In-Depth

Reported Drop in Security Threats Masks Their Severity

The number of new vulnerabilities disclosed by researchers actually declined in 2007 -- the first time that’s happened since 2003 -- but it’s not all good news.

• By Stephen Swoyer
• 02/12/2008

At first glance it might seem that IT security jobs will be getting easier. According to security researcher (and IBM subsidiary) Internet Security Systems (ISS), the number of new vulnerabilities disclosed by researchers actually declined in 2007.

ISS’ research buttresses similar findings from Microsoft Corp., which -- in its January-June 2007 Microsoft Intelligence Report (published in October of last year) -- cited a similar decline in security vulnerabilities, the first such decline since 2003.

ISS says the number of new vulnerability disclosures dropped by 5.4 percent in 2007. Researchers were quick to qualify this finding, however, stressing that the drop could be the result of an anomaly or statistical correction.

ISS researchers report that last year it saw none of the double-digit growth in new vulnerability disclosures that characterized both 2005 and 2006. As researcher Kris Lamb wrote on the ISS X-Force team blog, citing data from ISS’ X-Force 2007 Trends Statistics Report, “2005 and 2006 saw large spikes in vulnerability growth [of approximately 41 percent each year] that were well above the X-Force Database historical average [i.e., 27 percent a year].”

Although the decline in vulnerability disclosures is encouraging relative to the double-digit spikes of 2005 and 2006, it fell far short of another historical precedent. “The 5.4 percent decline in 2007 could simply be a statistical correction to the growth in vulnerabilities in 2005 and 2006,” Lamb indicates. “Although the number of disclosures dipped in 2007, the drop [i.e., 5.4 percent] is less dramatic than the decrease in vulnerability growth witnessed between 2002 and 2003.”

There’s a further wrinkle here. Even though the overall number of vulnerabilities declined, the number of high-priority vulnerabilities rose sharply, growing 28 percent. One explanation for this, Lamb suggests, is that “Researchers could simply be focusing on the sometimes more difficult, high-priority finds.”

This finding also dovetails with Microsoft’s own research. “Disclosures of High severity vulnerabilities across the industry continue to increase, while the growth of Low and Medium severity issues appears to be slowing,” the Microsoft report observes. “The latter point is a trend reversal from recent years and suggests there is a wider set of targets for malicious attackers.”