Improvements in Internet Security amidst the "Year of the Security Breach"
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM | | Tags:  security vulnerability data threat xforce ibm internet
0 Comments | 8,966 Visits
Twice a year IBM's X-Force Research and Development team, in partnership with several other organizations from around the IBM Security team come together to publish data, analysis and operational advice for security professionals and the broader community of internet and computer users around the trends we are seeing in IT security. You can visit X-Force on the web at ibm.com/security/xforce and download this report, as well as any of the other threat reports we have published, on the downloads tab of that site.
We've been doing the X-Force Trend and Risk Report for many years and for a long time we've been reporting on things that are essentially gloom and doom. The amount of vulnerabilities were steadily rising along with a similar rising trajectory in the number of exploits. While 2011 may not be the last year we ever refer to as "Year of the Security Breach," the security issues we knew existed, and had been seeing grow in significance over the years, really came into sharp focus as a number of somewhat independent variables all collided with one another at the same time.
We've seen APT (advanced persistent threat) articles that date all the way back to 2006, but in 2011 it became a focus in a way it really hadn't been previously. I can't recall how many conversations I saw just on Twitter debating what APT meant, whether "advanced" referred to operational capabilities or technical ones, whether "persistent" meant an attacker would keep attempting to break in until they succeeded or if it meant an attacker invested in doing long-term network surveillance. In addition to these attackers who were invested in silence, you had the more politically motivated hacktivists who were invested in noise. Their campaigns were often based on making sure that a targeted organization wound up in the headlines that day. Much was made about the extent of this group's technical capabilities, but after calling 2011 the "Year of the Security Breach," there isn't much left to be said about their success.
In security it does frequently seem like we wind up in conversations around what was old is new again, and this year actually didn't prove to be much of departure from that. I like to read many of the other threat reports that come out because every one tells a piece of the story from a different angle. However, one theme I'm picking up on from this year is around passwords. Mandiant reported that in 100% of the targeted attacks they investigated the attackers were using stolen, valid credentials. Trustwave just published their report of security breaches and found that over 80% of incidents were due to weak administrative controls, such as bad passwords. In fact, the most common password they found was, "password1." We see some of this same activity but from a different angle. We noticed a dramatic spike in the amount of SSH brute force activity (programs designed to break bad passwords).
This particular challenge was something that came up on a podcast I did today with Tom Cross and Caleb Barlow that covered much of the data new report. You can listen to that full podcast here.
We also saw a sustained increase in the amount of shell command injection over the course of the year. Similar to SQL Injection in the way the attack is delivered, shell command injection is delivered through the inputs in web applications. However, while SQL Injection is an attack on the database, shell command injection is aimed at the web server itself. The results of this tactic basically give the attacker control of the web server, at which point they can do a number of different things depending on their motives. This would include using the site to deliver malware, defacing the website or even just taking it down altogether.
All of this came to deliver a year in which security really began to move its way into board level conversations as senior level executives were all wondering if this could happen to them, or worse yet, if it was currently happening to them and they just didn't realize it yet. However, despite the increased focus on security, this is also not an issue that many organizations, to their credit, are just waking up to. In fact, years of hard work and awareness (hopefully through reports like this one and those of our peers) have begun to yield progress in certain areas. First off, many vendors seem to be doing a better job with security. We have noted dramatic improvements in patching coverage and processes over the course of the last 4 years. In 2008, over 50% of all vulnerabilities had no patch and that number is now in the mid 30s. Secondly, using things like sandboxes, vendors are also making it more difficult for exploits to yield any real results, and this is likely one of the reasons why the number of exploits is going down. The number of web application vulnerabilities also went down for the first time since recently reaching 50% of all disclosed vulnerabilities. Today, that number is down to 41%. Why is this such an important stat? Given the sheer volume of new web apps springing up every day, the security with which they are designed, developed and deployed is often questionable. The average developer might not take the time to do something like secure input and output validation to combat the attempts at the various types of code injection I mentioned above. However, a decline in web application vulnerabilities could speak to the larger development community beginning to take the problem more seriously and using security tools and best practices as part of their development processes. While we will need to see this trend sustained over time before we start feeling all warm and fuzzy, it is a positive indicator.
Cloud and mobile continue to be hot topics and the Trend Report has some valuable insight on both. In the mobile space we continue to see a rise in the number of exploits YtY. As more and more employees bring their own devices into the office, the opportunity that these devices represent will only continue to grow. Taking a somewhat different approach than we typically do, the cloud article is not about the technology as much as it looks at the nature of the relationship between consumer and provider and the key considerations organizations need to make, especially around what an exit strategy would look like. It seems cynical to consider the relationship in this manner, but it's best to enter into this marriage planning for divorce. That's not to say that the relationship won't be mutually beneficial for all parties and for a long time, but the consequences of not planning this way are too great.
While security will never be a solved problem, and new technologies and new attack techniques will always drive this back and forth between attackers and the security community, it is good to see progress being made in some of the areas that are central to computer and internet security even during a year that was defined by breach headlines.
Each of the below videos contain overviews of the report given by Tom Cross, Manager of Threat Intelligence and Strategy, with varying levels of depth. The first is a quick overview while the second is about 15 minutes on the top trends.