
Friday, February 6, 2009

X-Force Is With You...


IBM has released its 2008 X-Force Security Report. Since I've been detailing how unsafe it is to do e-commerce in a Web browser space (7 words - You should be SwipePIN instead of Typin'), I thought I'd share some statistics to back it up.

X-Force Trend Statistics Report

The X-Force produces the X-Force Trend Statistics report twice per year, once at the end of each year and once at mid-year. These reports provide statistical information about all aspects of threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber-criminal activity. The information in this report is for customers, fellow researchers, and the public at large and is intended to help others understand the changing nature of the threat landscape and what might be done to mitigate it.

First, let's flash back and take a look at the leading paragraph from last year's release:

"ARMONK, NY - 11 Feb 2008:
IBM (NYSE: IBM) today released the findings of the 2007 X-Force Security report, detailing a disturbing rise in the sophistication of attacks by criminals on Web browsers worldwide. According to IBM, by attacking the browsers of computer users, cybercriminals are now stealing the identities and controlling the computers of consumers at a rate never before seen on the Internet."

Here are some personally selected highlights:
Web-Related Security Threats

• The number of new malicious Web sites in the fourth quarter of 2008 alone surpassed the number seen in the entirety of 2007 by 50 percent. Last year, China replaced the US as the most prolific host of malicious Web sites.
 
• Browser-related vulnerabilities were still overwhelmingly the largest share of critical and high vulnerabilities affecting personal computers in 2008 (52 percent of all criticals and highs).

• Even good Web sites are facing more issues. Web applications, in particular, are increasingly vulnerable and highly profitable targets that help the criminal underground build botnet armies.

• Web applications in general have become the Achilles' heel of corporate IT security. Nearly 55% of all vulnerability disclosures in 2008 affected Web applications, and this number does not include custom-developed Web applications (only off-the-shelf packages). 74 percent of all Web application vulnerabilities disclosed in 2008 had no available patch by the end of 2008.

• Last year, SQL injection jumped 134 percent and replaced cross-site scripting as the predominant type of Web application vulnerability.

• Exploitation of Websites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008.

• In addition to these vulnerabilities, many Web sites request the use of known vulnerable ActiveX controls, which leave Web site visitors who do not have updated browsers in a compromised position.

• The majority of phishing – nearly 90 percent – was targeted at financial institutions. Over 99% of all financial phishing targets are in North America or Europe, with the majority of targets in North America (58.4 percent).

• The days of amateurs, college students, or hackers taking joy rides on corporate information systems are largely over. Today’s attackers are economically motivated. They are international criminal organizations who make a living stealing financial information and identities.
 

Remotely Exploitable Vulnerabilities
The most significant vulnerabilities are those that can be exploited remotely, because they do not require physical access to a vulnerable system. Remote vulnerabilities can be exploited over the network or Internet, while local vulnerabilities need direct system access.

2008 marks the third straight year where the percentage of remotely exploitable vulnerabilities has reached a record high.

In 2008, they represented 90.2 percent of all vulnerabilities, up from 89.4 percent and 88.4 percent in 2007 and 2006 respectively.

A factor in the increase over the past few years is the growing number of Web application vulnerabilities, which are typically remotely exploitable and make up an ever-growing percentage of the overall vulnerability count. See figure 14 above.
To take a look at the full 106-page PDF, click here.