IBM Security Systems

IBM X-Force 2013 Mid-Year
Trend and Risk Report
Andris Soroka
Thinker at Data Security Solutions
andris@dss.lv
23rd of October, 2013

© 2013 IBM Corporation

About Data Security Solutions
Specialization – IT Security
• IT Security consulting (vulnerability assessment tests, security audit, architecture & design, new systems integration, training, technical support)
• Innovative & selected software / hardware & hybrid solutions from leading IT Security technology vendors from over 15 different countries
• Key specializations – SIEM, MDM, NAC, DDoS protection

4th international annual conference “DSS ITSEC
2013 – IT Security is not enough” (07.11.2013)

For many companies security is like salt, people just
sprinkle it on top.

We see the whole picture in a bit more complex way.

IBM Security – Intelligence, Integration and Expertise

[Diagram: security framework areas; legend "= IBM addresses"]
• SIEM (Security Intelligence, Enterprise Compliance)
• Security Governance, Risk & Compliance
• Identity and Access Management
• Identity Management
• Access Management
• Data Security
• E-mail Security
• Application Security
• Data Loss Prevention
• Encryption and Key Lifecycle Management
• Messaging Security
• Database Monitoring and Protection
• Data Masking
• App Vulnerability Scanning
• Web Application Firewall
• App Source Code Scanning
• Web / URL Filtering
• Infrastructure Security
• Threat Assessment
• Firewall, IDS/IPS, MFS, End Point Mgmt.
• Access and Entitlement Management
• SOA Security
• Vulnerability Assessment
• Mainframe Security
• Security Event Management
• Intrusion Prevention System
• Virtual System Security

X-Force Research & Development
T.J. Watson & 8 other security research centers
IBM Kassel content security team
Managed Security Services
2,000+ security engineers in 11 centers

Note: Unlike the IBM heterogeneous security framework, Oracle focuses on the people level and (partially) the compliance, data, and application levels only.

Intelligent: Context & Correlation Drive the Deepest Insight

Sources + Intelligence = Most Accurate & Actionable Insight

End to end, IBM has a strong security competitive posture

• Intelligence, Analytics, GRC
• People
• Data
• Applications
• Infrastructure

Updated February 2013

X-Force is the foundation for advanced security and threat research across the IBM Security Framework

The mission of X-Force is to:
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public

Collaborative IBM teams monitor and analyze the changing threat landscape

Coverage
• 20,000+ devices under contract
• 3,700+ managed clients worldwide
• 15B+ events managed per day
• 133 monitored countries (MSS)
• 1,000+ security related patents

Depth
• 17B analyzed web pages & images
• 40M spam & phishing attacks
• 73K documented vulnerabilities
• Billions of intrusion attempts daily
• Millions of unique malware samples

Mid-year 2013 theme:

3 Chapters of this Trend Report presentation

Operational sophistication
Watering hole attacks
Compromised websites far from home
DDoS diversions

Security professionals should understand how attackers are taking advantage of trust in relationships to:

- Breach an organization
- Target groups of users
- Create methods of diversion

Exploiting trust is one example of attackers becoming more operationally sophisticated to breach targets.
Many breaches are not the result of custom malware and zero-day exploits; attackers look for paths of least resistance.

Security Incidents in the first half of

still reliable for breaching databases

of tracked disclosed breaches

Low risk / high reward
• Old CMS installations
• CMS Plugins
• Forum software
• Other popular 3rd party scripts

continue to disrupt businesses

High traffic volume as much as

Industries affected:
• Banks
• Governments
• DNS Providers

attacks compromise end user trust

Tainting legitimate sites with zero-day exploits
Targeting Savvy Users
• Tech company developers
• Government Employees
Unsuspecting viewers of trusted sites

foreign branch or local language sites tarnish brands
Global brands targeted in foreign countries outside of home office

Attackers rely on
• Lower security on local language sites
• Temporary micro-sites which gather user data
Tarnish brands with path of least resistance

countries most impacted by security incidents

The United States most reported breach target location

Taiwan was targeted in several foreign branch security incidents

3 Chapters of this Trend Report presentation

Targeting users and abusing trust
Economic and reputational impact
Social media Black Market
Recent advances in Android malware

has become a new playground for attackers
Social Media top target for attacks and mobile devices are expanding those targets
- Pre-attack intelligence gathering
- Criminals selling accounts
- Campaigns enticing user to click on malicious links

