gAtO rEaD – Cyber-criminals are slowing their web app attacks and working their VoDoo with social networks and mobile devices. IBM’s semiannual report shows interesting trends. On the spam email attack front we are on the decline compared to 2010, but APTs (Advanced Persistent Threats) were up. Commercial criminals are quickly adapting to lateral and supply-chain intrusions.
This is now true in the financial sector as well. The traditional dump-and-run, grabbing as much financial data as possible and leaving, is giving way to attackers who put in the time to stay persistent in the shadows of the system and draw out not just the CC (credit card $$) data but also the PII (Personally Identifiable Information), and the company’s intellectual property is becoming more lucrative than hard-cash scams. IBM also found that 36% of previously identified vulnerabilities at the companies it compared were still unpatched by the end of the year, compared to 43 percent in 2010.
** — “if the patches were maintained then they wouldn’t have hacked the network”. Always test your patch first with everything on your network, or else you’re putting your company on the line. — **
Web applications are safer, with the number of applications vulnerable to cross-site scripting attacks down 50 percent compared with 2007. SQL injection attacks, however, continue to be a thorn in the side of Web applications due to the availability of automated tools. IBM also detected a 200 to 300 percent jump in so-called “shell injection” attacks from January to December. And toward the end of the year, IBM researchers noticed a spike in SSH password cracking attempts.
The decline in vulnerabilities belies the rise in security breaches, and raises the question: Are cyber-criminals getting smarter than the IT professionals charged with securing their company’s IT systems? Or maybe we’re just expecting too much from the security pros? It may be the latter. In February, security software firm LogRhythm declared that 75 percent of security professionals “lack confidence in their ability to address cyber threats.” The number is the result of an unscientific study of only 200 people who answered a questionnaire online. But it does hint at the existence of a skills gap when it comes to defending corporate IT systems.
Just as the tools and tactics are changing in the ongoing IT cyber war, so is the battleground. In the future, corporate security pros will need to focus a lot more on social media and mobile computing than they do now, especially as corporations continue to connect their core business systems to mobile devices and social networking tools. -gAtO oUt
For a copy of the X-Force 2011 Trend and Risk Report, see www.ibm.com/security/xforce