
Researchers see security improve

Firms are improving security performance but threats continue to grow, says IBM.


Researchers have found that overall safety online is improving, but that criminals are adapting their techniques to compensate.

Results from the IBM X-Force 2011 Trend and Risk report show an improvement to online security practices. 2011 saw a 50 per cent decline in spam email, against 2010 figures. Patching of security vulnerabilities by software vendors improved as well, with a seven per cent decrease in the number of vulnerabilities remaining unpatched. The report shows that cross-site scripting is half as likely to exist in clients' software as it was four years ago.

However, the advancements in security measures have prompted online criminals to evolve their techniques. Mobile exploits, automated password guessing, and phishing attacks are on the rise.

"In 2011 we've seen surprisingly good progress in the fight against computer crime through the IT industry's efforts to improve the quality of software," said Tom Cross, manager of threat intelligence and strategy for IBM X-Force.

"In response, criminals continue to evolve their techniques to find new avenues into an organisation. As long as attackers profit from cyber crime, organisations must remain diligent in prioritising and addressing their security vulnerabilities."

Some of the top examples of security improvements in 2011 include a 30 per cent decline in the availability of exploit codes, a 50 per cent reduction in cross-site scripting, and an overall decline in spam.

IBM noted new attack trends being used by hackers. According to the report, there are documented increases in three key areas of attack activity.

Attacks targeting shell command injection vulnerabilities have more than doubled. As improvements have been made to prevent SQL injections, which allow hackers to manipulate the database behind a website, attackers are now targeting shell command injection vulnerabilities instead. This type of vulnerability enables the attacker to execute commands directly on a web server. IBM is encouraging web application developers to pay close attention to these types of attacks, as they have increased by two to three times over the course of 2011.

There have been increases in phishing attacks that impersonate social networking sites and mail parcel services. Phishing attacks have returned to the scene, reaching volumes not seen since 2008. The emails entice victims to click on links to web pages that may try to infect their PCs with malware.

Social networking is helping hackers to make phishing emails more persuasive. People who share too much information on social networking sites such as Facebook and Twitter make it easy for criminals to use their information to target phishing ads and spam specifically at them, making attacks more personal and convincing.

New technologies are accompanied by new avenues for virtual attacks. According to IBM, mobile and cloud computing in particular continue to cause problems for security in enterprises. 2011 also saw a number of high-profile company cloud breaches.

"IT security staff should carefully consider what workloads they should send to third-party cloud providers and what should be kept in-house due to sensitivity of data," the report said.

"Cloud security requires foresight on the part of the customer as well as flexibility, skills, and a willingness to negotiate on the part of the cloud provider."

The X-Force report recommends service level agreements (SLAs) for managing security in the cloud, because of the limited control an organisation can exercise over cloud computing services.

"Many cloud customers tapping a service worry about securing the technology. Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer's control," said Ryan Berg, IBM security cloud strategist.

"They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload."

IBM recommends performing regular third-party external and internal security audits, segmenting sensitive systems and information, and training end users about phishing and spear phishing. Enterprises should also examine the security policies of business partners.
