Latest View on the Threat of Information Security and Risk Management Trends

Transcription

1 Latest View on the Threat of Information Security and Risk Management Trends Rob K Lamb, Vice-President, Worldwide Sales - Security, IBM Corporation lambr@us.ibm.com 2009 IBM Corporation

2 Topics IBM security vulnerability research X-Force Trends in attacker motivation Findings/conclusion from 2H/2009 IBM X-Force Vulnerability Research Report Volume of new vulnerabilities discovered Operating systems Web applications Document readers Trends around bad content and web links Malware SPAM Phishing It s easy to become a hacker Summary

3 IBM X-Force Research & Development Unmatched Security Leadership The mission of the IBM X-Force research and development team is to: Research and evaluate threat and protection issues Deliver security protection for today s security problems Develop new technology for tomorrow s security challenges Educate the media and user communities X-Force Research 10B analyzed Web pages & images 150M intrusion attempts daily 40M spam & phishing attacks 48K documented vulnerabilities Millions of unique malware samples Provides Specific Analysis of: Vulnerabilities & exploits Malicious/Unwanted websites Spam and phishing Malware Other emerging trends

4 Only IBM Security Products are backed by X-Force research Research Technology Solutions Original Vulnerability Research Public Vulnerability Analysis Malware Analysis Threat Landscape Forecasting Protection Technology Research X-Force Protection Engines Extensions to existing engines New protection engine creation X-Force XPU s Security Content Update Development Security Content Update QA X-Force Intelligence X-Force Database Feed Monitoring and Collection Intelligence Sharing The X-Force team delivers reduced operational complexity helping to build integrated technologies that feature baked-in simplification

5 Trends in Attacker Motivation

6 2009 Attacker Motivation is to Gain Access and Manipulate Data Gain access remains the primary consequence of vulnerability exploitation. Approaching the 50% mark that was previously seen throughout 2006 and Data Manipulation took a plunge but still higher in comparison to 2006 and Bypass Security and Denial of Service is increasing.

7 Vulnerability Disclosures & Exploitation Declines Declines in some of the largest categories of vulnerabilities. Web applications continue to be the largest category of disclosure. SQL Injection and File Include, have declined. ActiveX controls which mostly impact client applications has also declined. Tuesdays continue to be the busiest day of the week for vulnerability disclosures vulnerability disclosures by severity had no significant changes from 2008 percentages.

8 ? Questions to Ask Yourself IBM Security Offerings How are you compensating for 6,600 vulnerabilities Do you have a vulnerability assessment process? Vulnerability Assessment IBM Security Network Enterprise Scanner Penetration Test

9 Most Vulnerable Operating Systems In the second half of 2009, the number of new vulnerabilities for Linux and Microsoft took a sharp turn upwards while Sun Solaris drastically declined. BSD is in the number five slot, replacing IBM AIX who was fifth in For critical and high vulnerabilities, Microsoft takes first place. Apple is in second place.

10 Web App Vulnerabilities Continue to Dominate 49% of all vulnerabilities are Web application vulnerabilities. Cross-Site Scripting disclosures surpassed SQL injection to take the top spot.

11 Web App Plug-Ins Are Vulnerable 81% of web application vulnerabilities affect plug-ins and not the base platform. 80% or more of the vulnerabilities affecting plug-ins for Apache and Joomla! had no patch.

12 Most Prevalent Web Application Vulnerabilities by Industry Cross Site Request Forgery findings are increasing in all verticals. Highest in Telecommunication sector applications at 74% and the lowest in retail & logistic applications at 16%. SQL Injection is much more likely to occur in Information Technology (including "dot com") applications (37%) than in Financial Services applications (8%). XSS findings differ greatly from one industry to another: Telecommunications is the highest at 95% and Financial Services is the lowest at 58%. Note: Charts show which vulnerabilities were 50% or more likely to appear in a Web assessment for each industry

13 ? Questions to Ask Customers Are you confident your home grown web applications are secure throughout the software development lifecycle? IBM Security Offerings Vulnerability Assessment IBM Rational AppScan IBM AppScan Source Edition Application Security Assessment Services Preemptive web application firewall protection in the IBM Security protection products

14 Vulnerabilities in Document Readers Skyrocket Portable Document Format (PDF) vulnerabilities dominate in Microsoft Office document disclosures are on the decline while Adobe disclosures continue to rise.

15 Bad Web Content Tries to Evade Filters 7.5% of the Internet contains unwanted content such as pornographic or criminal Web sites. Anonymous proxies, which hide a target URL from a Web filter, have steadily increased to more than triple in number since 2007.

16 Websites Hosting Bad Links Since the 1 st half of 2009, Professional bad Web sites like pornography, gambling, or illegal drugs Web sites have increased their links to malware. Blogs and bulletin boards have also seen increases in malware links.

17 Socially Engineered Malware on the Rise Social networks represent a vehicle for malware authors to distribute their programs in ways that are not easily blocked. Examples include: Antivirus 2009, which lures users into downloading a fake AV product. The Koobface Worm which infiltrated Facebook, Myspace, and other social networking sites. The Jahlav Trojan which used Twitter to infect Mac users. These types of attacks are ongoing and increasing in intensity. Another upward trend is the use of software toolkits to deliver malware.

18 Spam Continues to Change to Avoid Detection 80% of spam is classified as URL spam. Spammers continue to use trusted domains and legitimate links in spam messages to avoid anti-spam technologies. Brazil, the U.S., and India account for about 30 percent of worldwide spam in In the second half of 2009, Vietnam appears in second place of spamsending countries.