Economic and Reputational impact

as widespread adoption promotes both personal and business
Instead of blocking services, organizations should determine how to monitor and mitigate abuses of these platforms
- Social Media exploits can impact brand and financial loss
- Effective defense is education and to engender suspicion

wherever you go, attackers will follow
Explosive market growth for Android gets attention of malware authors
Viable targets with strong intent related to specific organizations
ROI: Malware authors are investing more effort into malware that is more resilient and dangerous

Advances in Android Malware

Chuli
Very targeted attack
- Compromised address book
- Emails sent to targets
- Hooks into Android’s SMS service
- Messages routed to remote C&C server

Obad
Spread primarily through SMS spam
- Spreading through Bluetooth
- Device Administration
- Anti-analysis techniques
- Code obfuscation

X-Force expects the number of Android Malware applications to continue rising
Degree of sophistication for this malware will eventually rival those found in desktop malware

Android Security Enhancements
Older devices more at risk with only 6% running latest version
Mobile operating system (OS) fragmentation will remain a problem

3 Chapters of this Trend Report presentation

Vulnerabilities
Exploits
Web trends
Spam and Phishing

Vulnerability Disclosures

publicly disclosed vulnerabilities
If trend continues, roughly same as 2012

Vulnerabilities affecting Mobile Software

have increased since 2009
Although still small percentage of total overall
Affecting both mobile and desktop software

Zero-Day Vulnerabilities

vulnerabilities affect Windows and OSX
Oracle Java, Adobe Flash, Microsoft IE crucial to protect & patch

Java
– 0-days quickly utilized in exploit tool kits
– Recent updates allow you to “disable” Java
– Default security settings are now “high”

Adobe Flash
– Most common delivery method, since 2010 Reader sandbox, is via MS Office docs

Microsoft Internet Explorer
– Very targeted attacks and watering hole technique

How to do better:
• Reduce attack surface
• Update installed software
• Get educated on spear-phishing

Exploit Effort vs. Potential Reward

IE & Java targeted
Easy exploitation with high potential reward – still the sweet spot

Web Application Vulnerabilities

of all web application vulnerabilities are XSS
Total slightly down in comparison to 2012

Content Management System plug-ins continue to provide soft targets

Attackers know that CMS vendors more readily address and patch their exposures compared to smaller organizations and individuals producing the add-ons and plug-ins

Consequences of Exploitation

“gain access”
Provides attacker complete control of system to steal data or launch other attacks

Scam and Phishing Targets

bad links and attachments
- Social networks
- Payment / shops
- Scanners / Fax

Malware Hosting

malware distributed in U.S.
Germany in second at nearly 10%

Botnet Command & Control Hosting

botnet C&C servers in U.S.
Russia in second at nearly 10%

Key takeaways for
Don’t forget the basics
scanning, patching, configurations, passwords

Social Defense needs Socialization
educate users and engender suspicion

Defragment your Mobile posture
constantly apply updates and review BYOD policies

Optimize ahead of Attackers
identify critical assets, analyze behavior, spot anomalies

IBM Security Systems
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
 
Digitala Era 2017 - ALSO - Artjoms Krūmiņš - Personas datu regulas (EU GDPR) ...
Digitala Era 2017 - ALSO - Artjoms Krūmiņš - Personas datu regulas (EU GDPR) ...Digitala Era 2017 - ALSO - Artjoms Krūmiņš - Personas datu regulas (EU GDPR) ...
Digitala Era 2017 - ALSO - Artjoms Krūmiņš - Personas datu regulas (EU GDPR) ...Andris Soroka
 
Digitala Era 2017 - ZAB Skopiņa & Azanda - Jūlija Terjuhana - Tiesības uz dat...
Digitala Era 2017 - ZAB Skopiņa & Azanda - Jūlija Terjuhana - Tiesības uz dat...Digitala Era 2017 - ZAB Skopiņa & Azanda - Jūlija Terjuhana - Tiesības uz dat...
Digitala Era 2017 - ZAB Skopiņa & Azanda - Jūlija Terjuhana - Tiesības uz dat...Andris Soroka
 
Digitala Era 2017 - IT Centrs - Agris Krusts - Latvijas iedzīvotāju digitālo ...
Digitala Era 2017 - IT Centrs - Agris Krusts - Latvijas iedzīvotāju digitālo ...Digitala Era 2017 - IT Centrs - Agris Krusts - Latvijas iedzīvotāju digitālo ...
Digitala Era 2017 - IT Centrs - Agris Krusts - Latvijas iedzīvotāju digitālo ...Andris Soroka
 
Digitala Era 2017 - DSS.LV - Arturs Filatovs - Datu Aizsardzības Tehnoloģiskā...
Digitala Era 2017 - DSS.LV - Arturs Filatovs - Datu Aizsardzības Tehnoloģiskā...Digitala Era 2017 - DSS.LV - Arturs Filatovs - Datu Aizsardzības Tehnoloģiskā...
Digitala Era 2017 - DSS.LV - Arturs Filatovs - Datu Aizsardzības Tehnoloģiskā...Andris Soroka
 
Digitala Era 2017 - DSS.LV - Arturs Filatovs - Mobilitāte un Personas Datu Dr...
Digitala Era 2017 - DSS.LV - Arturs Filatovs - Mobilitāte un Personas Datu Dr...Digitala Era 2017 - DSS.LV - Arturs Filatovs - Mobilitāte un Personas Datu Dr...
Digitala Era 2017 - DSS.LV - Arturs Filatovs - Mobilitāte un Personas Datu Dr...Andris Soroka
 
Digitala Era 2017 - DSS.LV - Andris Soroka - Personas datu regulas tehnoloģis...
Digitala Era 2017 - DSS.LV - Andris Soroka - Personas datu regulas tehnoloģis...Digitala Era 2017 - DSS.LV - Andris Soroka - Personas datu regulas tehnoloģis...
Digitala Era 2017 - DSS.LV - Andris Soroka - Personas datu regulas tehnoloģis...Andris Soroka
 

DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013

  • 1. IBM Security Systems IBM X-Force 2013 Mid-Year Trend and Risk Report Andris Soroka Thinker at Data Security Solutions andris@dss.lv 23rd of October, 2013 © 2013 IBM Corporation 1 © 2012 IBM Corporation
  • 2. About Data Security Solutions Specialization – IT Security • IT Security consulting (vulnerability assessment tests, security audit, architecture & design, new systems integration, training, technical support) • Innovative & selected software / hardware & hybrid solutions from leading IT Security technology vendors from over 15 different countries • Key specializations – SIEM, MDM, NAC, DDoS protection
  • 3. 4th international annual conference “DSS ITSEC 2013 – IT Security is not enough” (07.11.2013)
  • 4. For many companies security is like salt, people just sprinkle it on top.
  • 5. We see the whole picture in a bit more complex way.
  • 6. We see the whole picture in a bit more complex way.
  • 7. We see the whole picture in a bit more complex way.
  • 8. We see the whole picture in a bit more complex way.
  • 9. We see the whole picture in a bit more complex way.
  • 10. IBM Security – Intelligence, Integration and Expertise: SIEM (Security Intelligence, Enterprise Compliance); Security Governance, Risk & Compliance; = IBM addresses; Identity and Access Management; Identity Management; Access Management; Data Security; E-mail Security; Application Security; Data Loss Prevention; Encryption and Key Lifecycle Management; Messaging Security; Database Monitoring and Protection; Data Masking; App Vulnerability Scanning; Web Application Firewall; App Source Code Scanning; Web/URL Filtering; Infrastructure Security; Threat Assessment; Firewall, IDS/IPS, MFS, End Point Mgmt.; Access and Entitlement Management; SOA Security; Vulnerability Assessment; Mainframe Security; Web/URL Filtering; Security Event Management; X-Force Research & Development, T.J. Watson & 8 other security research centers; Intrusion Prevention System; Virtual System Security; IBM Kassel content security team; Managed Security Services, 2,000+ security engineers in 11 centers. Note: Unlike the IBM heterogeneous security framework, Oracle focuses on the people level and (partially) the compliance, data, and application levels only.
  • 11. Intelligent: Context & Correlation Drive the Deepest Insight Sources + Intelligence = Most Accurate & Actionable Insight
  • 12. End to end, IBM has a strong security competitive posture Intelligence, Analytics, GRC People Data Applications Infrastructure Updated February 2013
  • 13. X-Force is the foundation for advanced security and threat research across the IBM Security Framework The mission of X-Force is to: Monitor and evaluate the rapidly changing threat landscape; Research new attack techniques and develop protection for tomorrow’s security challenges; Educate our customers and the general public
  • 14. Collaborative IBM teams monitor and analyze the changing threat landscape Coverage 20,000+ devices under contract 3,700+ managed clients worldwide 15B+ events managed per day Depth 17B analyzed web pages & images 40M spam & phishing attacks 73K documented vulnerabilities 133 monitored countries (MSS) Billions of intrusion attempts daily 1,000+ security related patents Millions of unique malware samples
  • 15. Mid-year 2013 theme:
  • 16. 3 Chapters of this Trend Report presentation Operational sophistication Watering hole attacks Compromised websites far from home DDoS diversions
  • 17. Security professionals should understand how attackers are taking advantage of trust in relationships to: - Breach an organization - Target groups of users - Create methods of diversion
  • 18. Exploiting trust is one example of attackers becoming more operationally sophisticated to breach targets Many breaches are not the result of custom malware and zero-day exploits; attackers look for paths of least resistance
  • 19. Security Incidents in the first half of
  • 20. still reliable for breaching databases of tracked disclosed breaches Low risk / high reward Old CMS installations CMS Plugins Forum software Other popular 3rd party scripts
  • 21. continue to disrupt businesses High traffic volume as much as Industries affected: Banks Governments DNS Providers
  • 22. attacks compromise end user trust Tainting legitimate sites with zero-day exploits Targeting Savvy Users Tech company developers Government Employees Unsuspecting viewers of trusted sites
  • 23. foreign branch or local language sites tarnish brands Global brands targeted in foreign countries outside of home office Attackers rely on Lower security on local language sites Temporary micro-sites which gather user data Tarnish brands with path of least resistance
  • 24. countries most impacted by security incidents The United States most reported breach target location Taiwan was targeted in several foreign branch security incidents
  • 25. 3 Chapters of this Trend Report presentation Targeting users and abusing trust Economic and reputational impact Social media Black Market Recent advances in Android malware
  • 26. has become a new playground for attackers Social Media top target for attacks and mobile devices are expanding those targets - Pre-attack intelligence gathering - Criminals selling accounts - Campaigns enticing user to click on malicious links
  • 27. Economic and Reputational impact as widespread adoption promotes both personal and business Instead of blocking services, organizations should determine how to monitor and mitigate abuses of these platforms - Social Media exploits can impact brand and financial loss - Effective defense is education and to engender suspicion
  • 28. wherever you go, attackers will follow Explosive market growth for Android gets attention of malware authors Viable targets with strong intent related to specific organizations ROI: Malware authors are investing more effort into malware that is more resilient and dangerous
  • 29. Advances in Android Malware Chuli: Very targeted attack - Compromised address book - Emails sent to targets - Hooks into Android’s SMS service - Messages routed to remote C&C server Obad: Spread primarily through SMS spam - Spreading through Bluetooth - Device Administration - Anti-analysis techniques - Code obfuscation
  • 30. X-Force expects the number of Android Malware applications to continue rising Degree of sophistication for this malware will eventually rival those found in desktop malware Android Security Enhancements Older devices more at risk with only 6% running latest version Mobile operating system (OS) fragmentation will remain a problem
  • 31. 3 Chapters of this Trend Report presentation Vulnerabilities Exploits Web trends Spam and Phishing
  • 33. Vulnerabilities affecting Mobile Software have increased since 2009 Although still small percentage of total overall Affecting both mobile and desktop software
  • 34. Zero-Day Vulnerabilities vulnerabilities affect Windows and OSX
  • 35. Oracle Java, Adobe Flash, Microsoft IE crucial to protect & patch Java – 0-days quickly utilized in exploit tool kits – Recent updates allow you to “disable” java – Default security settings are now “high” Adobe Flash – Most common delivery method, since 2010 Reader sandbox, is via MS Office docs Microsoft Internet Explorer – Very targeted attacks and water hole technique How to do better: • Reduce attack surface • Update installed software • Get educated on spear-phishing
  • 36. Exploit Effort vs. Potential Reward IE & Java targeted Easy exploitation with high potential reward – still the sweet spot
  • 37. Web Application Vulnerabilities of all web application vulnerabilities are XSS Total slightly down in comparison to 2012
  • 38. Content Management System plug-ins continue to provide soft targets Attackers know that CMS vendors more readily address and patch their exposures compared to smaller organizations and individuals producing the add-ons and plug-ins
  • 39. Consequences of Exploitation “gain access” Provides attacker complete control of system to steal data or launch other attacks
  • 40. Scam and Phishing Targets bad links and attachments - Social networks - Payment / shops - Scanners / Fax
  • 41. Malware Hosting malware distributed in U.S. Germany in second at nearly 10%
  • 42. Botnet Command & Control Hosting botnet C&C servers in U.S. Russia in second at nearly 10%
  • 43. Key takeaways for Don’t forget the basics scanning, patching, configurations, passwords Social Defense needs Socialization educate users and engender suspicion Defragment your Mobile posture constantly apply updates and review BYOD policies Optimize ahead of Attackers identify critical assets, analyze behavior, spot anomalies
  • 44. IBM Security Systems Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. 
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
  • 45. 4th international annual conference “DSS ITSEC 2013 – IT Security is not enough” (07.11.2013)

