Researchers see security improve

Are you secure?

Researchers have found that overall online safety is improving, but that criminals are adapting their techniques to compensate.

Results from the IBM X-Force 2011 Trend and Risk report show an improvement in online security practices. 2011 saw a 50 per cent decline in spam email against 2010 figures. Patching of security vulnerabilities by software vendors improved as well, with a seven per cent decrease in the number of vulnerabilities remaining unpatched. The report shows that cross-site scripting is half as likely to exist in clients' software as it was four years ago.

However, the advancements in security measures have prompted online criminals to evolve their techniques. Mobile exploits, automated password guessing, and phishing attacks are on the rise.

"In 2011 we've seen surprisingly good progress in the fight against computer crime through the IT industry's efforts to improve the quality of software," said Tom Cross, manager of threat intelligence and strategy for IBM X-Force.

"In response, criminals continue to evolve their techniques to find new avenues into an organisation. As long as attackers profit from cyber crime, organisations must remain diligent in prioritising and addressing their security vulnerabilities."

Some of the top examples of security improvements in 2011 include a 30 per cent decline in the availability of exploit codes, a 50 per cent reduction in cross-site scripting, and an overall decline in spam.

IBM noted new attack trends being used by hackers. According to the report, there are documented increases in three key areas of attack activity.

Attacks targeting shell command injection vulnerabilities have more than doubled. As improvements have been made to prevent SQL injections, which allow hackers to manipulate the database behind a website, attackers are now targeting shell command injection vulnerabilities instead. This type of vulnerability enables the attacker to execute commands directly on a web server. IBM is encouraging web application developers to pay close attention to these types of attacks, as they have increased by two to three times over the course of 2011.
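The difference between the two patterns the report contrasts is easiest to see side by side. The following Python snippet is an added illustration, not code from IBM or the X-Force report: it shows a web handler that builds a shell command from a user-supplied hostname (the vulnerable form) next to a hardened version that validates the input against an allow-list and passes it to the program as a single argument with no shell involved. The sample inputs are constructed, and `echo` stands in for whatever network tool (ping, nslookup, whois) a real site would call, so the example runs offline.

```python
import re
import subprocess

# Constructed sample inputs (not from the report): one ordinary hostname and
# one that carries a shell separator followed by a second command.
BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; echo INJECTED"

# Allow-list for hostnames: dot-separated labels of letters, digits and
# hyphens, with no label starting or ending in a hyphen. A leading hyphen is
# rejected so the value can never be mistaken for a command-line option.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def validate_hostname(host):
    """Return True only if host is safe to hand to an external program."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def lookup_vulnerable(host):
    """Vulnerable pattern: user input interpolated into a shell command line.

    shell=True hands the whole string to /bin/sh, so ';', '|', '&&' and
    $(...) inside `host` are parsed as shell syntax rather than as data.
    """
    completed = subprocess.run(
        f"echo lookup {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout.strip().splitlines()


def lookup_argv_only(host):
    """First half of the fix: an argv list with shell=False.

    No shell parses the string, so the entire value reaches the program as
    one literal argument and separators in it are just characters.
    """
    completed = subprocess.run(
        ["echo", "lookup", host], shell=False, capture_output=True, text=True
    )
    return completed.stdout.strip().splitlines()


def lookup_hardened(host):
    """Hardened pattern: allow-list validation, then argv with shell=False.

    Validation rejects anything that is not a plausible hostname before a
    command is built; the argv list guarantees the shell never sees it.
    """
    if not validate_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv_only(host)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(HOSTILE_HOST))
    print("argv only: ", lookup_argv_only(HOSTILE_HOST))
    try:
        lookup_hardened(HOSTILE_HOST)
    except ValueError as exc:
        print("hardened:  ", exc)
```

Run on a POSIX system, the vulnerable function returns two lines, the second produced by the injected command, while the argv-only version returns one line with the separator kept as plain text. The allow-list is still worth keeping even though the argv list alone stops shell parsing: it is what rejects values such as option-like strings that the called program itself might interpret.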

There have been increases in phishing attacks that impersonate social networking sites and mail parcel services. Phishing attacks have returned to the scene, reaching volumes not seen since 2008. The emails entice victims to click on links to web pages that may try to infect their PCs with malware.

Social networking is helping hackers to make phishing emails more persuasive. People who share too much information on social networking sites such as Facebook and Twitter make it easy for criminals to use their information to target phishing ads and spam specifically at them, making attacks more personal and convincing.

New technologies are accompanied by new avenues for virtual attacks. According to IBM, mobile and cloud computing in particular continue to cause problems for security in enterprises. 2011 also saw a number of high-profile company cloud breaches.

"IT security staff should carefully consider what workloads they should send to third-party cloud providers and what should be kept in-house due to sensitivity of data," the report said.

"Cloud security requires foresight on the part of the customer as well as flexibility, skills, and a willingness to negotiate on the part of the cloud provider."

The X-Force report recommends service level agreements (SLAs) for managing security in the cloud, because of the limited control an organisation can exercise over cloud computing services.

"Many cloud customers tapping a service worry about securing the technology. Depending upon the type of cloud deployment, most, if not all, of the technology is outside of the customer's control," said Ryan Berg, IBM security cloud strategist.

"They should focus on information security requirements of the data destined for the cloud, and through due diligence, make certain their cloud provider has the capability to adequately secure the workload."

IBM recommends performing regular third-party external and internal security audits, segmenting sensitive systems and information, and training end users about phishing and spear phishing. Enterprises should also examine the security policies of business partners.