Vulnerabilities surge: 8,000 recorded in 2010

IBM today released results from its annual X-Force 2010 Trend and Risk Report, highlighting that public and private organizations around the world faced increasingly sophisticated, customized IT security threats in 2010.

Based on the intelligence gathered through research of public vulnerability disclosures, and the monitoring and analysis of more than 150,000 security events per second during every day of 2010, key observations from the IBM X-Force Research team included:

  • More than 8,000 new vulnerabilities were documented, a 27 percent rise from 2009. Public exploit releases were also up 21 percent from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.
  • The historically high growth in spam volume leveled off by the end of 2010. This indicates that spammers may be seeing less value from increasing the volume of spam, and instead are focused on making sure it is bypassing filters.
  • While overall there were significantly fewer phishing attacks relative to previous years, “spear phishing,” a more targeted attack technique, grew in importance in 2010. This further indicates that cyber criminals have become more focused on quality of attacks, rather than quantity.
  • As end user adoption of smartphones and other mobile devices increased, IT security departments have struggled to determine the right way to bring these devices safely into corporate networks. Although attacks against the latest generation of mobile devices were not yet widely prevalent in 2010, IBM X-Force data showed a rise in vulnerability disclosures and exploits that target these devices.

“From Stuxnet to Zeus Botnets to mobile exploits, a widening variety of attack methodologies is popping up each day,” said Tom Cross, threat intelligence manager, IBM X-Force. “The numerous, high profile targeted attacks in 2010 shed light on a crop of highly sophisticated cyber criminals, who may be well-funded and operating with knowledge of security vulnerabilities that no one else has. Staying ahead of these growing threats and designing software and services that are secure from the start has never been more critical.”

The new, sophisticated face of cyber crime – From a security standpoint, 2010 will be most remembered as a year that was marked by some of the most high profile, targeted attacks that the industry has ever witnessed. For example, the Stuxnet worm demonstrated that the risk of attacks against highly specialized industrial control systems is not just theoretical.

These types of attacks are indicative of the high level of organization and funding behind computer espionage and sabotage that continues to threaten a widening variety of public and private networks.

A significant decline in phishing – If the IT security world is looking for a victory to chalk up in 2010, they should consider the relative decline in phishing attacks. Although phishing attacks still occurred, the peak volume of phishing emails in 2010 was less than a quarter of the peak volumes in the previous two years. This may indicate a shift toward other, more profitable, attack methodologies such as botnets and ATM skimming.

Despite this decline, spear phishing, a more targeted attack technique, grew in importance in 2010, as meticulously crafted emails with malicious attachments or links became one of the hallmarks of sophisticated attacks launched against enterprise networks.

Spam volumes peaked, and then leveled off – In 2010 spam volumes increased dramatically, reaching their highest levels in history. However, the growth in volume leveled off by the end of the year. In fact, by year’s end, spammers seemed to go on vacation, with a 70 percent decline in traffic volumes occurring just before Christmas and returning early in the new year. Has the market for spam become saturated? It is possible that there are diminishing returns associated with increasing the total volume of spam, and we are starting to see spammers focus more on bypassing spam filters.

Web applications accounted for nearly half of vulnerabilities disclosed in 2010 – Web applications continued to be the category of software affected by the largest number of vulnerability disclosures, representing 49 percent of all vulnerabilities disclosed in 2010. The majority represented cross site scripting and SQL injection issues and the IBM X-Force data showed that these vulnerabilities are being targeted by attackers. According to the report results, every summer for the past three years there has been a globally scaled SQL injection attack some time during the months of May through August. The anatomy of these attacks has been similar across the board, targeting .asp pages that are vulnerable to SQL injection.

A Secure by design approach can improve security – IBM X-Force has determined that taking proactive steps to evaluate web application security and improve development and quality assurance processes can result in a significant improvement in the security of web application software. The report included data showing that web applications that have been scanned for vulnerabilities often showed significant improvements upon being retested – exhibiting less than half of the number of particular classes of vulnerabilities, on average, the second time they are assessed. This encouraging information points the way toward sustained improvements in Internet security.

Nearly half of vulnerabilities remain unpatched – To help prevent attackers from exploiting vulnerabilities, organizations must focus on shortening the window of time between vulnerability disclosure and patch installation. Almost half of all security vulnerabilities, or 44 percent, had no vendor-supplied patch at the end of 2010. However, even in cases where patches are made available on the same day that a vulnerability is publicly disclosed, there may be a significant gap in time before those patches are installed on vulnerable systems. Computer criminals often privately develop exploits that target publicly disclosed security vulnerabilities, and use those exploits to launch attacks. Later, when these private exploits have ceased to be valuable as attack tools, they are publicly disclosed. The IBM X-Force report data showed that exploits are often publicly disclosed tens or hundreds of days after the vulnerabilities they target. If it is taking a long time for these exploits to surface, it may be taking a long time for networks to patch.

Continued growth of botnets – IBM X-Force saw an upward trend in Trojan botnet activity during 2010. This growth is significant because despite increasing coordinated efforts to shut down botnet activity, this threat appeared to be gaining momentum. However, IBM X-Force’s data did illustrate the dramatic impact of a successful effort in early 2010 to shutdown the Waledac botnet, which resulted in an instantaneous drop off in observed command and control traffic. On the other hand, the Zeus botnet continued to evolve and constituted a significant portion of the botnet activity detected by IBM X-Force in 2010. Due to its extreme popularity with attackers, there are hundreds, or even thousands, of separate Zeus botnets active at any given time. The Zeus botnet malware is commonly used by attackers to steal banking information from infected computers.

The complete report is available here (registration required).

Share this