IBM warns enterprise security to carefully consider the cloud

IBM has finished its X-Force 2011 Trend and Risk Report, which finds that the web is becoming surprisingly safer in terms of security vulnerabilities, spam and exploits. The downside is that this is forcing cyber criminals to think outside the box to really wreak havoc.

Over the course of 2011, there was a 30 percent drop in the availability of exploit code compared to the average throughout the last four years. Software developers are to thank, according to IBM, for making the appropriate architecture and procedural changes which are necessary to stump hackers. At the same time, software vendors have been waking up to the fact that leaving public vulnerabilities unpatched is regarded as a phenomenally bad idea. IBM said that while some vulnerabilities are never patched, the percentage of those has been decreasing – down to 36 percent in 2011 from 43 percent in 2010.

XSS vulnerabilities were down in 2011 but they do still appear in approximately 40 percent of the applications IBM looks at. That is quite remarkable, IBM suggests, because it is a high level for a problem which is “well understood and able to be addressed.”

The bad news: malicious attackers are not resting on their laurels as more traditional methods are mostly quashed by the industry. Attackers are, IBM says, becoming increasingly savvy.

Although SQL injections were down 46 percent for 2011, cyber criminals have been making another attack increasingly popular: shell command injection. These attacks, which let attackers execute commands directly on the web server, were up as much as three times during the year.

It also looks like the phenomenal amount of press about password protection still has not made people take notice. Passwords such as “Dave1” or “654321” are easy targets for automated password guessing, which became more popular as well. There was a “large spike” in this kind of password guessing, particularly in the second half of the year.

As newer trends continue to proliferate, so too do the risks involved. Some CIOs and IT managers in the enterprise are worrying about Bring Your Own Device – a trend which shows absolutely no signs of slowing down. Without the right protection in place, businesses run the risk of letting exploits slip through the net – a big deal because publicly released mobile exploits rose 19 percent in 2011. Social media also became more of an obvious candidate for threats. IBM said its X-Force report noticed a massive increase in phishing emails for social media networks. More pressingly, there are other, more sophisticated attacks taking place. As social media users freely submit so much information about themselves to the web, they are opening themselves up for “pre-attack intelligence gathering” in both public and private sector networks.

Cloud has become firmly rooted as everyday terminology and, according to IBM, has moved from an emerging technology to mainstream status while still experiencing huge growth well into 2013. IBM suggests that organisations should think long and hard about which of their workloads go to which provider, and recommends that highly sensitive data stay in-house.

Liability in the cloud remains a troubling point of focus for many businesses. IBM says it encourages businesses to look very carefully at Service Level Agreements. IBM security cloud strategist Ryan Berg said in a statement: “Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer’s control. They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload.”

Killing prominent botnets has also helped significantly reduce the volume of spam traffic. IBM noted that spam volume in 2011 was down by roughly half compared with 2010. We can also thank better spam filtering technology.