IBM report: Vulnerabilities fell in '09, attacks rose

Powered by SC Magazine
 

The number of new and unpatched vulnerabilities decreased last year compared to 2008, but attack volume grew substantially, according to a new report from IBM ISS.

The 2009 cybersecurity landscape had its peaks and its valleys – the number of new and unpatched vulnerabilities decreased compared to 2008, but attack volume grew substantially, according to a research report from IBM ISS.

There were 6,601 new vulnerabilities discovered last year, an 11 percent decrease compared to 2008, according to the annual "X-Force Trend and Risk Report."

And the number of vulnerabilities in web browsers and document readers with no patch also decreased last year compared to 2008.

The number of unpatched “critical” vulnerabilities is significantly lower than in years past, indicating that software vendors have become more responsive in dealing with security issues, the report stated.

“The computer industry is getting better at building secure software and being responsive to vulnerabilities,” Tom Cross, manager of IBM X-Force Research, told SCMagazineUS.com on Thursday. “But the volume of attack activity is expanding at a very rapid pace.”

For example, the number of new malicious websites increased by 345 percent in 2009 compared to 2008, according to the report. Spam and phishing volumes also rose dramatically during the second half of the year.

The highly publicised takedown of web-hosting company McColo caused worldwide spam levels to drop by around 70 percent at the end of 2008. By last May, spam levels were back up to pre-McColo levels and, in November, spammers sent out twice as much spam as they did before the takedown.

Phishing attacks decreased dramatically at the beginning of 2009, but phishers came back with a vengeance in the third quarter of the year, the report stated. In September, the number of phishing attacks surpassed the volume seen during any month of 2008.

Web application vulnerabilities made up 49 percent of security disclosures in 2009, the largest single category, the report stated. Web application vendors have done well in patching vulnerabilities in their base platforms, but the majority of flaws affecting these platforms are present in plug-ins produced to add functionality to the application. Often, vulnerabilities in web application plug-ins are not patched, the report stated.

Open-source content management platforms used for building websites, for example, often have many plug-ins available, Cross said.

“Some plug-ins are great, others are not,” he said. “If you are using one of those platforms you need to be careful of the plug-ins you are using.”

The main types of vulnerabilities affecting web applications during 2009 were cross-site scripting (XSS) and SQL injection, the report stated. There was a “significant increase” in the number of SQL injection attacks last year, as attackers used automated tools to find susceptible websites, Cross said.

“Businesses need to look at their infrastructure and see what web applications they are using and the processes they have for ensuring they are secure,” he said.

Enterprises must assess their network to determine whether there are any vulnerabilities in off-the-shelf or custom-built web applications, Cross said. Also, enterprises can protect their networks against SQL injection attacks with intrusion prevention systems and should seek to eliminate these bugs in the company's software development lifecycle.

“If they haven't eliminated SQL injection vulnerabilities on their network, they are certainly being subject to attack today,” Cross said. “There is no doubt about that.”

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 