements, the IBM report said there has been a rise in new attack trends and an increase in external security breaches.

As the use of SQL injection attacks against web applications falls 46pc, the researchers noted an increase in shell command injection vulnerabilities instead that allow hackers to execute commands directly on a web server.

New attack patterns

The rise in bring your own device (BYOD) policies in the enterprise is being accompanied by a focused and determined 19pc increase in attacks on mobile devices.

Many of these devices have unpatched vulnerabilities to publicly released exploits.

Attackers are also driving sophisticated attacks on social media sites aimed at gathering personal and professional information. Tactics focus on pre-attack intelligence gathering for the infiltration of public and private-sector computing networks.

As cloud computing goes mainstream, there were many high-profile breaches affecting well-known organisations and large populations of their users – such as the attack on Sony’s PlayStation Network.

IBM’s X-Force researchers urge IT security staff to carefully consider which workloads they send to third-party cloud providers and what should be kept in-house.

“Many cloud customers using a service worry about the security of the technology. Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer’s control,” said Ryan Berg, IBM Security Cloud Strategist.

“They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload.”  

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com