Cyber-Criminals Change Tactics as Network Security Improves
Cyber-criminals, increasingly stymied by better security around traditional threats like spam and exploit codes, are changing gears and focusing more of their efforts in such areas as mobile devices, social networks and cloud computing, according to a report by IBM.
In Big Blue's "X-Force 2011 Trend and Risk Report," released March 22, IBM found significant reductions in such Internet security threats as spam and improvements in such areas as vulnerability patching and software application code. However, in response to such developments, cyber-criminals are now trying to find new ways to launch their attacks, as well as relying on a well-worn method: phishing.
IBM's report is based on research of public vulnerability disclosures findings from more than 4,000 clients and information gathered from the monitoring of about 13 billion events a day in 2011.
"In 2011, we've seen surprisingly good progress in the fight against attacks through the IT industry's efforts to improve the quality of software," Tom Cross, manager of threat intelligence and strategy for IBM X-Force, said in a statement. "In response, attackers continue to evolve their techniques to find new avenues into an organization. As long as attackers profit from cyber-crime, organizations should remain diligent in prioritizing and addressing their vulnerabilities."
Among the positives IBM saw in 2011 was a 50 percent drop in spam, compared with 2010 levels, and better patching of security vulnerabilities in software. Vendors left only 36 percent of software vulnerabilities unpatched, compared with 43 percent in 2010. IBM officials said some of the decline in spam probably came from authorities taking down several large botnets, such as Rustock.
There also was a higher quality of software application code, IBM found. That was seen in Web application vulnerabilities called cross-site scripting, which were half as likely to exist in clients software as they were four years ago. There also was a 30 percent drop in the availability of exploit code, which is released to help attackers when security vulnerabilities are found. IBM attributes the decline to procedural and architectural changes by software developers that make it more difficult for cyber-criminals to take advantage of vulnerabilities that are disclosed.
But attackers are adapting in a number of ways, including increasing their targeting of shell command injection vulnerabilities instead of using SQL infection attacks against Web applications. The number of SQL injection vulnerabilities in Web applications such vulnerabilities enable attackers to get into the databases behind the applications dropped 46 percent in 2011. However, shell command injection attacks which let cyber-criminals execute commands directly on a Web server grew by almost three times last year.
There also were increases in the second half of 2011 in both automated password guessing and phishing attacks. In particular, phishing attacks in the second half of the year hit levels that hadn't been seen since 2008, according to IBM, with many disguised as coming from social networking sites and mail parcel services.
Mobile devices, social media and the cloud are areas of emerging interest to attackers, according to IBM. There was a 19 percent increase in 2011 in publically released exploits aimed at mobile devices. For IT managers, that becomes a key concern, given the growing bring-your-own-device (BYOD) trend, where employees are using their personal smartphones and tablets to access corporate networks and data. IBM also saw a surge in phishing attacks in social media sites, where users are increasingly offering information about their personal and professional lives.
The rapid adoption of cloud computing is also a growing cause for concern, and IBM recommended that IT administrators give a lot of thought in deciding what data can be put into a public cloud and what should be left inside the firewall, and how service level agreements (SLAs) are written.
"Many cloud customers using a service worry about the security of the technology," Ryan Berg, an IBM security cloud strategist, said in a statement. "Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer's control. They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload."