Cybercrime is growing in both frequency and sophistication. We all know it is out there but do we know what to look for? Do we know how to combat it? Arm yourself with the latest updates from the X-Force Report of current security risks & trends happening today and our solutions from Trusteer to help you stay one step ahead of cybercriminals.
View the full on-demand webcast: https://www2.gotomeeting.com/register/826914418
Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework.
With more than 6,000 researchers, developers and subject matter experts engaged in security initiatives, IBM operates one of the world's broadest enterprise security research, development and delivery organizations. This powerful combination of expertise is made up of the award-winning X-Force research and development team, with one of the largest vulnerability databases in the industry, and includes nine security operations centers, nine IBM Research centers, 14 software security development labs and the IBM Institute for Advanced Security with chapters in the United States, Europe and the Asia Pacific region.

Security Operations Centers: Atlanta, Georgia; Boulder, Colorado; Brussels, Belgium; Tokyo, Japan; Brisbane, Australia; Hortolandia, Brazil; Bangalore, India; Wroclaw, Poland
(Slide correction note: NO: Detroit, Michigan; Toronto, Canada; ADD: Riyadh, Saudi Arabia; Heredia, Costa Rica)
Security Research Centers: Yorktown Heights, NY; Atlanta, GA; Almaden, CA; Ottawa, Canada; Zurich, CH; Kassel, DE; Herzliya, IL; Haifa, IL; New Delhi, IN; Tokyo, JP
Security Development Labs: Littleton, MA; Raleigh, NC; Atlanta, GA; Austin, TX; Costa Mesa, CA; Fredericton, Canada; Toronto, CAN; Ottawa, CAN; Belfast, NIR; Delft, NL; Pune, IN; Bangalore, IN; Taipei, TW; Singapore, SG; Gold Coast, AU
Note: IBM patent search performed by Paul Landsberg, IBM IP Office
IBM X-Force has a long-standing history as one of the best known commercial security research and development groups in the world. It can leverage security expertise across IBM to better understand what is happening in security, and it has numerous intelligence sources:
- A database of more than 76k security vulnerabilities, monitored every day
- A global web crawler
- International spam collectors
- Close work with the IBM managed security services group, which monitors over 15B security events every day from nearly 4,000 security clients in over 133 countries
All of this is done to stay ahead of continuing threats for our customers.

Our global web crawler is probably the world's third largest behind Google and Bing. It crawls the web, and we have analyzed and classified over 17B web pages. X-Force is particularly interested in files, images, or pages that contain malicious links or content. The team in Kassel, Germany, which builds our web crawler, also developed an anti-spam product. We have spam traps around the world and receive large amounts of spam so that we can analyze and understand the different types and preemptively block that spam.

Our work covers 4 key areas:
- Research
- Engines
- Content delivery
- Industry/customer deliverables, such as this X-Force report, blogs, articles, presentations and speaking engagements
Attackers are optimizing their operations around many key initiatives, which include a path of least resistance to reach the largest number of potential targets for the minimal amount of exploit effort. For example, attackers are optimizing various points of weak entry:
- The exploitation of trust via social media.
- Coordinated operations leaking user data, as well as exploiting weak entry points into global brands such as foreign local-language or franchise sites.
- Mobile malware targeting Android devices as the market expands.
- Takeover of central strategic targets to access and exploit a broader base of end users.
- Diversion and distraction techniques which throw security administrators off path while breaching targets under cover.
- Cross-platform 0-days were an optimization story as well.
2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011 [1]. In the first half of 2013, security incidents had already surpassed the total number reported in 2011 and were on track to surpass 2012. This year kicked off with a number of high-profile sophisticated attacks on major websites, media, and tech companies.
Figure 3 illustrates the possible financial impact of a data breach that an organization of any size might face, in terms of fines, loss of intellectual property, loss of customer trust, loss of capital, etc. Additionally, of the sampling of security incidents reported by X-Force in 2013, in terms of the country where the attack target was located, more than three quarters continue to occur in the United States. This could be because many websites are operated from the United States, or possibly because it is more common for U.S. companies and websites to disclose incidents publicly.
Attackers use spear-phishing messages to draw users to websites that contain hidden malicious Java applets (exploit sites). Once the user accesses the exploit site, the hidden Java applet exploits vulnerabilities to cause a chain of events that ends with the delivery of the malware to the user's machine, without the user's awareness. Fifty percent (50%) of the exploits observed by X-Force malware research (Trusteer) in December 2013 targeted Java vulnerabilities, indicating that Java is a high-risk application and a top target that exposes organizations to attacks.
MH note: maybe hint we still didn't reach 10K vulnerabilities in a year, even though we modified the CVE number scheme to handle it, just thinking of interesting things to talk about.

The declines in vulnerabilities demonstrated at the end of 2013 in both XSS and SQL injection, shown in Figure 11, could indicate that developers are doing a better job at writing secure web applications, or possibly that traditional targets like content management systems (CMSs) and plug-ins are maturing as older vulnerabilities have been patched. As noted previously, XSS and SQL injection exploitation continue to be observed in high numbers, indicating there are still legacy systems or other unpatched web applications that remain vulnerable. This is expected, considering there are many thousands of blogs and other websites run by individuals who may not have the skills or awareness to update to later versions of their platform or framework.
The most prevalent consequence of vulnerability exploitation was "Gain Access" at 26% of all vulnerabilities reported in 2013. Cross-Site Scripting was the second most prevalent consequence at 18% and typically involves attacks against Web applications.
However, vulnerabilities in key reporting areas such as web applications, Cross-Site Scripting, and SQL injection all demonstrated downward trends in 2013. Overall, web application vulnerabilities accounted for 33 percent of those publicly reported, down from 43 percent in 2012. The declines in vulnerabilities demonstrated at the end of 2013 in both XSS and SQL injection could indicate that developers are doing a better job at writing secure web applications, or possibly that traditional targets like CMS systems and plug-ins are maturing as older vulnerabilities have been patched. As noted, XSS and SQL injection exploitation continue to be observed in high numbers, indicating there are still legacy systems or other unpatched web applications which remain vulnerable. This is expected, considering there are many thousands of blogs and other websites operated by individuals who may not have the skills or awareness to update to later versions of their platform or framework.
X-Force catalogs two categories of exploit: exploit and true exploit. Simple snippets with proof-of-concept code are counted as exploits, while fully functional programs capable of standalone attacks are categorized separately as true exploits. Publicly available and disclosed true exploits have continued to decrease over the past five years to the lowest levels we've seen since 2006. At the end of 2012 we reported that total true exploits were still down overall, and at the end of 2013 we see this trend continue.
MH already talked about this. Unpatched vulnerabilities are a big problem. Did you know that 60% of exploits target 1-2 year old vulnerabilities?
Java is a widely deployed, high-risk application that exposes organizations to advanced attacks. The number of Java vulnerabilities has continued to rise over the years, and 2013 was no exception. The number of reported Java vulnerabilities jumped significantly between 2012 and 2013, more than tripling.
Java applicative exploits are more difficult to defend against because they allow the applet to gain unrestricted privileges, which makes malicious activities seem legitimate at the OS level. This means that, unlike native exploits, Java applicative exploits completely bypass native OS-level protections. Plus, Java applicative exploits don't generate a buffer overflow, and hence are not prevented by methods such as DEP, ASLR, SEHOP and others.

A native exploit, by contrast, results in running native shell code. This type of exploit is accomplished by techniques that include buffer overflow, use-after-free and more.