Related Stories

Top 5 Stories


IBM: Top threats include data breaches, BYOD, browser exploits

20 September 2012

When it comes to trends in security for 2012 so far, the landscape has seen a sharp increase in browser-related exploits, like recent ones for Internet Explorer and Java, along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.

That’s the word from the IBM X-Force 2012 Mid-Year Trend and Risk Report, which shows that a continuing trend for attackers is to target individuals by directing them to a trusted URL or site that has been injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. Further, the growth of SQL injection, a technique used by attackers to access a database through a website, is keeping pace with the increased usage of cross-site scripting and directory traversal commands.

IBM also noted that attackers are no longer primarily attracted to the Windows universe. The user base for the Mac operating system continues to grow worldwide, so it is increasingly becoming a target of advanced persistent threats (APTs) and exploits.

“We’ve seen an increase in the number of sophisticated and targeted attacks, specifically on Macs and exposed social network passwords”, said Clinton McFadden, senior operations manager for IBM X-Force research and development. "As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data."

At the mid-year point in 2012, IBM sees an upward trend in overall vulnerabilities, with the possibility of an all-time high by year-end. Even so, IBM X-Force data continues to demonstrate declines in true exploits, with only 9.7% of all publically disclosed vulnerabilities subjected to exploits. That’s mainly due to improvements from the top ten vendors on patching vulnerabilities and a significant decrease in the area of portable document format (PDF) vulnerabilities. IBM said that that this area of improvement is directly related to the new technology of sandboxing provided by the Adobe Reader X release.

Sandboxing technology works by isolating an application from the rest of the system, so that if compromised, the attacker code running within the application is limited in what it can do or access. Sandboxes are proving to be a successful investment from a security perspective, IBM noted. In the X-Force report, there was a significant drop in Adobe PDF vulnerability disclosures during the first half of 2012, which coincides nicely with the adoption of Adobe Reader X, the first version of Acrobat Reader released with sandboxing technology.

In terms of mobile security, the BYOD phenomenon continues to be the main game-changing transformation. Many companies are still in their infancy in adapting policies for allowing employees to connect their personal laptops or smartphones to the company network.

While there are reports of exotic mobile malware, most smartphone users are still most at risk of premium SMS scams, which automatically send text messages to premium phone numbers in a variety of different countries automatfrom installed applications. There are multiple scam infection approaches for this, such as offering users an application that looks legitimate in an app store but only has malicious intent; presenting an application that is a clone of a real application with a different name and some malicious code; or hacking a real application to wrap it with malicious code. The latter is typically presented in an alternative app store.

Passwords in the cloud services era is another rising focus, IBM said. The connection between websites, cloud-based services and webmail provides a seamless experience from device to device, but users should be cautious about how these accounts are connected, the security of their password and what private data has been provided for password recovery or account resetting.

“X-Force recommends the use of a lengthy password comprised of multiple words instead of an awkward combination of characters, numbers and symbols, researchers said. “On the server-side, X-Force recommends encrypting passwords to the database using a hash function that is suitable for password storage. The hash function should be computationally expensive to calculate and use a salt value for each user account which helps limit the effectiveness of 'rainbow tables' and brute force dictionary attacks.”

Early in 2011, IBM X-Force declared it the year of the security breach. Enterprises both large and small were targeted. The overall breach trend continues into 2012, IBM said, with the healthcare industry in particular seeming to have been hit hard.

“While security products and technology could have mitigated many of these unfortunate events, we are seeing more than ever how systems interconnectedness, poor policy enforcement, and human error, is far more influential than any single security vulnerability,” IBM researchers noted. “We’ve seen several headlines regarding cases where digital identities were decimated, not through malware, key loggers, password cracking or even through access of the victim’s computer or device. Instead, the bad guys accomplish their nefarious deeds by culling a small amount of personal data from public sources, using clever social engineering tricks and depending upon the loose policies of a handful of companies who we trust with our private data. Now, more than ever, the delicate balance between security, convenience and privacy takes center stage.”

In one case, attackers bypassed two-factor authentication – commonly thought to be almost failsafe – simply by convincing a mobile phone provider to relocate a user’s voicemail, giving attackers the data they needed to reset a password. In another, the last four digits visible on one site was used by another service as a key piece of identification data, and used to reset the account. For each one of these types of high profile incidents, there are hundreds of similar breaches going on beneath the radar.

Through the disclosure of breaches in 2012, IBM continues to see SQL injection reigning as the top attack technique. In addition, attackers seem to be taking advantage of cross-site scripting vulnerabilities for web applications. Over 51% of all web application vulnerabilities reported so far in 2012 are now categorized as cross-site scripting.

Even with all of this abundant attack activity, IBM points out that there are bright spots as well.

“Spam and phishing levels remain low with the take down of botnets in 2011, and as recently as July 2012, we witnessed yet another botnet take down with the removal of Grum”, the IBM report noted. “The data clearly demonstrates declines from this activity. Positive web trends continue with the adoption of IPv6 technology. Currently, enterprises and governments taking advantage of IPv6 find less malicious activity occurring, although we don’t know when attackers will decide to adopt IPv6 technology.”

Overall, going forward IBM concludes that a more holistic approach to the entire ecosystem is required. Users should become more aware of how visible their personal data is online, more aware of who has access to it, and more aware of how it can be used against them. This affects not only their social networking, but also their choices of mobile application selection and usage.

This article is featured in:
Application Security  •  Cloud Computing  •  Data Loss  •  Encryption  •  Identity and Access Management  •  Industry News  •  Internet and Network Security  •  IT Forensics  •  Malware and Hardware Security  •  Security Training and Education  •  Wireless and Mobile Security



White_Hat says:

21 September 2012
This was very nicely written and informative article. We all need to be more proactive about our personal account security. I wish would have been mentioned Two-Factor Authentication. I use 2FA across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×