Key highlights in the IBM X-Force 2011 Trend & Risk Report

Posted by Leslie Horacek on March 22, 2012 at 4:59 AM EDT.

Today we announced the IBM X-Force Trend & Risk report for the year end 2011. 

While some positive trends and improvements have emerged, attacker’s methods continue to adapt. 

This is the first report under the new IBM Security Systems division. As such, we are pooling together data and intelligence from many of the IBM Security organizations like Q1 Labs, IBM AppScan OnDemand services, GTS Emergency Response Services, Identity and Access Management solutions, Cloud Strategy, CIO’s office, Infosphere Guardium, Managed Security Services and the X-Force Research and Development team.

2011 was a landmark year for IT security. If you remember, at the mid-year reporting we began discussing the frequent reports of data leaks, DoS attacks, and social Hacktivism. These daily headline incidents were so pervasive in both frequency and scope that IBM X-Force declared 2011 the “year of the security breach”. Things didn’t change much by year end. This attack activity persisted. Enterprises around the world continue to face tremendous challenges running their businesses and protecting their assets in an increasingly connected world.

But as this report’s data shows, a somewhat contradictory course is unfolding: just as attackers came on in full force in 2011, so too did improvements in computer security, as companies began embracing better practices.

Here are highlights on some of those improvements:

Thirty percent decline in the availability of exploit code
When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30 percent fewer exploits were released in 2011 than were seen on average over the past four years. This improvement can be attributed to architectural and procedural changes made by software developers that help make it more difficult for attackers to successfully exploit vulnerabilities.


Decrease in unpatched security vulnerabilities
When security vulnerabilities are publicly disclosed, it is important that the responsible software vendor provide a patch or fix in a timely fashion. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years. In 2011 this number was down to 36 percent from 43 percent in 2010.


Decline in spam
IBM’s global spam email monitoring network has seen about half the volume of spam email in 2011 that was seen in 2010. Some of this decline can be attributed to the take-down of several large spam botnets, which hindered spammers’ ability to send emails. X-Force has been observing spam’s evolution through several generations over the past seven years as spam filtering technology has improved, and spammers have adapted their techniques in order to successfully reach targets.


Fifty percent reduction in cross site scripting (XSS) vulnerabilities due to improvements in software quality
The IBM X-Force team is seeing significant improvement in the quality of software produced by organizations that use tools like IBM AppScan OnDemand service to analyze, find, and fix vulnerabilities in their code. IBM found XSS vulnerabilities are half as likely to exist in customers' software as they were four years ago. However, XSS vulnerabilities still appear in about 40 percent of the applications IBM scans. This is still high for something well understood and able to be addressed.
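The fix for reflected XSS is as well understood as the report says: encode untrusted data for the context it lands in. The following is an added illustration, not code from the X-Force report or from AppScan; the page template, the search-term input and the helper names are all constructed here. It shows the raw-interpolation sink next to the escaped form, and one caveat practitioners trip over: HTML escaping alone does not make a user-supplied URL safe inside an href.

```python
import html
from urllib.parse import quote

# Constructed sample input: a search term as a user might submit it, carrying a script tag.
HOSTILE_INPUT = '<script>alert(1)</script>'


def render_vulnerable(term: str) -> str:
    """Reflects the user's term into the page untouched: the classic reflected-XSS sink."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Escapes the term for an HTML text/attribute context before interpolation."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_link_hardened(term: str) -> str:
    """The same term placed in a query string: URL-encode first, then HTML-escape,
    because the value passes through two parsers (URL, then HTML)."""
    encoded = quote(term, safe="")
    return f'<a href="/search?q={html.escape(encoded, quote=True)}">search again</a>'


def safe_href(url: str) -> str:
    """Escaping does not neutralise a 'javascript:' URL, since it contains no
    HTML metacharacters. Allow only http(s) and site-relative paths; fall back to '#'."""
    lowered = url.strip().lower()
    if lowered.startswith(("http://", "https://", "/")):
        return html.escape(url, quote=True)
    return "#"


def contains_live_script(markup: str) -> bool:
    """Crude check used only for this demonstration: is a raw <script tag present?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(HOSTILE_INPUT))
    print(render_hardened(HOSTILE_INPUT))
    print(render_link_hardened(HOSTILE_INPUT))
    print(safe_href("javascript:alert(1)"))
```

The point of the last two helpers is that "escape it" is context dependent: the text-node, attribute, URL and JavaScript contexts each need their own encoding, and a scanner such as the one the report describes is largely checking that the right encoding was applied at each sink.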


So with all the good news this year for improvements with computer security, how has it been a landmark year?

Unfortunately, sophisticated attackers began adapting their techniques in response to these improvements.

We have observed that SQL injection continues to be a choice point of entry for attackers. Automated SQL injection attacks like LizaMoon are successfully scanning the Internet and exploiting vulnerable hosts. These SQL injection attacks have been common for a long time and still persist today.
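The automated attacks the report refers to succeed against one specific coding pattern: user input spliced into SQL text. As an added example (not from the report, and not describing LizaMoon's own payloads), here is that pattern beside the parameterised form, run against a constructed in-memory SQLite table; the probe string, table and helper names are all invented for the illustration.

```python
import sqlite3

# Constructed probe of the kind automated SQL injection scanners send; nothing here
# touches a real database.
PROBE = "nobody' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The sink: user input spliced into the statement text. A single quote in the
    input closes the string literal and the remainder is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    statement, so quotes in the input are just characters in a string."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def looks_like_injection_probe(value: str) -> bool:
    """Cheap log-review heuristic (an assumption of this example, not a report
    finding): a quote followed by a boolean tautology or a comment marker.
    Expect false positives on legitimate apostrophes; use it to triage, not to block."""
    lowered = value.lower()
    return "'" in lowered and (" or " in lowered or "--" in lowered or "/*" in lowered)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", find_user_vulnerable(db, PROBE))   # every row comes back
    print("hardened:  ", find_user_hardened(db, PROBE))     # no such user
```

The vulnerable query returns every row because the tautology turns the WHERE clause into `username = 'nobody' OR '1'='1'`; the parameterised version looks for a user literally named `nobody' OR '1'='1` and finds none. Mass-scanning tools rely on exactly that difference, which is why the fix is a code pattern rather than input filtering.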


X-Force witnessed several new attack trends towards the end of 2011 including 2 to 3 times more Shell Command Injection attack activity than was seen earlier in the year. Shell Command Injection vulnerabilities allow attackers to execute command-line instructions to gain control of a web server. With complete control over the content of the website, attackers then have the ability to modify the site so that visitors are redirected to exploits that install malware on their machines. Or, attackers can use the compromised web servers to act as a jump pad from which they can further target other systems and networks.
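Shell command injection has the same shape as SQL injection, with the shell's metacharacters in place of the quote. The example below is added here and is not from the report; the "greeting" tool, the allow-list pattern and the hostile value are constructed for the demonstration. It shows a shell=True concatenation sink, the argv-list form that never hands the input to a shell, and an allow-list check for the one parameter the tool accepts.

```python
import re
import subprocess

# Allow-list for the single parameter this tool accepts (assumption: a DNS-style name).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Constructed hostile input: a valid-looking value with a shell command appended.
HOSTILE = "example.test; echo INJECTED"


def greet_vulnerable(name: str) -> str:
    """Builds a command line by string concatenation and runs it through /bin/sh:
    the injection sink. Anything after ';' in the input runs as its own command."""
    result = subprocess.run("echo hello " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def greet_argv_only(name: str) -> str:
    """No shell at all: argv goes straight to the program, so ';' is just a byte
    in the argument. This alone removes the injection, even without validation."""
    result = subprocess.run(["echo", "hello", name], capture_output=True, text=True)
    return result.stdout


def greet_hardened(name: str) -> str:
    """Defence in depth: reject anything outside the allow-list, then use argv."""
    if not NAME_RE.match(name):
        raise ValueError(f"rejected parameter: {name!r}")
    return greet_argv_only(name)


def hardened_accepts(name: str) -> bool:
    """Convenience wrapper so callers can ask 'would this value be accepted?'."""
    try:
        greet_hardened(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(repr(greet_vulnerable(HOSTILE)))   # two lines: the greeting, then INJECTED
    print(repr(greet_argv_only(HOSTILE)))    # one line, ';' printed literally
    print(hardened_accepts(HOSTILE), hardened_accepts("example.test"))
```

The web-server compromises the report describes follow from the first function's behaviour: whoever controls the parameter controls what the server runs as the web service's user. The argv form is the fix; the allow-list is what turns a silent oddity into a logged rejection that a SOC can alert on.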


Spike in automated password guessing
Poor passwords and password policies have played a role in a number of high-profile breaches during 2011. There is also a lot of automated attack activity on the Internet in which attackers scan the net for systems with weak login passwords. IBM observed a large spike in this sort of password guessing activity directed at secure shell (SSH) servers in the latter half of 2011.
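The guessing activity the report describes leaves a very recognisable trail in sshd's log. As an added example (not from the report, and not an X-Force tool), the following parses OpenSSH "Failed password" lines and flags any source that produces a burst of failures inside a short window. The log lines are constructed for the illustration, the year is assumed (syslog omits it), and the threshold and window are arbitrary defaults a site would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format; the addresses are documentation ranges.
SAMPLE_LOG = """\
Nov  3 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 50000 ssh2
Nov  3 10:00:04 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Nov  3 10:00:07 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 50002 ssh2
Nov  3 10:00:11 web1 sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 50003 ssh2
Nov  3 10:00:15 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 50004 ssh2
Nov  3 10:00:19 web1 sshd[2106]: Failed password for invalid user admin from 203.0.113.5 port 50005 ssh2
Nov  3 10:02:00 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Nov  3 10:02:30 web1 sshd[2121]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Nov  3 10:10:00 web1 sshd[2130]: Failed password for bob from 192.0.2.9 port 41000 ssh2
Nov  3 10:20:00 web1 sshd[2131]: Failed password for bob from 192.0.2.9 port 41001 ssh2
Nov  3 10:30:00 web1 sshd[2132]: Failed password for bob from 192.0.2.9 port 41002 ssh2
"""

# Assumed year, because the syslog timestamp carries none.
LOG_YEAR = 2011

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text: str) -> list:
    """Returns (timestamp, source_ip, username) for each failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_guessing_sources(events: list, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Sliding window per source: reports the densest burst of failures for any IP
    that reaches `threshold` failures within `window_seconds`, with the usernames tried.
    A wide spread of usernames from one address is the signature of credential guessing
    rather than a user mistyping a password."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        best, best_users, start = 0, set(), 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = {u for _, u in items[start:end + 1]}
        if best >= threshold:
            flagged[ip] = (best, sorted(best_users))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_guessing_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failures within 60s, usernames tried: {users}")
```

Note that a slow, distributed campaign deliberately stays under such a window. The controls that close the gap are the ones the report implies: strong or key-based authentication, so that guessing cannot succeed regardless of how the attempts are spread out.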


Increase in phishing attacks that impersonate social networking sites and mail parcel services
The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven’t been seen since 2008. Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites.


Emerging Technologies Create New Avenues for Attacks
New technologies such as mobile and cloud computing continue to create challenges for enterprise security.

X-Force reported a 19 percent increase over the prior year in the number of exploits publicly released that can be used to target mobile devices. There are many mobile devices in consumers' hands that have unpatched vulnerabilities to publicly released exploits, creating an opportunity for attackers. IT managers should be prepared to address this growing risk.


Other areas of the report that are worth checking out:

  • Social media is no longer a fringe pastime - With the widespread adoption of social media platforms and social technologies, this area has become a target of attacker activity. IBM X-Force observed a surge in phishing emails impersonating social media sites. More sophisticated attackers have also taken notice. The amount of information people are offering in social networks about their personal and professional lives has begun to play a role in pre-attack intelligence gathering for the infiltration of public and private sector computing networks.

  • Cloud computing presents new challenges - Cloud computing is moving rapidly from emerging to mainstream technology, and rapid growth is anticipated through the end of 2013. In 2011, there were many high profile cloud breaches affecting well-known organizations and large populations of their customers. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data. Cloud security requires foresight on the part of the customer as well as flexibility and skills on the part of the cloud provider.

We encourage readers to not only check out the highlights listed here, but read the full report for contributions from our colleagues.

To view the full X-Force 2011 Trend and Risk Report and to watch the video please visit www-03.ibm.com/security/xforce/


March 2012 Microsoft Super Tuesday

Posted by Shane Garrett on March 13, 2012 at 1:40 PM EDT.

March was a light month for updates from Microsoft. Even so, there were three issues that are remotely exploitable that deserve special attention.

  • MS12-020 : Vulnerabilities in Remote Desktop Could Allow Remote Code Execution

    Two CVEs were addressed in the Critical update to Remote Desktop/Terminal Services. This update should definitely be applied, especially if you have RDP enabled for machines that are directly accessible via the Internet.
    CVE-2012-0002 covers a vulnerability that affects all versions of Windows and could be exploited for denial of service or remote code execution. Specially crafted RDP packets can be sent to the server causing a use-after-free situation. The vulnerable code is in a driver so this can lead to a bugcheck or possibly code execution in the context of the kernel. If Network Level Authentication is enabled in Windows 7 and 2008 environments then the attacker would need valid credentials, otherwise this attack can be performed unauthenticated.
    CVE-2012-0152 covers a denial of service vulnerability that affects the Terminal Server services on Windows 7 and 2008. An attacker using readily available tools can cause the service to stop responding due to a flaw in how the service handles connections.

  • MS12-017 : Vulnerability in DNS Server Could Allow Denial of Service

    This bulletin covers a privately reported vulnerability in the DNS Server software in Microsoft Windows 2003 and 2008, x86 and x64 versions. A memory leak exists when handling certain types of DNS query responses that can lead to the DNS Server process using a large amount of memory. The memory exhaustion can cause system performance issues as well as causing the DNS Server process to stop responding. Fortunately, the DNS Server can often recover from a memory exhaustion scenario by restarting. If you are using Windows as a DNS server it's recommended to apply this update.
