Reports Showcase Security Gap
These reports underscore the precarious position held by many industries where security on the Internet is concerned. The gap between the criminal attackers and the information security forces fighting them is widening on a daily basis.
Among the trends: vulnerability disclosures are increasing and reached record levels in the first six months of this year, says the IBM X-Force report. A mind-boggling 4,396 new vulnerabilities were documented -- a 36 percent increase over the same period in 2009. More than 50 percent of them had no vendor-supplied patch available. The most troubling part of the report shows that web application vulnerabilities continue to lead the pack, accounting for more than half of all public disclosures. This doesn't bode well for any business (including financial institutions) that depends on the Internet to do business.
It's as if the criminals are driving sports cars, and the information security pros are on bicycles.
The Forrester Research report also packs some sobering news. The report, "The New Threat Landscape: Proceed With Caution," says what we've all believed: organizations aren't just facing down individual hackers or small groups of hackers, but are now going to war against highly organized, well-funded crime networks, including some state-sponsored actors. The report tracks responses from 2,800 IT pros from around the world.
The Forrester report also sees web application attacks as the biggest headache for security. It shows a shift toward this type of attack: 79 percent of the records breached in 2009 were compromised through web application attacks.
Phishing activity declined significantly in the first six months of 2010, according to IBM, but financial institutions still top the list of targets, representing 49 percent of all phishing emails. The good news is that phishing volume is down 82 percent from its 2009 peak.
Forrester's report shows attacks are becoming much more targeted, sophisticated and resourceful. The report cites a Congressional study that puts the cost of cybercrime to the U.S. economy at about $8 billion each year. The report shows a shift in the criminals' approach toward targeted, low-profile attacks on network applications, crafted to steal money or data from the victim over a longer period of time.
What the attackers are looking for is a consistent source of revenue, says Forrester. They go after the network, then the applications, and then the data, covering all traces of their presence as they penetrate. They're also narrowing their focus, targeting organizations that have valuable information -- not just hitting financial institutions to get cash.
Forrester also shows the quickening pace of change in the malware variants used by current criminals. There are now more than 90,000 Zeus variants. These can be custom-made, and are crafted to evade anti-virus detection; the variant count matters because each new build needs a new signature before signature-based anti-virus will catch it.
All of this makes the point I stated at the beginning clearer: the gap between the criminal hackers and the defending security professionals is widening. It's as if the criminals are driving sports cars, and the information security pros are on bicycles. The attackers aren't slowing; they will continue to speed along, evolve and morph into more sophisticated creatures. Information security defenders, meanwhile, are pedaling vainly, hoping to someday catch up.