19 Phishing Attacks Increase Dramatically Contrary to the 1st half of 2009, phishers came back with a vengance in the 2nd half of Country of Origin also changed dramatically: Spain and Italy took top slots in 2008, but both have completely dropped from the top ten for The top sender is Brazil, runner-up is the USA and third place goes to Russia, who was not even in the top ten last year. Top subject lines are back Top 10 subject lines represent more than 38% of all phishing s. In 2008 the top subject lines made up only 6.23%.

20 Phishing Targets Financial & Government Organizations 60.9% of phishing is targeted at the financial industry vs. 90% in Over 95% of all financial phishing targets in 2009 are located in North America. During the 4 th quarter of 2009, 0.3% of all financial phishing s were targeted to Australia or New Zealand, making them bigger targets than all of Europe (0.2%). 20.4% of phishing s were targeted at government organizations.

21 Hacking Tools

22 Zeus Crimeware Service Hosting for costs $50 for 3 months. This includes the following: # Fully set up ZeuS Trojan with configured FUD binary. # Log all information via internet explorer # Log all FTP connections # Steal banking data # Steal credit cards # Phish US, UK and RU banks # Host file override # All other ZeuS Trojan features # Fully set up MalKit with stats viewer inter graded. # 10 IE 4/5/6/7 exploits # 2 Firefox exploits # 1 Opera exploit We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary

23 Commercial Spam Tools

24 Phishing Tools Commercial phishing kits make it easy for a novice to start in the business

25 Report Summary -- Attacks Continue Across all Security Domains 6,601 new vulnerabilities were discovered in 2009, an 11% decrease over 2008, largely due to declines in SQL injection and Active X vulnerability disclosures. 49% of all vulnerabilities are Web application vulnerabilities. 52% of all vulnerabilities disclosed had no vendor-supplied patches available at the end of PDF-related vulnerabilities have far surpassed those affecting Office documents. Vast majority of Web-based exploitation centered around Web exploit toolkits in contrast to purpose-built lone sources. US continues as the top hoster of malicious Web links. 7.5 percent of the Internet is considered socially unacceptable, unwanted, or flat out malicious. New malicious Web links increased by 345% compared to Majority of spam (80%) is still classified as URL spam spam messages that include URLs that a person clicks to view the spam contents. Amount of URL spam using well-known and trusted domain names continue to increase. 60.9% of phishing is targeted at the finance industry, 20.4% targeted at government organizations.

26 Patches Still Unavailable for Over Half of Vulnerabilities. Over half (52%) of all vulnerabilities disclosed in 2009 had no vendor-supplied patches to remedy the vulnerability. 45% of vulnerabilities from 2006, 43% from 2007 and 50% from 2008 still have no patches available at the end of 2009.

27 ? Questions to Ask Customers Are you confident that you are protected from vulnerabilities before a vendor supplied patch is available? What about vulnerabilities you don t know about? IBM Security Offerings Preemptive protection with the IBM Protocol Analysis Module (PAM) inside our IBM Security protection products. Virtual Patch Protection with IBM Security Network Intrusion Prevention System

28 IBM Security Effectiveness: Ahead of the Threat Top Vulnerabilities of 2009 Top 61 Vulnerabilities 341 Average days Ahead of the Threat 91 Median days Ahead of the Threat 35 Vulnerabilities Ahead of the Threat 57% Percentage of Top Vulnerabilities Ahead of the Threat 9 Protection released post announcement 17 same day coverage

29 IBM: Comprehensive Security Risk & Compliance Management The only security vendor in the market with end-toend coverage of the security foundation 15,000 researchers, developers and SMEs on security initiatives 3,000+ security & risk management patents 200+ security customer references and 50+ published case studies 40+ years of proven success securing the zseries environment $1.5 Billion security spend in 2008 and 2009 ALL PRODUCTS BACKED BY X-FORCE RESEARCH

30 2009 X-Force Trend & Risk Report Mapping to IBM Portfolio Area of Risk IBM Security Solutions Vulnerabilities Web Application Vulnerabilities PC Vulnerabilities including Malicious Web Exploits Spam Unwanted Web Content Malware - IBM Security Intrusion Prevention System (IPS) products: Network IPS, Server IPS, RealSecure Server Sensor, Desktop & Multifunction Security (MFS) - (Formerly IBM ISS Proventia products) - IBM Managed Protection Services for IPS - Tivoli Security Information and Event Manager (TSIEM) - Web application security for Network IPS, Server IPS and MFS - Managed Protection Services for IPS - Rational Appscan for assessment - IBM AppScan Source Edition - Rational Appscan Enterprise - Tivoli Security Information and Event Manager - Tivoli Security Policy Manager - IBM Secure Web Gateway Service - IBM Security Intrusion Prevention System (IPS) product lines (see above list under vulnerabilities) - (Formerly IBM ISS Proventia products) - Managed Protection Services for IPS - Managed Security Services for Web Security - IBM Lotus Protector/ Network Mail - IBM Multifunction Security (MFS) - Managed Security Services for Mail Security - IBM Security Content Analysis Software Development Kit (SDK) - IBM Multifunction Security - Managed Security Services for Web Security - - IBM Secure Web Gateway Service - IBM Desktop & Multifunction Security (MFS) - Managed Security Services for Mail and Web Security - IBM Lotus Protector/Network Mail

31 For More IBM X-Force Security Leadership X-Force Trend Reports The IBM X-Force Trend & Risk Reports provide statistical information about all aspects of threats that affect Internet security,. Find out more at X-Force Security Alerts and Advisories Only IBM X-Force can deliver preemptive security due to our unwavering commitment to research and development and 24/7 global attack monitoring. Find out more at X-Force Blogs and Feeds For a real-time update of Alerts, Advisories, and other security issues, subscribe to the X-Force RSS feeds. You can subscribe to the X-Force alerts and advisories feed at or the Frequency X Blog at