“Early in 2011, IBM X-Force declared it the year of the security breach. Enterprises both large and small were targeted. In 2012, the trend has continued…. At the mid-year point in 2012 we see an upward trend in overall vulnerabilities, with a possibility of an all-time high by year end.”
This is the cautionary observation made in IBM’s X-Force 2012 Mid-Year Trend and Risk Report, based on data collected from IBM’s security operations centers, which monitor more than 15 billion security events a day on behalf of approximately 4,000 clients in more than 130 countries.
“In the first half of 2012, we reported just over 4,400 new security vulnerabilities,” the report states. “If this trend continues throughout the rest of the year, the total projected vulnerabilities would be slightly more than the record we saw in 2010 approaching 9,000 total vulnerabilities.”
SQL injection — in which databases are directly attacked with unauthorized scripting — continues to reign as the top attack technique. In addition, attackers this year seem to be taking advantage of cross-site scripting vulnerabilities for web applications. Over 51% of all web application vulnerabilities reported so far in 2012 are now categorized as cross-site scripting.
Web and social media passwords continue to pose the greatest security threats to both enterprises and consumers. And now, the “bring your own device” (BYOD) trend is beginning to raise security risks within organizations.
BYOD — in which people are bringing their own smartphones, laptops and other devices into the workplace — is adding an entire new dimension to the corporate security challenge, the report states. There aren’t enough policies in force to manage the flood of devices now being used, and many companies are “still in their infancy” in adapting policies for BYOD. The threat is internal; as data could walk out the door in an employee’s device, opening it up for abuse of risk of theft.
The fragmented nature of the mobile market, along with multiple operating systems to be monitored and supported, also poses a growing risk for enterprises. “The one constant we have seen in the mobile security landscape is the compromise of nearly every mobile operating system at every released version. In fact, often new release versions are jail broken or rooted within days or even hours of their release. This is a consistent statement across nearly all mobile operating systems.”
For mobile devices in general, “the primary mobile security risks are with fake or rogue applications that cost the end user or business money through premium SMS messages.”
While seamless connectivity is a good thing, organizations need to take that extra step to ensure using these devices is also a secure experience. “The connection between websites, cloud-based services, and webmail provides a seamless experience from device to device, but users should be cautious about how these accounts are connected, the security of their password, and what private data has been provided for password recovery or account resetting. X-Force recommends the use of a lengthy password comprised of multiple words instead of an awkward combination of characters, numbers and symbols.”
Since the last X-Force Trend and Risk Report issued earlier this year, there has been an increase in malware and malicious web activities, the study also finds. *A continuing trend for attackers is to target individuals by directing them to a trusted URL or site which has been injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. The websites of many well-established and trustworthy organizations are still susceptible to these types of threats.”
Even Apple Macs — which have long enjoyed relative peace due to a low market share — are no longer exempt from security issues. With their growing rate of success, Macs, too, have become targets. “As the user base of the Mac operating system continues to grow worldwide, it is increasingly becoming a target of Advanced Persistent Threats (APTs) and exploits, rivaling those usually seen targeting the Windows platform,” the report states.
On the server-side, X-Force recommends encrypting passwords to the database using a hash function that is suitable for password storage. The hash function should be difficult to calculate, which helps limit the effectiveness of attacks.
Now, the good news: There has been “a continuing decline in exploit releases, improvements from the top ten vendors on patching vulnerabilities and a significant decrease in the area of portable document format (PDF) vulnerabilities,” the report states.
In addition, the study finds, spam and phishing levels remain low, thanks to the take-down of botnets in 2011. “As recently as July 2012, we witnessed yet another botnet take down with the removal of Grum,” the report adds. “The data clearly demonstrates declines from this activity.”
The adoption of IPv6 technology is also a positive trend, but with a caveat. “Currently, enterprises and governments taking advantage of IPv6 find less malicious activity occurring, although we don’t know when attackers will decide to adopt IPv6 technology,” the report says.
By Joe McKendrick