IBM report: Vulnerabilities fell in '09, attacks rose

Powered by SC Magazine
 

The number of new and unpatched vulnerabilities decreased last year compared to 2008, but attack volume grew substantially, according to a new report from IBM ISS.

The 2009 cybersecurity landscape had its peaks and its valleys – the number of new and unpatched vulnerabilities decreased compared to 2008, but attack volume grew substantially, according to a research report from IBM ISS.

There were 6601 new vulnerabilities discovered last year, an 11 percent decrease compared to 2008, according to the annual "X-Force Trend and Risk Report."

And the number of vulnerabilities in web browsers and document readers with no patch also decreased last year compared to 2008.

The number of unpatched “critical” vulnerabilities is significantly lower than in years past, indicating that software vendors have become more responsive when dealing with security issues, the report stated.

“The computer industry is getting better at building secure software and being responsive to vulnerabilities,” Tom Cross, manager of IBM X-Force Research, told SCMagazineUS.com on Thursday. “But the volume of attack activity is expanding at a very rapid pace.”

For example, the number of new malicious websites increased by 345 percent in 2009 compared to 2008, according to the report. Spam and phishing volumes also rose dramatically during the second half of the year.

The highly publicised takedown of web-hosting company McColo caused worldwide spam levels to drop by around 70 percent at the end of 2008. By last May, spam levels were back up to pre-McColo levels and, in November, spammers sent out twice as much spam as they did before the takedown.

Phishing attacks decreased dramatically in the beginning of 2009, but phishers came back with a vengeance in the third quarter of the year, the report stated. In September, the number of phishing attacks surpassed the volume seen during any month of 2008.

Web application vulnerabilities made up 49 percent of security disclosures in 2009, the largest category, the report stated. Web application vendors have done well in patching vulnerabilities in their base platforms, but the majority of flaws affecting these platforms are present in plug-ins that are produced to add functionality to the application. Often, vulnerabilities in web application plug-ins are not patched, the report stated.

Open-source content management platforms used for building websites often have plug-ins available, for example, Cross said.

“Some plug-ins are great, others are not,” he said. “If you are using one of those platforms you need to be careful of the plug-ins you are using.”

The main types of vulnerabilities affecting web applications during 2009 were cross-site scripting (XSS) and SQL injection, the report stated. There was a “significant increase” in the number of SQL injection attacks last year, as attackers used automated tools to find susceptible websites, Cross said.

“Businesses need to look at their infrastructure and see what web applications they are using and the processes they have for ensuring they are secure,” he said.

Enterprises must assess their network to determine whether there are any vulnerabilities in off-the-shelf or custom-built web applications, Cross said. Also, enterprises can protect their networks against SQL injection attacks with intrusion prevention systems and should seek to eliminate these bugs in the company's software development lifecycle.

“If they haven't eliminated SQL injection vulnerabilities on their network, they are certainly being subject to attack today,” Cross said. “There is no doubt about that.”

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 