IBM Trend and Risk Report offers industry-leading insight at no cost
No field changes as fast as IT—and within IT, few domains change as fast as security. Staying on top of this incredibly dynamic area is simultaneously very important and very difficult.
That’s why the IBM X-Force Trend and Risk Reports—released twice per year—are so compelling. For anyone interested in minimizing the odds of a breach and the business consequences that can follow, these reports offer the latest information on emerging security threats, best practices, specific vulnerabilities, and many related topics.
Included is detailed, quantified analysis of just how attacks and attackers have evolved over the last six months, as well as the best available guidance on how to respond. (And, naturally, this insight also continually informs IBM's own security solutions and services, as utilized by thousands of IT operations and IT development groups around the world.)
If you'd like to come up to speed on all of these subjects, just download the latest report. You'll soon find that forewarned is forearmed—and your organization will be the direct beneficiary of your time.
A changing world demands a new approach to security
While certain security threats like spam and phishing are in decline, overall vulnerabilities are on the rise. Partly, this is due to the way IT infrastructures themselves have changed. For example, as the fixed perimeter of corporate networks becomes instead a roving group of endpoints such as smart mobile devices like phones and tablets, security managers will have to find new strategies to minimize the added risk.
"The complete ecosystem of security—spanning both human and technological dimensions—needs to become smarter and more sophisticated to keep pace with new developments and new attacks."
Services and applications are also more cross-linked—both within and across organizations—than ever. This means that cascade effects, in which a breach of “A” can theoretically lead to a breach of “B-Z” as well, are more likely to occur, demanding special effort to recognize and mitigate such situations as much as possible.
In much the same way, users today need to play a more thoughtful, engaged role in security, taking into account how their personal data is increasingly exposed (or can be exposed) online, often via social networking services, and what the consequences might be. Similarly important: creating strong and unique passwords for each account, and understanding the reset processes used by different services so that attackers can’t simply change the password to something else.
In short, the complete ecosystem of security—spanning both human and technological dimensions—needs to become smarter and more sophisticated to keep pace with new developments and new attacks.
Malware and the malicious Web
This is particularly clear when you consider how something as simple as news headlines can be used to create security breaches. As attackers become aware that end users are conducting searches on new hot topics (e.g. Olympics, Mayan prophecy, 2012 elections), they can leverage that knowledge by drawing more attention and traffic to malicious Web sites. This works very simply: by pre-loading them with meta-text on such subjects.
This same approach can work in miniature to create a targeted advanced persistent threat (APT); if an attacker is very familiar with an individual or organization's special interests, a special malicious site can be created for exactly that audience.
Cross-site scripting, historically a favorite among attackers, continues to be widely utilized—often, these days, in order to compromise a trusted site via a special URL. Using this approach, it's actually possible to achieve complete control of end user computers. And matters get worse when you realize how cross-site scripting can be augmented via SQL injection, perhaps the most common of all Internet attacks, to multiply the effect of the exploit.
The success of Apple as an endpoint solution provider has also led to predictable security consequences. Today's Macs, running OS X, have become increasingly attractive targets to malware developers. The result? Mac-specific APTs and malware, one example being the widely reported Flashback Trojan horse. Macs are also susceptible to Java exploits, because Java's cross-platform execution means attackers can create code that will run on any Java-capable OS (whether OS X, Windows, Linux, or other platforms).
Web content, spam, and phishing tactics
One measure of malicious Web content is, of course, anonymous proxy registrations—and 2012 has witnessed three times as many registrations as in past years, the majority originating in New Zealand.
On the other hand, the United States is the world's leading source of malicious Web links (more than 43 percent), with Germany and Russia far behind (under 10 percent each), and China falling to fourth place. Nearly half of such links exist on sites dedicated to pornography or gambling.
Spam continues to evolve; these days, in contrast to previous years, it quite often utilizes large messages, possibly in an attempt to evade detection. India, Vietnam, and the U.S. are the top three source nations for spam.
And phishing, similarly, has gone through rapid changes, not all of which are readily explained. In the first half of 2012, roughly two-thirds of phishing e-mails targeted nonprofit organizations, but that has since fallen to seven percent—and many of those e-mails don't link directly to a site known to involve a traditional phishing attack.
Vulnerabilities and exploits
IBM has witnessed a decline in the number of "true" exploits that can actually attack a computer, estimating that less than 10 percent of all vulnerabilities fall into this class. Similarly, PDF-based vulnerabilities are far down compared to previous years, likely due to changes in Adobe's security design.
Vulnerability patches at the top 10 vendors are up—in fact, almost 95 percent of their disclosed vulnerabilities can be patched—but this isn't true of the larger software community. As a result, just under half of all vulnerabilities disclosed in 2012 remain unpatched.
Mobile malware and enterprise best practices
Smart phones and tablets, due to their increasing popularity, are increasingly used by the workforce for business purposes even though they were often never purchased or configured by the organization with security in mind.
Fortunately, this situation hasn't resulted in as many new exploits as you might imagine. The X-Force team reports that mobile vulnerabilities and exploits are both down to levels not seen since 2008, due to the increasing focus on security by operating system providers as well as the growing awareness by organizations that this is an area demanding special attention. Though specialized malware does exist, the most common form of attack remains SMS scams, typically orchestrated via insecure applications installed by the user.
For this reason, the X-Force team recommends that organizations consider creating a formal bring-your-own-device policy that addresses just how, and to what extent, user-owned mobile devices can access organizational services and data.
Also potentially helpful: an in-house, IT-controlled application store that offers pre-verified, trusted applications to users. One solution capable of creating such a store is IBM Endpoint Manager for Mobile Devices.
Pulse 2013 Call for Speakers is now open!
Did you know clients who present at Pulse may receive free admission? Submit your proposal today!
Speak at Pulse
Leverage and contribute to the collective wisdom around Tivoli