CISOs Struggle to Keep Up with Mobile and Social Networking Threats

Social media in particular has quickly become the new playground and a top target for attacks, with mobile devices expanding those targets in different ways, the report found

According to the latest IBM X-Force report, CISOs are already aware that tried-and-true attack tactics can cause the most damage to an enterprise. Known vulnerabilities left unpatched in web applications and in server and endpoint software are a particular source of opportunity for attackers, and such unpatched software continues to facilitate breaches year after year.

However, attackers are improving their skills too, which allows them to increase their return on exploitation. Specifically, these attackers are capitalizing on users’ trust when it comes to new vectors like social media, mobile technology and watering hole attacks.

Social media in particular has quickly become the new playground and a top target for attacks, with mobile devices expanding those targets in different ways, the report found.

“Criminals are selling accounts on social networking sites, some belonging to actual people whose credentials were compromised, others fabricated and designed to be credible through realistic profiles and a web of connections,” said Leslie Horacek, worldwide threat response manager for IBM X-Force security research group, in a blog. “As a minimum function their use is to inflate page ‘likes’ or falsify reviews; though more insidious uses include hiding one’s identity to conduct criminal activities – the online equivalent of a fake ID, but with testimonial friends, adding to the deception.”

IBM X-Force expects to see these newer applications of social engineering become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims.

“Users must adopt a mindset of guilty until proven innocent when it comes to social media and companies should engender suspicion to protect users and assets,” Horacek added. “Technology advancements and controls are available, best practices continue to be refined and taught, but ultimately the trust the user believes they have, may circumvent anything security practitioners put into place.”

Meanwhile, in the past few years there has been explosive growth in Android devices and malware. Older mobile devices are even more vulnerable, as only 6% of Android devices are running the latest version of the platform with any patches and security enhancements.

IBM X-Force expects to see the number of Android malware apps continuing to rise for the rest of the year. “We also anticipate that the degree of sophistication for this malware will eventually rival those found in desktop malware,” Horacek said. “There could be more improvements to combat malware in future versions of Android, but we believe that OS fragmentation (older versions that are being used as much as newer ones) will remain a problem.”

In the first half of 2013, IBM saw just over 4,100 new publicly reported security vulnerabilities across software, both mobile and desktop. If this trend continues throughout the rest of the year, the total projected vulnerabilities would approach 8,200, virtually the same number seen in 2012.

Web application vulnerabilities, which have been on the rise in recent years, are down slightly in 2013. Notably, though, more than half of all web application vulnerabilities are cross-site scripting.
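As an added illustration of the vulnerability class the report singles out (this is example code, not part of the article or of the IBM X-Force report), the snippet below shows the reflected/stored cross-site scripting pattern in its simplest form: a comment renderer that concatenates untrusted text into HTML, next to a version that output-encodes for the HTML text context. The function names, the `containsLiveTag` check and the sample comment are constructed for the example.

```javascript
// Added example, not from the article or the X-Force report: the
// cross-site scripting pattern counted as the largest class of web
// application vulnerabilities, as a vulnerable HTML builder beside its
// output-encoded fix.

// Vulnerable: user-controlled text is concatenated straight into HTML,
// so any markup in the comment becomes part of the page.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Encode the characters that can change HTML structure or terminate an
// attribute value, so untrusted input is rendered as literal text.
// Ampersand is replaced first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: every untrusted value is encoded for the context it lands in
// (here, HTML element content).
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Review helper (constructed for this example): does the rendered output
// contain a live tag of the given name, i.e. one the browser would parse?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed sample input: a comment body carrying script markup.
const SAMPLE_AUTHOR = 'alice';
const SAMPLE_TEXT = 'nice post <script>alert(1)</script>';

console.log('unsafe:', renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_TEXT));
console.log('safe:  ', renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_TEXT));
```

The encoding shown is only correct for HTML element content; a value placed inside a JavaScript string, a URL or a CSS rule needs the encoder for that context, which is why templating engines with contextual auto-escaping are the usual mitigation rather than hand-written string building.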

“The most prevalent consequence of vulnerability exploitation for the 1st half of 2013 was ‘gain-access,’ at 28% of all vulnerabilities reported,” said Horacek. “In most cases, gaining access to a system or application provides the attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from that system.”

Meanwhile, when it comes to the malware being distributed by exploits, the US dominates the scene by hosting more than 42% of all malicious links. The geography with the second highest concentration of malicious links (a distant competitor to the US) is Germany, with nearly 10%.

The top three campaigns that IBM observed enticing users to click on bad links and attachments in emails used internet payment companies, social networks and internal scanners or fax devices. Together these three focus areas account for more than 55% of all scam and phishing incidents.

“While attackers continue to optimize their operational sophistication, a return to security basics is still one of the most effective strategies to mitigate both old established, as well as evolving techniques,” Horacek said. “If anything is certain, we can see that the concept of trusted devices and services is long gone.”
