Cybercriminals are being forced to change their tactics due to improvements in several areas of internet security, such as a reduction in the number of application vulnerabilities, a study shows.
The report is based on research of public vulnerability disclosures from more than 4,000 clients, and the monitoring and analysis of an average of 13 billion events daily in 2011.
The data revealed a 50% decline in spam e-mail compared with 2010; more diligent patching of security vulnerabilities by software suppliers, with only 36% of software vulnerabilities remaining unpatched in 2011, compared with 43% in 2010; and higher quality of software application code.
Security vulnerabilities in decline
In 2011, 30% fewer exploits were released than were seen on average over the past four years. This improvement is attributable to architectural and procedural changes made by software developers that make it more difficult for attackers to successfully exploit vulnerabilities, the report said.
While some security vulnerabilities are never patched, the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years. In 2011, this number was down to 36%, from 43% in 2010, the report said.
The researchers found that cross-site scripting (XSS) vulnerabilities are half as likely to exist in web applications as they were four years ago. But XSS vulnerabilities still appear in 40% of applications, which is high for something well understood and easily addressed, the report said.
Some of the decline in spam can be attributed to the take-down of several large spam botnets, which hindered spammers’ ability to send e-mails. But the IBM X-Force team witnessed spam evolve through several generations over the past seven years as spam filtering technology has improved and spammers have adapted their techniques to successfully reach readers, the report said.
Similarly, in response to the improvements noted by the researchers, attackers are evolving their techniques. The report notes a rise in mobile exploits, automated password guessing, and a surge in phishing attacks.
An increase in automated shell command injection attacks against web servers may be a response to successful efforts to close off other kinds of web application vulnerabilities, the report said.
Despite the improvements, organisations must remain vigilant, warned Tom Cross, manager of threat intelligence and strategy for IBM X-Force.
"As long as attackers profit from cybercrime, organisations must remain diligent in prioritising and addressing their security vulnerabilities," he said.
Managing security in the cloud
With attackers shifting focus to emerging technologies, IT security staff should carefully consider what workloads they send to third-party cloud providers, the report said.
The report notes that cloud security requires foresight on the part of the customer, as well as flexibility, skills and a willingness to negotiate on the part of the cloud provider.
According to the report, the most effective means for managing security in the cloud may be through service level agreements (SLAs) because of the limited impact that an organisation can realistically exercise over the cloud computing service.
"Therefore, careful consideration should be given to ownership, access management, governance and termination when crafting SLAs," the report said. IBM researchers encourage cloud customers to take a lifecycle view of the cloud deployment and fully consider the impact to their overall information security posture.
"Many cloud customers tapping a service worry about securing the technology. Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer's control," said Ryan Berg, IBM security cloud strategist.
"They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload," he said.
Other recommendations for helping organisations secure their data in the light of these new threats include performing regular third-party external and internal security audits, segmenting sensitive systems and information, training users about phishing and spear phishing, and examining the policies of business partners.