IBM urges rethink on vulnerability assessments

The security industry needs to reprioritise its response to disclosed software vulnerabilities in order to determine more effectively when emergency patching is most needed, according to the latest annual security trends report from IBM.

The 2008 X-Force Trends and Risk report found that a number of critical vulnerabilities disclosed in 2008 did not actually see widespread exploitation in the field.

IBM argues that the current Common Vulnerability Scoring System focuses on the technical aspects of a vulnerability, such as severity and ease of exploitation, and does not acknowledge that the main motivation for online criminals today is economic.

"We realise that cyber criminals are motivated by money, and we need to fully consider how attackers balance the economic opportunity of a vulnerability against the costs of exploitation," said Kris Lamb, senior operations manager of X-Force research and development for IBM Internet Security Systems.

"If the security industry can better understand the motivations of computer criminals we can be more precise about determining when widespread exploitation of a vulnerability will take a long time to emerge, and when it is unlikely to ever emerge. This analysis could result in more efficient use of time and resources."

The report also found a 13.5 per cent increase in newly discovered vulnerabilities last year compared to 2007, and that 53 per cent of all vulnerabilities disclosed during 2008 ended the year with no vendor patches issued.

In related news, a new wave of botnet activity has driven up spam volumes to the same levels they were before the McColo shutdown, according to new figures from managed security service provider MessageLabs.

"With botnets now responsible for as much as 80 per cent of all spam, the likelihood is that the increase in spam volumes in the last few days can be attributed to a new wave of activity from the Mega-D and Xarvester [botnets]," said Paul Wood, MessageLabs intelligence analyst at Symantec.

"As the botnet community becomes even more crowded, 2009 could be the year when spam levels reach an all-time high."