IBM Trend and Risk Report: New Threats, New Strategies

Get free, expert insight into some of today’s most pressing security challenges

Service Management in Action

The 2011 IBM X-Force Trend and Risk Report is available now! For security-conscious organizations—which is to say practically all organizations—this year’s report provides important information on:

IBM X-Force® Research and Development is one of the most renowned commercial security research and development groups in the world. The annual and mid-year Trend and Risk Report produced by IBM X-Force provides an assessment of the security landscape, designed to help readers better understand the latest security risks, and stay ahead of these threats. The report gathers facts from numerous intelligence sources, including its database of more than 50,000 computer security vulnerabilities, its global Web crawler and its international spam collectors, and the real-time monitoring of 13 billion events every day for nearly 4,000 clients in more than 130 countries. This is the result of the work done in IBM's nine global Security Operations Centers,

Truly a collaborative effort, this research includes contributions from the IBM X-Force Research & Development team, IBM Security Managed Services, IBM Professional Services, the IBM Security Content team, IBM Security AppScan OnDemand Managed Services, product teams from IBM Identity and Access Management, IBM Data and Information Security, IBM InfoSphere Guardium, and QRadar from Q1 Labs, an IBM company.

That's a tremendous value proposition... especially when you consider that the report is free. We encourage you to download and read it. You could come away with a much better understanding of the potential security risks your organization may face, as well as new challenges on the horizon.

New Attack Trends

"2011 was a remarkable year for IT security. By mid-year, in the midst of frequent reports of data leaks, DoS attacks, and social hacktivism, IBM X-Force declared 2011 “year of the security breach.” By the end of the year, the frequency and scope of these incidents have persisted, and continue to bring awareness to the basic tenets of operating a business and for protecting its assets in an increasingly connected world. The sheer number of high profile and highly public incidents throughout 2011 has been a catalyst for executives and business leaders to reevaluate the effectiveness of existing structures, policy, and technology in the enterprise."

What kinds of risks might those be? This year's report posits a clear answer to that question by singling out 2011 as the "year of the security breach." Going far beyond potential threats and theoretical security shortcomings, 2011 served as a proof of concept that security needs to become much more proactive, comprehensive, and integrated going forward.

For years, SQL injection attacks against Web applications have been a popular vector for attackers of all types. SQL injection vulnerabilities allow an attacker to manipulate the database behind a Web site. As progress has been made to close those vulnerabilities—the number of SQL injection vulnerabilities in publicly maintained Web applications dropped by 46 percent in 2011—some attackers have now started to target shell command injection vulnerabilities instead. These vulnerabilities allow the attacker to execute commands directly on a Web server.

Once control of the server has been achieved, the attacker can often modify it to manipulate the site's users—wherever they may be—by, for instance, arranging for the hidden download and installation of malware onto those users' systems. Since the site itself is typically seen as legitimate and trusted, and often widely trafficked, threats of this type have tremendous potential to create extraordinarily widespread damage.

Additionally, because servers are logically linked to other elements of the organization's IT infrastructure, they can in some cases serve as a stepping stone for further access. Thus, an inadequately-secured Web host represents a major threat both to the organization itself and the organization's clients, customers, and business partners—essentially, the entire ecosystem of organizations and individuals associated with the site. As shell command injection attacks rose by two to three times over the course of 2011, Web application developers should pay close attention to this increasingly popular attack vector.
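The difference between a shell command injection flaw and its fix, as an added example (not taken from the report or from IBM). It assumes a hypothetical request parameter holding a file name, with `echo` standing in for whatever utility the Web application runs on the server.

```python
import re
import subprocess

# Constructed inputs: an ordinary value and one carrying a shell metacharacter.
BENIGN = "report.txt"
TAINTED = "report.txt; echo INJECTED"

# Allow-list for the hypothetical file-name parameter. The first character
# excludes "-" and "." so the value cannot be read as a command-line option.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def run_unsafe(name: str) -> str:
    """Vulnerable: request data is concatenated into a string parsed by /bin/sh."""
    proc = subprocess.run("echo " + name, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def run_argv(name: str) -> str:
    """No shell: the value reaches the program as exactly one argument."""
    proc = subprocess.run(["echo", name], capture_output=True, text=True)
    return proc.stdout.strip()


def run_hardened(name: str) -> str:
    """Allow-list validation first, then execution without a shell."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected parameter: %r" % name)
    return run_argv(name)


if __name__ == "__main__":
    # The unsafe path yields two output lines: the shell ran a second command.
    print("unsafe  :", run_unsafe(TAINTED).splitlines())
    # The argv path echoes the whole value back as inert text.
    print("argv    :", run_argv(TAINTED))
    try:
        run_hardened(TAINTED)
    except ValueError as exc:
        print("hardened:", exc)
```

Passing an argument list removes the shell from the path entirely; the allow-list is a second layer that also rejects values the target program itself might misinterpret.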

To mitigate that threat, the X-Force team strongly recommends that Web servers be a primary focus of security strategies. In particular, the latest security patches should be applied; known vulnerabilities should be eliminated as rapidly as possible; and weak, static, or default passwords should be replaced with stronger, longer, and more dynamically changing passwords.

Now for the good news!

There is, however, positive news as well. When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Approximately 30 percent fewer exploits were released in 2011 than were seen on average over the past four years. This improvement can be attributed to architectural and procedural changes made by software developers that help make it more difficult for attackers to successfully exploit vulnerabilities. And that’s not all! Consider the following data points:

In short, the IT industry's best practices and increased collaboration in the pursuit of holistic security, through widely adopted measures such as application security analysis and testing, intrusion prevention techniques, end-point management, and security intelligence and event management, are having a measurably positive effect. And going forward, IBM's X-Force team expects that trend to continue.

New developments in cloud and mobile require a new outlook—and maybe new IT solutions

Also explored in the new Trend and Risk Report is the way IT security is evolving—or, at least, should evolve—in parallel with IT infrastructures as a whole. As service delivery platforms and user endpoint solutions both develop, organizations that utilize them will have to move rapidly to develop new best practices and strategies that match the change they are experiencing.

In the case of cloud architectures, for instance, there is a long-running discussion concerning how best to secure the environment, due to the fact that clouds are incredibly dynamic, deeply virtualized, and extensively integrated across services and resources. The 2011 Trend and Risk Report takes the position that doing so will require a new outlook on security, and new strategies as a result.

What does that mean? While organizations' security focus has historically been on the technology itself, in a cloud context a more holistic perspective is needed—one that applies not just to the technology of the cloud per se, but also to the total security posture of cloud-based services over their complete lifecycle.

In particular, it will be essential to consider matters from the standpoint of workloads. IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data. Cloud security requires foresight on the part of the customer as well as flexibility and skills on the part of the cloud provider. The IBM X-Force report notes that the most effective means for managing security in the cloud may be through Service Level Agreements (SLAs) because of the limited influence that an organization can exercise over the cloud computing service. Therefore, careful consideration should be given to ownership, access management, governance, and termination when crafting SLAs. The IBM X-Force report encourages cloud customers to take a lifecycle view of the cloud deployment and fully consider the impact on their overall information security posture.

Another area of considerable change and impact on organizational security is mobile device access. While devices like tablets and browser-equipped smart phones have become incredibly popular incredibly fast, they are not always as fully secured as traditional endpoints, like laptops and desktop computers. This means they are not as suitable for accessing business data and services.

IT should therefore take steps to understand how mobile devices are being used by the organization's employees, then develop measures to address security in this context—certainly in the form of best practices and guidelines, and also perhaps through deploying new security solutions with features specifically designed to address this issue.

Get the report today for complete insight

Of course, this only scratches the surface of the 2011 Trend and Risk Report. For a more comprehensive and detailed look at all the relevant topics, including: and read a copy of the complete report today!