Editor's notes

  1. Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework. The rest of this deck will talk to the specific capabilities of this team, as well as some specific integration points between the X-Force research and the products to which they add value.
  2. IBM X-Force has a long-standing history as one of the best-known commercial security research and development groups in the world. It can leverage security expertise across IBM to better understand what is happening in security. It has numerous intelligence sources: a database of more than 73k security vulnerabilities, monitored every day; a global web crawler; and international spam collectors. It works closely with the IBM managed security services group, which monitors over 15B security events every day from nearly 4,000 security clients in over 133 countries. All of this is done to stay ahead of continuing threats for our customers. Our global web crawler is probably the world's third largest, behind Google and Bing. It crawls the web, and we have analyzed and classified over 17B web pages. X-Force is particularly interested in files, images, or pages that contain malicious links or content. The team in Kassel, Germany, that builds our web crawler also developed an anti-spam product. We have spam traps around the world and receive large amounts of spam, so that we can analyze and understand the different types and preemptively block that spam. Our work covers 4 key areas: Research; Engines; Content Delivery; and Industry/Customer deliverables, such as this X-Force report, blogs, articles, presentations and speaking engagements.
  3. Attackers are optimizing their operations around many key initiatives, which include a path of least resistance to reach the largest number of potential targets for the minimal amount of exploit effort. For example, attackers are optimizing various points of weak entry: the exploitation of trust via social media; coordinated operations leaking user data as well as exploiting weak entry points into global brands, such as foreign local-language or franchise sites; mobile malware on Android devices as the market expands; takeover of central strategic targets to access and exploit a broader base of end users; and diversion and distraction techniques that throw security administrators off the path while targets are breached under cover. Cross-platform 0days were an optimization story as well.
  4. Examples that demonstrate diminished trust: enterprises that trust that the correct security procedures and policies are implemented on their networks, but are shown otherwise by the high breach activity that continues; users who trust that a company is protecting their personal data; enterprises that “want to trust” the growing wave of infrastructure that is social media and mobile as it expands the fluidity of our lives; network and security admins who trust that “old attack methods and historic vulnerabilities” are not as important as other more current issues; and software developers and technical, security-savvy people who visit a trusted site not thinking that they have to protect themselves from drive-by downloads.
  5. What we are attempting to demonstrate in this graphic are the types of “Operational Sophistication” that are being utilized in many of these recent breaches and security incidents. It doesn’t mean there is no technical sophistication, because there can be, but what we see are attackers organizing strongly to create return on their development investments, getting, if you will, “the biggest bang for the buck!” They often look first for the path of least resistance. Some examples seen are: attackers are organized and well funded (maintenance of botnets and ability to evolve techniques); attackers are using social media and other public info to target key individuals (persons of interest); spear phishing is still a common point of entry to get a foothold; they are using "watering hole" techniques, where they scope out where potential targets might congregate (like putting a Java vuln on the Mobile Dev site that resulted in infection of Apple and Facebook developers); other "tried and true" techniques, like XSS to target individuals and SQLi to breach web servers; and a layered approach, for example vulnerable CMS systems that are easily taken over to install malware/bots, which are then used to DDoS other targets.
  6. 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011. In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012. This year kicked off with a number of high-profile sophisticated attacks on major websites, media, and tech companies.
  7. Based on the incidents we have covered, SQL Injection (SQLi) remains the most common breach paradigm. We have not been surprised by this as SQLi is the most direct way to gain access to records in the database. In terms of return on exploit, SQLi is an effective attack of opportunity, where automated scripts can scan wide ranges of potential targets that run common web application software with known SQLi vulnerabilities. Several of the incidents displayed in the graphic were the result of unpatched or vulnerable web forums or other widely used third party products.
  8. High volume distributed denial-of-service (DDoS) attacks against prominent targets persisted from 2012 into the first half of this year. The banking industry has been heavily attacked, causing downtime and business interruptions for online banking customers. Spamhaus, a non-profit organization dedicated to tracking spam abuse, was hit with what some consider to be the largest DDoS attack in the world, with traffic rates reported as high as 300 Gbps. These high bandwidth DDoS attacks escalated last year and continue to present a challenge in terms of successful attack mitigation. DDoS incidents also continue to provide an excellent distraction technique where the true motivation is to breach systems under the cover of the DDoS attack. Targeting the DNS provider is another example of the pattern of attacking a centralized strategic target to reach a larger group of potential victims.
  9. A relatively recent attack type—and newly debuting on our charts this time—is the watering hole attack. Attackers have successfully breached several high tech companies by injecting browser exploits on websites frequently visited by targeted employees. These exploits lead to trojan malware installation. This same type of attack has also been used this year to target government employees. Watering hole attacks are good examples of operational sophistication because they reach a large number of select targets by compromising a single centralized location. In contrast, with spear phishing for example, an attacker has to individually connect with a larger group of people and only a small percentage might be successfully compromised. Often these attacks are successful because there is enough traffic from target organizations, and by nature they break through a certain layer of trust between the target and what the target believes is a legitimate and safe website.
