Security arms race heats up, but IT battles back against attacks

"The number of fronts of risk and war, as some people call it, are definitely multiplying," says Clinton McFadden, senior operations manager for IBM X-Force research and development, which just released the results of its X-Force 2012 Mid-Year Trend and Risk Report.

McFadden points to a sharp increase in browser-related exploits, increasingly sophisticated advanced persistent threats (APTs), including APTs that are successfully targeting Macs, and rising concern around mobile devices and bring-your-own-device (BYOD) programs.

"We've seen an increase in the number of sophisticated and targeted attacks, specifically on Macs and exposed social network passwords," he adds. "As long as these targets remain lucrative, the attacks will keep coming and, in response, organizations must take proactive approaches to better protect their enterprises and data."


As an example of the arms race, the X-Force report points to an incident last year: "In one case, attackers bypassed two-factor authentication, commonly thought to be almost failsafe, simply by convincing a mobile phone provider to relocate a user's voicemail, giving attackers the data they needed to reset a password."

Connected Systems, Policy Enforcement and Humans Big Factors

In fact, as security technology raises the bar to penetrating systems, attackers are increasingly finding their way through cracks that exist at the interstices of systems, policy enforcement and humans, according to the report:

"We've seen several headlines regarding cases where digital identities were decimated, not through malware, key loggers, password cracking or even through access of the victim's computer or device. Instead, the bad guys accomplish their nefarious deeds by culling a small amount of personal data from public sources, using clever social engineering tricks and depending upon the loose policies of a handful of companies who we trust with our private data."

SQL injection, a technique used to attack databases through a website, remains the most commonly exploited vulnerability. In fact, along with cross-site scripting, it is rapidly growing as a favored method of attack. Attackers are now combining different techniques, such as SQL injection, cross-site scripting and shell command injection, to create layered attacks that give them a greater chance of success while making the attacks more difficult to defend against. Criminals are also increasingly using encryption to hide their exploits, making it harder for network security systems to detect them.
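The report's point about SQL injection comes down to one root cause: user input being spliced into query text so that it is parsed as SQL syntax. The following is an added example (not from the article or the X-Force report) that puts a vulnerable login query beside its parameterized replacement against an in-memory SQLite table; the table contents, user names and the `login_vulnerable`/`login_safe` helper names are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Query text built by string formatting: whatever the caller supplies
    becomes part of the SQL grammar, so quotes and operators in the input
    change the meaning of the WHERE clause."""
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterized query: the driver sends values separately from the
    statement, so the input is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both variants on the same input and return the row sets, so the
    difference is visible without reading the query text."""
    conn = make_db()
    # Classic tautology input: the vulnerable query's WHERE clause collapses to
    # "... OR '1'='1'" and matches every row; the safe query matches none.
    tautology = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", tautology),
        "safe": login_safe(conn, "alice", tautology),
        "correct_credentials": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>20}: {rows}")
```

The screening the article later credits organizations with amounts to rejecting the `login_vulnerable` shape (query text assembled from untrusted strings) before code ships; the parameterized form is the one any driver with placeholder support can express, and it costs nothing at runtime.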


"We expect that the use of obfuscation techniques will continue as technologies that identify exploits, malware and data leakage improve," the report says. "Additionally, as new applications are deployed, and as new technologies (cloud services, mobile applications and so on) emerge and influence how we communicate using the Internet, there will be more reason to hide potential attacks, raising the stakes each day."

White Hats See Success

The picture isn't all bleak, McFadden says. The high-profile takedowns of multiple botnets in 2011 (and the Grum botnet in July 2012) drastically reduced spam and phishing levels, which remain low. For now, organizations that have adopted IPv6 technology are seeing less malicious activity, though McFadden notes that may change as attackers adopt IPv6. While overall vulnerabilities are trending upward (possibly to an all-time high by year end), the X-Force data shows a decline in true exploits ("true exploits" being fully functional programs that can attack a computer, as opposed to proof-of-concept code). X-Force says only 9.7 percent of all publicly disclosed vulnerabilities are subject to true exploits.

"The good news is that the number of disclosures of SQL injection vulnerabilities is actually stabilizing," McFadden says.

While the number of attacks leveraging SQL injection vulnerabilities is still increasing, McFadden says the decline in vulnerability disclosures is a sign that organizations are putting better controls in place to screen code for such vulnerabilities before they deploy it.

Mobile Malware Still Nascent Threat

On the mobile front, attackers are continuing to research how best to exploit mobile devices, but despite a growing number of vulnerabilities in applications and mobile operating systems they have yet to settle upon a way to leverage them.

"Though mobile is still a huge concern, we have not seen the uptick in mobile malware that we suspected," McFadden says.


For now, the biggest threat from mobile seems to be premium SMS attacks, in which the attacker sets up a premium SMS service and then uses a phone's internal applications to send messages to that premium SMS service, generating direct-to-pocket revenue for the attacker. Attacks that attempt to ferret out important intellectual property from mobile devices, for instance, have yet to manifest.

"We do expect that to shift as the sophistication of attackers increases," McFadden warns. "The controls don't appear to be properly being put in place by the enterprises that are allowing bring-your-own-device. At some point, this collision of the sophistication of malware, research by the bad guys and the lack of controls on mobile will come to a head."

Sandboxing Technology Makes Documents Safer

In the meantime, though, there is one other bright spot: sandboxing. Sandboxes work by isolating an application from the rest of the system, so that if the application is compromised, the attacker's code running inside the application is limited in what it can do or access. High-profile examples include Adobe, Google and Microsoft. Adobe has implemented sandboxes in Adobe Reader X and later versions as well as Adobe Flash Player 11.3 and later versions. Google has implemented sandboxes in the Chrome browser as well as Chrome's built-in PDF viewer and Pepper Flash (Chrome's built-in Flash viewer). Microsoft has implemented sandboxes in Internet Explorer 7 and later versions on Windows Vista and later versions. For documents, it has added a sandbox to Microsoft Office 2010 (in Protected View mode).

"We're seeing that the number of vulnerabilities, most notably in PDF, has really tailed off because of sandboxing to a point where people really are no longer targeting those platforms," McFadden says. "It's no longer fruitful. Now it takes two or three vulnerabilities to break out of the sandbox; it turns into an ordeal. This is something that software vendors can do to actually help their customers and make their products safer to use."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for Follow Thor on Twitter @ThorOlavsrud. Follow everything from on Twitter @CIOonline and on Facebook. Email Thor at
