IBM X-Force Reports: Insight to Shield Your

Solving the security conundrum

SERVICE MANAGEMENT IN ACTION

Effective IT security is, among many other things, current IT security. But how do you stay current?

Few industries have evolved as rapidly as IT…and within IT, few domains have evolved as rapidly as security. Every year, the total array of security threats increases not just in number, but also in sophistication, intelligence, and persistence. Keeping abreast of new developments is, by itself, a full-time job.

Furthermore, as services are delivered in new ways, via new platforms and to new end-user solutions, each represents a double-sided coin—one side of which is business value, and the other side of which is new opportunities for security breaches.

Two prominent examples of this problem at work:

The X-Force Team: Keeping a vigilant watch on the evolving security landscape

In the face of so many new complexities to consider, security professionals will really benefit from accurate, timely information on emerging security trends and risks.

That's why the X-Force® trend reports, issued twice a year, are so popular and so influential. The X-Force team focuses on how the world of Internet security has changed in recent months, what potential those changes have to create a negative business impact, and what organizations can do to best mitigate that impact—often in a proactive manner to preclude the threat from manifesting in the first place.

What's informing and guiding these reports? In addition to leveraging the world's largest database about such threats, a collection of more than 50,000 entries, the X-Force team does sophisticated analyses that discover and quantify trends and patterns as viewed through many different lenses.

That means not just the targeted platforms, the types of malware, and the major botnets, but also related information such as the most common countries of malware origin, the technical sophistication of the threats and the attackers, and unveiling of entirely new attack vectors never seen before.

All of that comes as welcome news to security professionals, who can bring themselves up to speed on the major trends in a quick, convenient, yet comprehensive way. And once informed, they can put both their technical infrastructures and business operations on a sounder, more confident footing.

The report is organized into four categories: threats, operating secure infrastructure, secure software, and emerging trends.


Malware and the malicious web

2011 has been dubbed the Year of the Security Breach just on the basis of the first six months alone, and for good reason. This year, the ongoing trend in which financially motivated malware and botnet builders are responsible for the most daunting external threats has only picked up speed—to devastating effect.

Security threats coming via the web are also showing increasing intelligence, insight, and patience on the part of attackers, who now quite commonly design these threats in a tailored way (example: spear phishing). Advanced persistent threats of this type are usually going to be beyond the scope of off-the-shelf point solutions such as anti-malware, because they were designed not for mass targets on a global scale, but with the specific resources, processes, and security infrastructure of a particular organization or even individual in mind. Should one particular approach or attack vector fail, others will be tried in order to achieve the overarching goal.

That said, golden-oldie attacks such as SQL injection are still quite popular and in widespread use—suggesting the need for enterprise security teams to continue to cover all bases, rather than simply shift their focus from the old to the new. As has been the case for many years, automated scanning is used to reveal the low-hanging fruit—easy targets—on which a more dedicated, sustained attack might then be launched to obtain brute-force access to key databases, shared volumes, or services. Fortunately, the SQL Slammer worm, a historical problem of note, has largely vanished from the recent statistics.

Spam and phishing

One disturbing trend: the increasing popularity of anonymous proxy servers, which disguise all information about the source of an attack and thus provide a layer of protection for attackers. The X-Force team has observed an increase in both the number of these and their overall utilization.

Spam volumes, on the other hand, are in a state of decline, thanks in part to the elimination of the infamous Rustock botnet, and spammers have largely abandoned old-school, mass-mail phishing practices, which appear less effective now that they are better known and understood. While the USA leads all countries in e-mail phishing, it comes in a distant tenth for total spam sent; India, Russia, and Brazil lead the pack.

Finally, financial institutions continue to be the primary target for phishing attempts, at almost 70% of the total, because of the relatively high potential payoff in the event of success.

Operating a secure infrastructure

Enterprise security managers looking for good news will find it here: there was a year-over-year decline of more than 15% in total security vulnerability disclosures. Web applications, too, are improving; while last year they represented half of all disclosures, this year they come to only 37%. And while in the past, disclosed vulnerabilities were actually exploited roughly 15% of the time, in 2011 that figure has fallen to 12%—still uncomfortably high, but clearly an improvement.

But there's also bad news. The total number of vulnerabilities scoring a perfect 10 (which is worst) on the Common Vulnerability Scoring System has tripled in the first half of 2011, and already exceeds the total from 2010 as a whole. And because the browser market is becoming more fragmented, attackers have compensated by attacking software shared by all browsers, such as multimedia players or document readers, to maximize their odds of success.

Developing secure software

Toward making the enterprise secure, it's essential to lock down web applications as much as possible. Unfortunately, that goal has yet to be achieved at many organizations.

For proof of that assertion, consider the fact that when 678 major corporate sites were tested by the IBM Rational Application Security Group, a full 40% had client-side JavaScript vulnerabilities. In fact, 90% of vulnerable applications were vulnerable in whole or in part because of third-party JavaScript included with and used by them, such as AJAX libraries or embedded Flash animation.

One new vulnerability of note is DOM (Document Object Model)-based e-mail attribute spoofing. Here, malicious JavaScript is used to modify or add addresses to the recipient fields of organizational e-mail, so that extra copies go out not just to the intended parties, but also to the attackers—very helpful for them indeed.

Emerging trends


As suggested earlier, mobile platforms represent a whole new Petri dish in which attackers can breed new attacks, and many are doing so with startling speed and sophistication.

For instance, mobile platforms are an easy way to monetize malware. This is because SMS services can be created that actually charge users for received text messages; furthermore, it is possible to create malware that infects common smart phone operating systems, such as Google's Android, and thus force infected phones to send those messages.

How does the infection happen? Often, via infecting an established application the user voluntarily downloads and installs—or via a new application that claims to do X (such as crack another application so it will run for free), but actually does Y (infects the phone and sends text messages to the SMS service).

This has led to a situation in which users' phones are actually doing the work of generating money for attackers in real time. And as smart phones proliferate, so, too, do the monetization opportunity and the incentive for attackers to continue to develop variations on this theme—at least for as long as vulnerabilities remain unpatched. Unfortunately, many phones will remain unpatched indefinitely because the phone vendors don't push out updates automatically and the users are unaware of the problem.


Databases are also increasingly vulnerable, in part because they're accessed in more ways, via more platforms and networks, than ever before. And while this extra access to core databases is essential to IT services, it's also something that multiplies the odds of a breach, particularly given the added intelligence and targeted capabilities of today's security threats.

Security managers must therefore take pains to govern database access in such a way as to balance convenience with risk. Given a set of stolen credentials, for instance, it's relatively easy for an attacker to simply log in to services as an authorized user, thus essentially defeating perimeter defenses. Where do the credentials come from? Any of several methods, such as via a traditional attack (example: SQL injection).

Thus, one form of breach leads to another in short order, which in turn leads ultimately to compromised databases. And because databases are now being utilized for cross-domain value more than ever, spanning many different operational groups, services, and business processes, the importance of governing their security has reached an all-time high.