  10. Companies often have local language websites representing their brand, but these sites are not always secured with the same standard as the sites at the home office. Such was the case with several well-known brands that suffered damage to their reputation as well as legal implications for leaking large amounts of customer data. These types of leaks affected the food, consumer electronics, automotive, and entertainment industries in particular.
  11. In the breaches tracked by IBM X-Force and in terms of the country where the attack target was located, the United States is the country with the most disclosed breaches by a large margin. This could be based on the fact that many websites are operated from the United States, or possibly that it is more common that U.S. companies and websites are disclosing publicly.
  12. Because attackers have learned to monetize social media vulnerabilities, a black market has cropped up to trade compromised and fabricated accounts on social media sites. Criminals are selling accounts on social networking sites, some belonging to actual people whose credentials were compromised, others fabricated and designed to be credible through realistic profiles and a web of connections. At a minimum, their use is to inflate page ‘likes’ or falsify reviews, though more insidious uses include hiding one's identity to conduct criminal activities: the online equivalent of a fake ID, but with testimonial friends, adding to the deception.
  13. Social media exploits affect more than individuals; they can negatively impact enterprise brand reputation and cause financial losses. IBM X-Force expects to see these newer applications of social engineering become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims. Users must adopt a mindset of guilty until proven innocent when it comes to social media, and companies should engender suspicion to protect users and assets. Technology advancements and controls are available, and best practices continue to be refined and taught, but ultimately the trust the user believes they have may circumvent anything security practitioners put into place. Technology controls are in place, but are often either not enabled or are circumvented by the user’s extended network. The only effective defense is education and to engender suspicion.
  14. Obad was spread primarily through short message service (SMS) spam, and gained attention in June 2013 when it was dubbed “The most sophisticated Android Trojan.” We have seen the core functionality of Obad, such as information stealing and premium SMS sending, in other Android malware before, but the features that made it stand out include: spreading through Bluetooth, device administration, anti-analysis techniques and code obfuscation. X-Force believes this release is significant in that it reveals how malware authors are now investing more effort into creating increasingly resilient and dangerous Android malware.
  15. In the past few years, there has been an explosive growth in Android devices, and malware authors are turning their attention to that area of growth. As the number of users who own and operate Android devices is rapidly expanding, so too have malware authors increased their effort to take advantage of this larger market. Within the report, we discuss two types of Android malware that entered the stage in 2013: Obad and Chuli. We also discuss some of the security enhancements and steps that could help thwart malware. When the email is opened, it (Chuli) displays a message about the conference. In the background, Chuli sets up hooks into Android’s SMS service so that it can intercept incoming SMS messages and send them to a remote Command and Control (C&C) server. It also sends the user’s SMS history, call history, contacts, and geolocation to the C&C server. Chuli is a very targeted attack and is only intended for specific individuals, thus the risk of infection to the common user is low. The existence of this malware indicates that Android users are increasingly becoming viable targets for these types of sophisticated attacks. Of course, in this case, the sophistication is related to the organization and intent of the attack; the raw technology in Chuli is not particularly novel. 2013 witnessed the release of a Trojan named Obad, which is notable for some new and technically sophisticated features. X-Force believes this release is significant in that it reveals how malware authors are now investing more effort into creating increasingly resilient and dangerous Android malware.
Obad was spread primarily through SMS spam, and gained attention in June 2013 when it was dubbed “The most sophisticated Android Trojan.” We have seen the core functionality of Obad – such as information stealing and premium SMS sending – in other Android malware before, but the features that made it stand out include: spreading through Bluetooth, device administration, anti-analysis techniques and code obfuscation.
  16. Older mobile devices are even more vulnerable as only 6% of Android devices are running the latest version of the platform which has the security enhancements needed to combat these threats. For the rest of 2013, X-Force expects to see the number of Android malware apps continuing to rise. We also anticipate that the degree of sophistication for this malware will eventually rival those found in desktop malware. There could be more improvements to combat malware in future versions of Android, but we believe that OS fragmentation (older versions that are being used as much as newer ones) will remain a problem.   Footnote link: http://developer.android.com/about/dashboards/index.html
  17. In the first half of 2013, we entered just over 4,100 new publicly reported security vulnerabilities. If this trend continues throughout the rest of the year, the projected total would approach 8,200 vulnerabilities, virtually the same number we saw in 2012.
  18. Although vulnerabilities affecting mobile applications and operating systems represent a relatively small percentage of total disclosures (projected at just over four percent in 2013), we have seen the total number of disclosures increase significantly since 2009 when mobile vulnerabilities represented less than one percent of total disclosures. After a substantial jump in 2009, the number decreased slightly from 2010 to 2011 before another substantial jump in 2012. Many of the vulnerabilities affecting mobile platforms originate in components that are used in both mobile and desktop software. The remaining vulnerabilities are specific to mobile applications and represent a large portion of the increase in disclosures seen in 2012 and 2013. One significant development of note regarding mobile vulnerabilities in 2013 has to do with the number of public exploits available. In 2013, fewer than 30 percent of all mobile disclosures had public exploits or proof-of-concept code available. In comparison, only nine percent of mobile vulnerabilities disclosed between 2009 and 2012 had public exploits. Most of these exploits are targeted specifically towards mobile applications and are primarily disclosed on popular public exploit repositories.
