IBM Declares 2011 "Year of the Security Breach"
If you're wondering when malware will become a real problem for mobile devices, your wait is over. So says Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force.
According to IBM's new X-Force 2011 Mid-Year Trend and Risk Report, Big Blue predicts that by the end of 2011, the number of exploits will be double what it was in 2010. A key target: mobile devices.
The X-Force team says many mobile phone vendors don't issue security updates quickly enough. Mobile devices are an increasingly popular target simply because of the incredible size of the market, and the team notes that mobile computing threats are enabled, in part, through malware distributed using third-party app sites. Some of this malware collects users’ personal information, which can be used for identity theft or for phishing attacks. Other malware can spy on users' personal communications or track physical movements using GPS features built into their devices.
Speaking of phishing, the report uses a term new to me -- whaling -- to describe "a type of spear phishing which targets 'big fish' or those positioned in high levels of an organization with access to critical data." Forget sending messages to everyone hoping to play the law of averages to be successful. Whaling attacks are "often launched after careful study of a person's online profiles" that give attackers the information they need to be successful. Through a combination of "stealth, sophisticated technical capabilities, and careful planning," teams of professional hackers are collecting the information they need to access critical network resources.
There are some bright spots in the X-Force report. For instance, in the first half of this year, Web application vulnerabilities dropped from 49 percent of all vulnerability disclosures to just 37 percent -- a first in the five years the team has been tracking such data. Also encouraging: "High and critical vulnerabilities in Web browsers were also at their lowest point since 2007" and spam volume has declined "significantly" through the first half of this year. To no one's surprise, when botnet operators are stopped, the number of spam messages drops and phishing attacks decline.
The biggest source of spam has moved to the Asia Pacific region; India accounts for 10 percent of all spam, with South Korea and Indonesia making it into the top five as well. That explains why IBM has opened a new IBM Institute for Advanced Security in the region (joining existing Institutes in Brussels, Belgium and Washington, D.C.).
Financial gain is a key driver, but increasingly attacks are done for political reasons. The X-Force team says "hacktivist" groups are using well-known techniques such as SQL injection against Web sites. Also highlighted in the report: a tripling in the number of anonymous proxies in the last three years.
What isn't new: some of the techniques hackers use. For example, attacks on weak passwords are still a popular approach, as are SQL injection attacks. Exploitation of JavaScript is still successful; of the nearly 700 Fortune 500 and other company Web sites IBM tested, 40 percent contain client-side JavaScript vulnerabilities.
The report warns that "Although we understand how to defend against many of these attacks on a technical level, organizations don't always have the cross-company operational practices in place to protect themselves."
As the "eyes and ears of thousands of IBM clients", the X-Force team gathers security intelligence using public disclosures and its own monitoring of 12 billion daily security events. The full report is available at no cost here (though a short registration is required).
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 10/03/2011