Reports Showcase Security Gap
Amidst a slew of recently released information security studies, two in particular, one by IBM's X-Force and another from Forrester Research, show a widening gap between global security threats and the game of "catch up" being played by security professionals everywhere.
These reports underscore the precarious position held by many industries where security on the Internet is concerned. The gap between the criminal attackers and the information security forces fighting them is widening on a daily basis.
Among the trends: Vulnerability disclosures are increasing and reached record levels in the first six months of this year, says the IBM X-Force report. A mind-boggling 4,396 new vulnerabilities were documented -- a 36 percent increase over the same period in 2009. More than 50 percent of them had no vendor-supplied patch available at the time of disclosure. The most troubling part of the report shows that web application vulnerabilities continue to lead the pack, accounting for more than half of all public disclosures. This does not bode well for any business (including financial institutions) that depends on the Internet to do business.
The Forrester Research report also packs some sobering news. The report, "The New Threat Landscape: Proceed With Caution," says what we've all believed: that organizations aren't just facing down individual hackers or small groups of hackers, but are now going to war against highly organized, well-funded crime networks, including some hackers who are state-sponsored. The report tracks responses from 2,800 IT pros from around the world.
The Forrester report also sees web application attacks as the biggest headache for security. It shows a shift toward this type of attack, with 79 percent of records breached in 2009 attributed to web application attacks.
In addition to web application vulnerabilities, covert attacks hidden within JavaScript and Portable Document Format (PDF) files increased in complexity.
The IBM report notes that enterprises are fighting increasingly sophisticated attacks on their computer networks, including the Advanced Persistent Threat. These attackers employ covert means to break into networks without being detected by traditional security tools. JavaScript obfuscation is a particularly popular technique, used by all classes of computer criminals to hide their exploits within document files and web pages. IBM says it found a 52 percent increase in obfuscated attacks during the first half of 2010, compared to the same period in 2009.
Phishing activity declined significantly in the first six months of 2010, according to IBM, but financial institutions still top the list of targets, representing 49 percent of all phishing emails. The good news is phishing volume has declined from its peak in 2009, down by 82 percent.
Forrester's report shows that attacks are becoming much more targeted, sophisticated and resourceful. The report cites information from a Congressional study stating that cybercrime costs the U.S. economy about $8 billion each year. It also shows a shift in the criminals' approach toward targeted, low-profile attacks on network applications, crafted to steal money or data from the victim over a longer period of time.
What the attackers are looking for is a consistent source of revenue, says Forrester. They go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate. They're also narrowing their focus, targeting organizations that have valuable information -- not just hitting financial institutions to get cash.
Forrester shows the quickening pace of change in the malware variants used by today's criminals. There are now more than 90,000 Zeus variants. These can be custom-made, and are crafted to evade anti-virus detection.
All of this makes the point I stated at the beginning clearer: The gap between the criminal hackers and the defending security professionals is widening. It's as if the criminals are driving sports cars while the information security pros are on bicycles. The attackers aren't slowing; they will continue to speed along, evolve and morph into more sophisticated creatures. Information security defenders, meanwhile, are pedaling vainly, hoping to someday catch up.