  19. Another example of how attackers are increasing their return on exploit is in the way they are targeting cross-platform services to reach a maximum number of potential targets. It is worth noting that almost 80 percent of the zero-day vulnerabilities covered by IBM X-Force in the first half of 2013 were exploitable on both Microsoft Windows and Apple Mac OS X. Nearly half were also exploitable on some Linux distributions. This cross-platform reach emphasizes the operational sophistication which has been utilized for widespread exploitation.
  20. Java: The first was made in the Java 7u10 release, which was the addition of a feature to easily disable Java in a browser. The second important change was made in the Java 7u11 release, which was the change of the default security settings level to “High”, which means that the user is prompted before running unsigned Java applications in the browser. This latter change makes it less attractive for attackers to use Java exploits because of the added effort to create an exploit. Adobe Flash: Adobe noted that since the introduction of the Reader sandbox in 2010, the most common delivery method for Flash Player zero-day attacks had been Office documents. In addition to the first two Flash zero-day attacks discussed earlier, a notable example of this is the RSA breach in 2011, in which attackers embedded a Flash zero-day exploit in an Excel document. IE: September 2013: watering hole attack in Japan (CVE-2013-3893), affecting all versions of IE, with exploit code readily available. In June, Microsoft reported and patched a zero-day vulnerability (CVE-2013-1331) in Microsoft Office. Microsoft describes the initial attacks as extremely targeted. This is why not much was known about the attack before the Microsoft advisory was published. The vulnerability affected the latest version of Office for Mac (Office 2011) but only affected an older version of Office in Windows (Office 2003).
  21. As cyber-attacks intensify, monitoring the numerous vulnerability disclosures every day becomes daunting. Within IBM X-Force, we track publicly issued vulnerabilities through a triage process to identify which ones are most likely to be used in an attack, and then determine which ones require deeper research. By performing this review, we recognize that all vulnerabilities are characterized by two factors: the exploit “potential reward” that entices the attacker and the “exploit effort to achieve” that deters the attacker from further development. The exploit-probability matrix is devised by charting the “exploit reward” and “exploit effort to achieve” along the axes. By assigning vulnerabilities to the appropriate quadrant, it becomes clear which are favored by attackers. As illustrated in the exploit-probability matrix, easy exploitation with high potential reward (aka target impact) is still the sweet spot for the most prevalent attacks.
  22. Web Application vulnerabilities, which have been on the rise in recent years, are down slightly in 2013. More than half of all web application vulnerabilities are cross-site scripting.
  23. Most of these fall into the category of third party add-ons or plug-ins for Content Management Systems. Content Management System (CMS) programs are some of the most widely deployed software on the World Wide Web because of their ease of use, utility, and simplicity to maintain and administer. Attackers like to target these systems to find vulnerabilities and flaws that they can exploit. Because CMS applications and their plugins are web enabled, they can often be targeted with automated scanning tools to identify web application vulnerabilities. In addition to automation, attackers will also manually review CMS applications and plugins.
  24. The most prevalent consequence of vulnerability exploitation for the 1st half of 2013 was “gain access” at 28 percent of all vulnerabilities reported. In most cases, gaining access to a system or application provides the attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from that system.
  25. The top three campaigns observed, enticing users to click on bad links and attachments in emails, are Internet payment companies, social networks, and internal scanners or fax devices. Together these three focus areas account for more than 55 percent of all scam and phishing incidents.
  26. In countries where malware is distributed, we see the United States dominates the scene by hosting more than 42 percent of all malicious links. The geography with the second highest concentration of malicious links is Germany, with nearly 10 percent.
  27. The country with the largest number of C&C servers in the month of June 2013, with nearly one-third of all C&C servers, is the United States. The country with the second highest number of C&C servers is Russia, with nearly 10 percent. Germany, South Korea, China, and the United Kingdom are close together, hosting between 7.0 and 4.2 percent of the C&C servers.
  28. IBM X-Force continues to see operationally sophisticated attacks as the primary point of entry. Social Media Insights: We expect to see applications of psychological manipulation become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims. Technology controls are in place, but are often either not enabled or are circumvented by the user's extended network. The only effective defense is education and to engender suspicion. Mobile Device Malware Insights: X-Force recommends Android users check to see if a firmware update is available and consider upgrading. CISOs should also review their bring your own device (BYOD) security policies and their risk assessment of which devices and device profiles are allowed access. Poisoning the Watering Hole Insights: Website administrators can help lower the risk of your website being compromised from a watering hole attack by: hardening your servers, ensuring currency of software and web applications, and hardening client machines used to log into servers. Distraction and Diversion Insights: As the scope and frequency of data breaches continue in an upward trajectory, a return to basic security fundamentals is essential. Throughout the IBM X-Force 2013 Mid-Year Trend and Risk Report we look at many facets of secure computing from both the IT and network administrative perspective, as well as for end users. While technical mitigation is a necessity, conditioning users throughout the enterprise to view security as a mindset—not an exception—can go a long way toward reducing these incidents. Old Techniques, New Success Insights: Some of these gaps could be prevented by maintaining a consistent, high level of patching on both endpoints and servers. Keeping software and operating systems at the most current versions is another preventative measure. 
And even best practice security policy enforcement, such as enforcing the use of strong passwords, using different passwords for different accounts, and enabling two-factor authentication can help.
  29. Mandatory Thank You Slide (available in English only).