IBM released its X-Force 2010 Mid-Year Trend and Risk Report today, which showed record threat levels in almost every area.
Web vulnerabilities lead the way, representing more than half of the 4,396 publicly disclosed vulnerabilities documented by the X-Force Research & Development team in the first half of 2010. This represents a 36 percent increase over the same time period last year, with 55 percent of the disclosed vulnerabilities having no vendor-supplied patch at the end of the period.
Keep in mind that these figures don’t include custom-developed Web applications, which can also contain vulnerabilities.
On the positive side, the report noted that organizations were doing more to identify and disclose security vulnerabilities than in the past, helping to drive more open collaboration to identify and eliminate vulnerabilities before cyber criminals can exploit them.
Microsoft and Adobe’s collaboration to facilitate advanced information sharing on vulnerabilities via its Microsoft Active Protections Program (MAPP) is a good example of such progress. MAPP is a collaborative effort involving 65 global members that facilitates the sharing of product vulnerabilities with security software providers.
“This year’s X-Force report reveals that although threats are on the rise, the industry as a whole is getting much more vigilant about reporting vulnerabilities. This underscores the increased focus among our clients to continue looking for security solutions that help them better manage risk and ensure their IT infrastructure is secure by design,” said Steve Robinson, general manager, IBM Security Solutions.
The report noted that hidden attack methods grew in volume and complexity, with JavaScript being a major avenue of attack. Attackers are using sophisticated means to penetrate networks without being detected by traditional security tools. JavaScript obfuscation has been a popular technique used by all classes of cybercriminals to hide their exploits within document files and Web pages. IBM detected a 52 percent increase in obfuscated attacks during the first half of 2010 versus the same period in 2009.
PDF exploits continue to soar as attackers trick users in new ways. The widespread use of PDF-based exploits spiked during the first half of 2009, capturing three of the top five slots for browser exploits used in the wild since.
Another Positive trend! Phishing activity declined significantly during the period, with the first half of 2010 seeing a fraction of the phishing attacks that were seen at the peak in 2009, a decline of almost 82 percent.
The decline in phishing during the period is possibly a result of Avalanche, a notorious cybercrime gang, at one time responsible for two-thirds of all phishing attacks, discontinuing its phishing endeavors in favor of using malware.
Financial institutions are still the number one phishing target, representing about 49 percent of all phishing emails, while credit cards, governmental organizations, online payment institutions and auctions represent the majority of other targets.
Looking into the future, the X-Force Research and Development team has identified some key trends to watch for in the future, including:
Cloud Computing — As an emerging technology, security concerns remain a hurdle for organizations looking to adopt cloud computing.
Virtualization – X-Force’s vulnerability data shows that 35 percent of vulnerabilities impacting server class virtualization systems affect the hypervisor, which means that an attacker with control of one virtual system may be able to manipulate other systems on the same machine.
The IBM X-Force Report comes from IBM’s X-Force team, which gathers facts from numerous intelligence sources, including its database of over 50,000 computer security vulnerabilities, millions of intrusion events monitored on tens of thousands of managed network sensors deployed on customer networks throughout the world, its global Web crawler and its international spam collectors.
To read more from the IBM X-Force Team, visit: www.ibm.com/security/x-force