...Continued from page 3

critical national infrastructure. It looked at what the key considerations are in this context, how safe such infrastructure is today and where there are holes. In the feature, Everett also examined whether existing governance models are adequate and how important risk management is in this context.

Cath Everett, award-winning journalist.

IBM finds new and old threats

IBM's new 'X-Force 2011 Mid-year Trend and Risk Report' has highlighted a number of emerging threats, including an increase in mobile vulnerabilities and the new phenomenon of 'whaling' – a version of spear-phishing performed on high-value and high-profile targets.

The company has also announced that it is opening the Institute for Advanced Security for Asia Pacific, which joins the existing IBM Institutes in North America and Europe. The report is based on intelligence gathered through IBM's research of public vulnerability disclosures, as well as the monitoring and analysis of an average of 12 billion security events a day since the beginning of 2011. The firm says it has seen a steady rise in security vulnerabilities related to consumer devices such as smartphones, and it predicts that 2011 will see twice the number of mobile exploit releases that occurred in 2010. Mobile phones have become a very attractive target for malware writers because of the sheer size of the user base and the speed at which it is growing. IBM specifically highlights malware that sends SMS messages to premium-rate services, and other malicious programs that gather user information for phishing attacks or identity theft.

The proportion of vulnerabilities that X-Force characterises as critical has tripled so far in 2011, and IBM is declaring 2011 the "Year of the Security Breach" because of the large number of high-profile attacks and network compromises. Notable emerging threats include:

• Teams of professional attackers motivated by a desire to collect strategic intelligence using multiple methods – so-called Advanced Persistent Threats (APTs).
• The rise of 'whaling', a type of spear-phishing that targets 'big fish' – people at high levels of an organisation with access to critical data.
• Attacks from 'hacktivist' groups, who target websites and computer networks for political ends rather than just financial gain.
• A quadrupling of the number of anonymous proxies compared with three years ago.

The report also uncovered some improvements in computer security that show headway in the fight against crime on the Internet. The first half of 2011 saw an unexpected decrease in web application vulnerabilities, from 49% of all vulnerability disclosures down to 37%, the first decrease X-Force has seen in five years. High and critical vulnerabilities in web browsers were also at their lowest point since 2007. And spam has declined as major botnet operators are taken offline.

However, many old vulnerabilities remain. According to the report, attacks on weak passwords are commonplace on the Internet, as are attacks that leverage SQL injection vulnerabilities in web applications to compromise backend databases. Databases have become an important target for attackers because they contain data that is critical to the organisation: financial/ERP, customer, employee and intellectual property information. IBM researchers tested nearly 700 websites and found that 40% contain client-side JavaScript vulnerabilities.
The report is available here: .
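The SQL injection weakness the report singles out as an "old vulnerability", shown as an added example rather than code from IBM or the X-Force report: a login query built by string formatting, beside the same query with bound parameters, both run against a constructed in-memory SQLite table. The table contents, the user name and the bypass string are illustrative assumptions.

```python
import sqlite3

# Constructed example data; not taken from the X-Force report.
# The password is stored in clear only so the injection point stays
# visible. A real system stores a salted hash, never the password itself.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Attacker-controlled strings are spliced into the SQL text, so a
    # quote in the input changes the structure of the query.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    # Placeholders: the driver binds the inputs as data, and the SQL
    # structure is fixed before any user input is seen.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Classic authentication-bypass payload (assumed attacker input).
BYPASS = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        # vulnerable query: WHERE ... AND password = '' OR '1'='1' is true
        "vulnerable_bypass": login_vulnerable(conn, "alice", BYPASS),
        # hardened query: the payload is compared as a literal password
        "hardened_bypass": login_hardened(conn, "alice", BYPASS),
        # hardened query still accepts the genuine credential
        "hardened_real": login_hardened(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The payload works against the first function because the single quote closes the password literal and the appended OR '1'='1' makes the WHERE clause true for every row; against the parameterised query the same bytes are compared as a password value and match nothing.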

Calendar

2–3 November 2011 RSA Conference China 2011 Beijing, China Website: www.rsaconference.com/events.htm

3 November 2011 HouSecCon2011 Houston, Texas, US Website: http://houstonseccon.com

10–11 November 2011 6th Annual Data Protection Practical Compliance Conference Dublin, Ireland Website: www.pdp.ie/conference

11–19 November 2011 SANS Sydney 2011 Sydney, Australia Website: www.sans.org/info/78514

21–22 November 2011 Oil and Gas Cyber Security Forum London, UK Website: www.smi-online.co.uk/2011cyber-security1.asp

22–23 November 2011 Information Security Solutions Europe Management Prague, Czech Republic Website: http://www.isse.eu.com/

23–25 November 2011 International Conference on Communications, Information and Network Security Venice, Italy Website: www.waset.org/conferences/2011/Venice/iccins/

12–15 December 2011 Black Hat Abu Dhabi 2011 Abu Dhabi, UAE Website: www.blackhat.com

Computer Fraud & Security, October 2011