An IBM X-Force report published this month says corporations are becoming the largest reason their customers are at risk. When you consider the state of Web Application Security, and the trend of using a legitimate Web site or application against the user for criminal intent, IBM has a point.
IBM X-Force report points to corporations as biggest threat to their own customers. (Image: J. Anderson)
The X-Force report published this month centers on two trends from 2008 that are carrying over into 2009. The first trend surrounds Web applications, which, off the shelf, are plastered with bugs and flaws that attackers exploit. These built-in vulnerabilities are seen most frequently in SQL injection (SQLi), cross-site scripting (XSS), and cross-site request forgery (CSRF) attacks. The attack vectors are so common that criminals are simply automating them and focusing their energy and effort on selling stolen data or managing infected systems.
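To make the first trend concrete, here is an added illustration (not code from the report or from The Tech Herald) of the two most common flaws named above, SQL injection and cross-site scripting, each shown in its vulnerable form beside the fix that removes the bug. The table, user names and payloads are constructed for the example; the point is that the hardened versions keep untrusted input as data, so it can never change the structure of the query or the page.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: a minimal in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """SQLi: user input is pasted into the statement text, so the input
    can rewrite the WHERE clause (a tautology returns every row)."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Fix: the input is bound as a value. Whatever it contains, the
    statement structure stays 'username = <one value>'."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def greeting_vulnerable(name):
    """XSS: untrusted input is written straight into HTML, so markup
    in the name is rendered by the visitor's browser."""
    return f"<p>Welcome back, {name}!</p>"


def greeting_escaped(name):
    """Fix: HTML-escape on output, so the name is shown as text only."""
    return f"<p>Welcome back, {html.escape(name)}!</p>"


if __name__ == "__main__":
    conn = build_db()
    tautology = "' OR '1'='1"  # constructed SQLi test input
    print("vulnerable  :", lookup_vulnerable(conn, tautology))    # both users leak
    print("parameterized:", lookup_parameterized(conn, tautology))  # no match
    markup = "<script>alert(1)</script>"  # constructed XSS test input
    print(greeting_vulnerable(markup))
    print(greeting_escaped(markup))
```

Running the script shows the string-built query returning every user for the tautology input while the parameterized query returns nothing, and the escaped greeting rendering the tag as literal text rather than as script. The same two rules, bind values and escape on output, are what the automated attacks the report describes rely on sites having skipped.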
This point in the X-Force report mirrors a 2008 Webroot report of the same nature. Webroot, in a report investigating the impact of Web 2.0 on the enterprise sector, said over 80 percent of malware is now being distributed on the Web. Adding to this is the claim that businesses fall short when it comes to properly protecting themselves from the threat.
"The purpose of these automated attacks is to deceive and redirect Web surfers to Web browser exploit toolkits," said Kris Lamb, senior operations manager at X-Force Research and Development for IBM Internet Security Systems.
"This is one of the oldest forms of mass attack still in existence today. It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed. Cybercriminals target businesses because they provide an easy target to launch attacks against anyone that visits the Web," he added.
The second trend, according to X-Force, is that attackers are expanding the vector of attack. While they still exploit ActiveX and browser security issues, they also look towards new media.
Examples include exploiting Flash content for malicious activity, exploiting Adobe software and the PDF format, and targeting inter-office productivity by spamming malicious Office files (Word, PowerPoint and Excel documents) to targeted staff members.
Another discovery in the X-Force report is that, by the end of 2008, 53 percent of all vulnerabilities disclosed during the year had no vendor-supplied patches. Further, 46 percent of vulnerabilities from 2006, and 44 percent from 2007, were still left with no available patch by the end of 2008.
Moreover, 2008 was the busiest year yet for vulnerability discovery, with a 13.5 percent year-on-year increase when measured against 2007.
The full report is available online from IBM.