- As security technology and services continue to improve, a new IBM X-Force report on enterprise threats notes fewer exploits of application vulnerabilities.
- However, attackers (including a small but disproportionately damaging class of ‘hacktivists’) are finding new, unprotected entry points in emerging technologies and preying on whatever targets are left exposed, rather than picking victims deliberately.
A pair of security trend reports from Verizon and IBM’s X-Force research and development team released this week paint a complex and nuanced picture of the current threat environment and of how organizations are arming themselves against risk. While there is evidence that the combination of better and more accurate security technology, services, and best practices is helping enterprises limit their exposure, the reports give IT organizations no reason to declare victory. IBM compiled its “X-Force 2011 Trend and Risk Report” from a massive store of event and vulnerability data gathered by the company’s threat monitoring services. The report shows a 30% drop in the availability of public exploit code, a decrease in the number of unpatched software vulnerabilities, and a precipitous 50% decline in cross-site scripting vulnerabilities from the previous year. However, attackers are proving their resilience by finding new ways into the enterprise.
The X-Force report found attackers exploiting more mobile application vulnerabilities. The report also saw that exploits of shell command injection vulnerabilities, in which untrusted input is passed to a system shell and executed as part of a command, have more than doubled since 2010; there was also a big uptick in automated password guessing, where attackers probe systems for weak or default passwords.
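To make the shell command injection finding concrete, here is an added example (not code from either report) showing the pattern in Python: a function that concatenates user input into a shell command and runs it with `shell=True`, beside two hardened forms. The command (`echo`) and the malicious hostname are constructed for illustration so the code runs offline; the injection behaviour assumes a POSIX `sh`, where `;` separates commands.

```python
import re
import subprocess

# Constructed attacker input: a "hostname" carrying a shell metacharacter payload.
MALICIOUS_HOST = "example.com; echo INJECTED"


def lookup_vulnerable(host: str) -> str:
    """Vulnerable: builds the command by string concatenation and hands it to /bin/sh.

    With shell=True the ';' in the input terminates the intended command, so
    'echo INJECTED' runs as a second command under the web app's privileges.
    """
    cmd = "echo resolving " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv_only(host: str) -> str:
    """Safer: pass an argv list and no shell. The metacharacters are never parsed;
    the whole payload reaches the program as one literal argument."""
    argv = ["echo", "resolving", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Allowlist for hostnames (RFC 1123 labels); anything else is rejected outright.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_hardened(host: str) -> str:
    """Hardened: validate against an allowlist first, then use argv without a shell.

    Validation stops the payload before it reaches any command; argv form means that
    even a future bypass of the regex cannot turn input into shell syntax.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname: %r" % host)
    argv = ["echo", "resolving", host]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("vulnerable :", repr(lookup_vulnerable(MALICIOUS_HOST)))
    print("argv only  :", repr(lookup_argv_only(MALICIOUS_HOST)))
    try:
        lookup_hardened(MALICIOUS_HOST)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
```

Running it shows the vulnerable form printing a second line, `INJECTED`, the argv form printing the payload as inert text, and the hardened form refusing the input entirely. The same two controls (no shell, plus an input allowlist) apply regardless of language.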
The X-Force report’s observed increase in automated password guessing corresponds with Verizon’s “2012 Data Breach Investigations Report,” which found that 79% of the attacks were opportunistic and that 97% could have been prevented without a significant technology investment. Verizon’s report was compiled with input from five investigative agency partners in North America, Europe, and Australia, based on 855 reported data breaches. Verizon’s report also contains an intriguing finding on the source of the attacks. While so-called hacktivists – hackers motivated by social or political causes – accounted for only 2% of the agents perpetrating the incidents, they were responsible for 58% of the total number of records breached. This finding corresponds with other recent research showing that hacktivists became a major force in the hacking world in 2011.
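Automated password guessing is the kind of attack that the “no significant technology investment” figure refers to: it is visible in logs the system already produces. The following is an added example, not drawn from either report, that parses constructed sshd-style syslog lines and flags source addresses whose failed logins exceed a threshold inside a sliding time window. The log lines, addresses, usernames, and the threshold and window values are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines (not real data). 203.0.113.5 hammers root,
# admin and test in a five-second burst; 198.51.100.9 is one user mistyping twice.
SAMPLE_LOG = """\
Mar 12 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 12 10:00:02 bastion sshd[2102]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 12 10:00:02 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar 12 10:00:03 bastion sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40004 ssh2
Mar 12 10:00:04 bastion sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2
Mar 12 10:00:05 bastion sshd[2106]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar 12 10:07:40 bastion sshd[2110]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Mar 12 10:07:52 bastion sshd[2111]: Failed password for alice from 198.51.100.9 port 51001 ssh2
Mar 12 10:08:03 bastion sshd[2112]: Accepted password for alice from 198.51.100.9 port 51001 ssh2
"""

# Matches OpenSSH failure lines; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        # Syslog timestamps carry no year; fine for relative comparisons within a file.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failures inside any `window`-long span.

    A sliding window per source, rather than a raw count per day, separates a
    scripted burst from a legitimate user's scattered typos. The username list
    distinguishes brute force (one account) from spraying (many accounts).
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        left = 0
        peak = 0
        for right, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:
                left += 1  # drop events that fell out of the window
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[ip] = {
                "failures": len(events),
                "peak_in_window": peak,
                "usernames": sorted({u for _, u in events}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

With the constructed input only 203.0.113.5 is reported (six failures across three usernames in one window), while alice's two mistakes stay below the threshold. The same logic, fed from syslog or a SIEM, is the cheap control the Verizon figure points at; pairing it with rate limiting or lockout at the authentication layer closes the loop.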
What do these studies tell us about the current threat environment and real-world enterprise security practices? Looking at the top-level data alongside other recent anecdotes and research, it appears organizations are making big strides in addressing many long-standing vulnerabilities. However, many are still overlooking the obvious (e.g., basic password hygiene) and failing to get ahead of threats arriving through emerging areas such as social media and mobility.