2009 X-Force Threat And Risk Wwiscop
  • Speaker’s notes: We take data from a lot of different disciplines, including the Web filtering database, second only to Google, that provides analysis for more than 9 billion Web sites and images; the intrusion attempts the managed services team sees across its customer base, currently tracking at 150 million per day; more than 40 million documented spam attacks; and 40,000 documented vulnerabilities from both internal research and external disclosures. This report is unique in that the sources listed above provide varying perspectives on the threat landscape and together give a cohesive look at the industry based on factual data from the various research functions within the broader X-Force team and its databases.
  • Speaker’s notes: Let’s explore the key findings of the report – all mapped back to the IBM Security Framework. The full X-Force Trend & Threat Report is available for download at: http://www-935.ibm.com/services/us/iss/xforce/trendreports/
  • 6,601 new vulnerabilities in 2009; an 11% decrease in comparison to 2008. Vulnerability disclosures appear to be reaching a permanently high plateau.
  • Speaker’s notes: One of the things that we did this year was to take a slightly different look at how vulnerabilities are classified and how they are rated by criticality. We’ve noticed that the traditional way to categorize vulnerabilities is not the same criteria by which a hacker or crime organization might classify the vulnerability. What may appear to rate “high” on a traditional scale may never be exploited because it has too small a target audience or doesn’t provide the appropriate financial payout. The grid on the right-hand side of the screen shows the Exploitability Probability Quadrant: the Y axis is the total opportunity size, whereas the X axis shows the cost to exploit the vulnerability. Ideally, the criminal community will look for an exploit that falls in the upper right-hand “sweet spot”: a vulnerability that is cheap to exploit with lots of targets or opportunity, which can result in a high payout.
  • In the past few reports, X-Force has included several Web application vendors in the top ten vendor list. These Web application platforms reached the top ten list because we included in our totals the vulnerabilities in the base platform as well as vulnerabilities in the plug-ins that operate on that platform. However, many of the plug-ins associated with those Web application platform vulnerabilities were not produced by the vendor themselves. The plug-ins are oftentimes simply hosted on the vendor’s Web sites. Part of the draw of these open-source projects is this diversity of plug-ins that broadens the utility of these platforms. However, these plug-ins fall victim to vulnerabilities like all software, and, without proper accountability, may not receive fixes or patches like software normally supported by commercial or open source vendors.
  • In the 2008 report, X-Force presented an analysis of operating systems with the most vulnerabilities. These vulnerabilities were counted according to how each vendor reports their platforms through the Common Platform Enumeration (or CPE). Instead of counting vulnerabilities according to the named “platforms” in CPE, here is a slightly different analysis that counts each unique vulnerability reported for a genre of operating systems. For example, this analysis compares all vulnerabilities reported for Microsoft operating systems and compares them to all of the vulnerabilities reported for Apple operating systems in any given year. If a certain vulnerability applies to multiple versions of operating systems in that genre, it is only counted one time. For example, if a certain CVE applies to both Apple Mac OS X and also Apple Mac OS X Server, it is only counted one time for the Apple genre.
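As an added example (not from the report or from any IBM tooling), the genre-level counting rule described above in Python, using constructed CVE ids and CPE platform names; it also computes the per-named-platform count the note contrasts it with, so the double counting the genre method removes is visible:

```python
"""Unique-vulnerability count per operating-system genre (vendor family).

Added example, not from the X-Force report: it implements the counting rule the
notes describe. A CVE that applies to several CPE platforms of one vendor genre
(e.g. Mac OS X and Mac OS X Server) is counted once for that genre, whereas a
per-named-platform count (the 2008 method) counts it once per platform.
The CVE ids and CPE names below are constructed sample data, not real disclosures.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

CPE_PREFIX = "cpe:/"  # CPE 2.2 URI form: cpe:/<part>:<vendor>:<product>[:<version>...]


def parse_cpe(cpe: str) -> Tuple[str, str, str]:
    """Return (part, vendor, product) from a CPE 2.2 URI; part 'o' means operating system."""
    if not cpe.startswith(CPE_PREFIX):
        raise ValueError(f"not a CPE 2.2 URI: {cpe!r}")
    fields = cpe[len(CPE_PREFIX):].split(":")
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"CPE needs part, vendor and product: {cpe!r}")
    return fields[0], fields[1].lower(), fields[2].lower()


# Constructed sample: CVE id -> affected CPE platforms (not real disclosures).
SAMPLE_DISCLOSURES: Dict[str, List[str]] = {
    "CVE-2009-0001": ["cpe:/o:apple:mac_os_x:10.5", "cpe:/o:apple:mac_os_x_server:10.5"],
    "CVE-2009-0002": ["cpe:/o:apple:mac_os_x:10.6"],
    "CVE-2009-0003": ["cpe:/o:microsoft:windows_xp", "cpe:/o:microsoft:windows_vista",
                      "cpe:/o:microsoft:windows_server_2008"],
    # one CVE affecting two genres is counted once in each genre
    "CVE-2009-0004": ["cpe:/o:microsoft:windows_7", "cpe:/o:apple:mac_os_x:10.6"],
    # an application (part 'a'), not an OS: excluded from both counts
    "CVE-2009-0005": ["cpe:/a:adobe:acrobat_reader:9.0"],
}


def count_by_platform(disclosures: Dict[str, List[str]]) -> Dict[str, int]:
    """2008-style count: unique CVEs per named OS platform (vendor:product)."""
    seen: Dict[str, set] = defaultdict(set)
    for cve, cpes in disclosures.items():
        for cpe in cpes:
            part, vendor, product = parse_cpe(cpe)
            if part == "o":
                seen[f"{vendor}:{product}"].add(cve)
    return {platform: len(cves) for platform, cves in seen.items()}


def count_by_genre(disclosures: Dict[str, List[str]]) -> Dict[str, int]:
    """2009-style count: each CVE counted at most once per vendor genre."""
    seen: Dict[str, set] = defaultdict(set)
    for cve, cpes in disclosures.items():
        for cpe in cpes:
            part, vendor, _product = parse_cpe(cpe)
            if part == "o":
                seen[vendor].add(cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}


def platform_sum_for_vendor(disclosures: Dict[str, List[str]], vendor: str) -> int:
    """Sum of per-platform counts for one vendor: the inflation the genre count removes."""
    return sum(n for platform, n in count_by_platform(disclosures).items()
               if platform.split(":", 1)[0] == vendor)


if __name__ == "__main__":
    print("per platform:", count_by_platform(SAMPLE_DISCLOSURES))
    print("per genre:   ", count_by_genre(SAMPLE_DISCLOSURES))
    print("apple: platform sum vs genre count:",
          platform_sum_for_vendor(SAMPLE_DISCLOSURES, "apple"),
          count_by_genre(SAMPLE_DISCLOSURES)["apple"])
```

With the sample data the Apple genre counts 3 unique CVEs while summing its named platforms gives 4, because CVE-2009-0001 applies to both Mac OS X and Mac OS X Server.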
  • Speaker’s notes: This slide breaks down the motivation of an attacker. You can see that “gain access” and “data manipulation” still rank extremely high as motivations for criminal organizations. Gaining access to a system gives an attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from that system. The category of data manipulation took a plunge but is still higher in comparison to 2006 and 2007.
  • This chart shows how X-Force enabled superior security effectiveness in our IPS products. Of the top 61 vulnerabilities in 2009, 35 or 57% were caught ahead of the threat by X-Force. Essentially it means X-Force identified the vulnerability and provided protection technologies in our products well before the vulnerability was exploited in the wild. The vulnerabilities listed in blue were discovered by X-Force team members.
  • Although the number of vulnerabilities affecting Web applications has grown at a staggering rate, the growth demonstrated in the first half of 2009 and continuing through the second half may indicate the start of a plateau, at least in standard (off-the-shelf) software applications for the Web. These figures do not include custom-developed Web applications or customized versions of these standard packages, which also introduce vulnerabilities.
  • Web application platforms represent a special case when it comes to counting vulnerabilities. The utility of these platforms is extended by plug-ins to the base application. These plug-ins may or may not be produced by the Web application vendor themselves, which makes counting vulnerabilities affecting these platforms a bit tricky. In the past few years, several of these platforms have shown up in our top 10 vendor list because we were reporting platform and plug-in vulnerabilities. This year, we will report them separately. Web applications and Web development language platforms that had 20 or more vulnerability reports in 2009 are included in this analysis. The vulnerabilities reported for these platforms make up 8.3 percent of all the disclosures in 2009. 81 percent of these disclosures affect plug-ins and not the base platform. When it comes to providing patches to fix these vulnerabilities, the base platforms for all of these vendors beat the 2009 average for all vendors (52 percent), and exceedingly surpass the average for Web application vulnerabilities (67 percent, a better average in comparison to 2008 when about three-fourths of Web application vulnerabilities were left without a patch.) When it comes to plug-ins however, the sweet song sours, and plug-ins for some applications fare worse than others. Eighty percent or more of the vulnerabilities affecting plug-ins for Apache and Joomla!, for example, had no patch.
  • IBM has collated real-world vulnerability data from 168 security tests conducted over the past three years from the IBM Rational AppScan onDemand Premium service. This service combines application security assessment results obtained from IBM Rational AppScan with manual security testing and verification. In all cases, false positives were removed from the results and the remaining vulnerabilities were categorized into one of the following:
      - Cross-Site Request Forgery
      - Cross-Site Scripting
      - Error Message Information Leak
      - Improper Access Control
      - Improper Application Deployment
      - Improper Use of SSL
      - Inadequate / Poor Input Control
      - Information Disclosure
      - Insufficient Web Server Configuration
      - Non Standard Encryption
      - SQL Injection
  • Product links:
      - Proventia Network Intrusion Prevention System: http://www.ibm.com/software/tivoli/products/security-network-intrusion-prevention/
      - Proventia Virtualized Network Security Platform: http://www.ibm.com/software/tivoli/products/virtualized-network-security/
      - Proventia Network Security Controller: http://www.ibm.com/software/tivoli/products/network-security-controller/
      - Network Intrusion Prevention for Crossbeam: http://www.ibm.com/software/tivoli/products/network-intrusion-prevention-crossbeam/index.html
      - Proventia® Network Active Bypass: http://www.ibm.com/software/tivoli/products/network-active-bypass/
      - Security Server Protection: http://www.ibm.com/software/tivoli/products/security-server-protection/index.html
      - Proventia Desktop Endpoint Security: http://www.ibm.com/software/tivoli/products/desktop-endpoint-security/
      - Proventia Network Multi-Function Security: http://www.ibm.com/software/tivoli/products/network-multifunction-security/
      - Virtual Server Protection for VMware: http://www.ibm.com/software/tivoli/products/virtual-server-protection/
      - Proventia Network Enterprise Scanner: http://www.ibm.com/software/tivoli/products/network-enterprise-scanner/
      - IBM Security Content Analysis Software Development Kit (SDK): http://www.ibm.com/software/tivoli/products/security-content-analysis-sdk/
      - IBM Managed Protection Services for IPS: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1026962
      - IBM Rational AppScan: http://www-01.ibm.com/software/awdtools/appscan/
      - IBM Rational AppScan Enterprise: http://www-01.ibm.com/software/awdtools/appscan/
      - IBM Proventia Network Mail: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027071
      - Lotus Protector: http://www-01.ibm.com/software/lotus/products/protector/mailsecurity/index.html
      - Tivoli Security Information and Event Manager: http://www-01.ibm.com/software/tivoli/products/security-info-event-mgr/
      - Tivoli Security Policy Manager: http://www-01.ibm.com/software/tivoli/products/security-policy-mgr/
      - IBM Secure Web Gateway Service: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1031933
      - Proventia SiteProtector: http://www.ibm.com/software/tivoli/products/siteprotector-system/
  • Transcript

    • 1. 2009 IBM X-Force® Trend & Risk Report Review
      Tom Cross, Manager, X-Force Advanced Research
    • 2. X-Force R&D -- Unmatched Security Leadership
      The mission of the IBM X-Force® research and development team is to:
        - Research and evaluate threat and protection issues
        - Deliver security protection for today’s security problems
        - Develop new technology for tomorrow’s security challenges
        - Educate the media and user communities
      X-Force Research
        - 10B analyzed Web pages & images
        - 150M intrusion attempts daily
        - 40M spam & phishing attacks
        - 48K documented vulnerabilities
        - Millions of unique malware samples
      Provides Specific Analysis of:
        - Vulnerabilities & exploits
        - Malicious/Unwanted websites
        - Spam and phishing
        - Malware
        - Other emerging trends
    • 3. Report Summary -- Attacks Continue Across all Security Domains
        - PDF-related vulnerabilities have far surpassed those affecting Office documents.
        - The vast majority of Web-based exploitation centered around Web exploit toolkits, in contrast to purpose-built lone sources.
        - The US continues as the top hoster of malicious Web links.
        - 6,601 new vulnerabilities were discovered in 2009, an 11% decrease over 2008, largely due to declines in SQL injection and ActiveX vulnerability disclosures.
        - 49% of all vulnerabilities are Web application vulnerabilities.
        - 52% of all vulnerabilities disclosed had no vendor-supplied patches available at the end of 2009.
        - The majority of spam (80%) is still classified as URL spam: spam messages that include URLs that a person clicks to view the spam contents.
        - The amount of URL spam using well-known and trusted domain names continues to increase.
        - 60.9% of phishing is targeted at the finance industry, 20.4% at government organizations.
        - 7.5 percent of the Internet is considered “socially” unacceptable, unwanted, or flat out malicious.
        - New malicious Web links increased by 345% compared to 2008.
    • 4. Disappearance of Low Hanging Fruit: Vulnerability Disclosures & Exploitation Declines
        - Declines in some of the largest categories of vulnerabilities.
          - Web applications continue to be the largest category of disclosure.
          - SQL Injection and File Include have declined.
          - ActiveX controls, which mostly impact client applications, have also declined.
        - Tuesdays continue to be the busiest day of the week for vulnerability disclosures.
        - 2009 vulnerability disclosures by severity had no significant changes from 2008 percentages.
    • 5. Questions & Answers for Customers
      Questions to Ask Customers
        - How are you compensating for 6,600 vulnerabilities?
        - Do you have a vulnerability assessment process?
        - Are you confident that you are protected from vulnerabilities before a vendor-supplied patch is available?
        - What about vulnerabilities you don’t know about?
      IBM Security Offerings
        - Vulnerability Assessment
          - IBM Security Network Enterprise Scanner
          - IBM Rational AppScan
          - Vulnerability Management Services
          - Application Security Assessment Services
        - Preemptive protection with the IBM Protocol Analysis Module (PAM) inside our IBM Security protection products.
        - Virtual Patch Protection with IBM Security Network Intrusion Prevention System
    • 6. The Economics of Attacker Exploitation
        - Threat Evolution:
          - A flat world has brought about an unprecedented number of criminals and cons
          - Attackers keep ROI in mind as well, and constantly evolve their wares in order to re-purpose them for the next flood of attacks
          - High profile vulnerabilities will still be the vehicles for new attacks; however, the low and slow attack vectors cannot be ignored
          - The economics of exploitation must be taken into consideration to better prioritize risk
    • 7. The Economics of Attacker Exploitation
        - Economics continue to play heavily into the exploitation probability of a vulnerability.
        - Web Browser and Document Reader vulnerabilities are very profitable and easily executable.
    • 8. Apple, Sun and Microsoft Top Vendor List for Disclosures
        - Top ten vendors account for nearly a quarter (23%) of all disclosed vulnerabilities, up from 19% in 2008.
        - Significant changes to the Top Ten List including:
          - Microsoft dropped from #1 to #3 after holding the top spot since 2006.
          - Adobe makes its debut on the top ten list at number nine.
          - Note: In 2009, web application vendors are not on the top ten list because we now only count vulnerabilities in the base platform. We are not including plug-ins associated with Web application platform vulnerabilities because they are often not produced by the vendor themselves.
      Customers should also be concerned about vendors not on this list. Are those vendors taking security seriously?
    • 9. Patches Still Unavailable for Over Half of Vulnerabilities
        - Over half (52%) of all vulnerabilities disclosed in 2009 had no vendor-supplied patches to remedy the vulnerability.
          - 45% of vulnerabilities from 2006, 43% from 2007 and 50% from 2008 still had no patches available at the end of 2009.
    • 10. Most Vulnerable Operating Systems
        - In the second half of 2009, the number of new vulnerabilities for Linux and Microsoft took a sharp turn upwards while Sun Solaris drastically declined.
        - BSD is in the number five slot, replacing IBM AIX, which was fifth in 2008.
        - For critical and high vulnerabilities, Microsoft takes first place. Apple is in second place.
    • 11. 2009 Attacker Motivation is to Gain Access and Manipulate Data
        - “Gain access” remains the primary consequence of vulnerability exploitation.
          - Approaching the 50% mark that was previously seen throughout 2006 and 2007.
        - “Data Manipulation” took a plunge but is still higher in comparison to 2006 and 2007.
        - “Bypass Security” and “Denial of Service” are increasing.
      Questions to Ask:
        - Are you confident that an attacker cannot gain access to your system?
        - Is your private data secure?
      IBM Security Offerings:
        - IBM Security Network, Server and Endpoint Intrusion Detection and Prevention products and services
        - IBM Web Application Security
        - IBM Data Security products and services
    • 12. Security Effectiveness: Ahead of the Threat – Top Vulnerabilities of 2009
      Top 61 Vulnerabilities
        - 341: average days ahead of the threat
        - 91: median days ahead of the threat
        - 35: vulnerabilities ahead of the threat
        - 57%: percentage of top vulnerabilities ahead of the threat
        - 9: protection released post announcement
        - 17: same-day coverage
    • 13. Web App Vulnerabilities Continue to Dominate
        - 49% of all vulnerabilities are Web application vulnerabilities.
        - Cross-Site Scripting disclosures surpassed SQL injection to take the top spot.
        - 67% of web application vulnerabilities had no patch available at the end of 2009.
    • 14. Web App Plug-Ins Are Vulnerable
        - 81% of web application vulnerabilities affect plug-ins and not the base platform.
        - 80% or more of the vulnerabilities affecting plug-ins for Apache and Joomla! had no patch.
    • 15. Real World Conclusions from Web App Assessments
        - Cross-Site Request Forgery (CSRF) vulnerabilities increased from 22% in 2007 to 59% in 2009.
        - SQL Injection vulnerabilities dropped from 33% in 2007 to 18% in 2009.
        - Cross-Site Scripting (XSS) vulnerabilities dropped from 83% in 2007 to 64% in 2009.
        - Inadequate input control is the most prevalent developer-related issue, and the likelihood of finding it in 2009 is almost 70%.
    • 16. Most Prevalent Web Application Vulnerabilities by Industry
        - CSRF findings are increasing in all verticals.
          - Highest in Telecommunication sector applications at 74% and lowest in retail & logistics applications at 16%.
        - SQL Injection is much more likely to occur in Information Technology (including "dot com") applications (37%) than in Financial Services applications (8%).
        - XSS findings differ greatly from one industry to another: Telecommunications is the highest at 95% and Financial Services is the lowest at 58%.
      Note: Charts show which vulnerabilities were 50% or more likely to appear in a Web assessment for each industry.
    • 17. Questions & Answers for Customers
      Questions to Ask Customers
        - Do you have a vulnerability assessment process in place for web applications?
        - Are you confident your home-grown web applications are secure throughout the software development lifecycle?
        - What about vulnerabilities you don’t know about?
      IBM Security Offerings
        - Vulnerability Assessment
          - IBM Rational AppScan
          - IBM AppScan Source Edition
          - Application Security Assessment Services
        - Preemptive protection with the IBM Protocol Analysis Module (PAM) inside our IBM Security protection products.
        - IBM Web Application Security Bundle
        - IBM Secure Web Gateway Service
    • 18. Client-Side Vulnerabilities: Document and Multimedia Vulnerabilities are on the Rise
        - The largest number of client-side vulnerabilities in 2009 affects Web browsers and their plug-ins.
        - Document Reader and Multimedia vulnerabilities surpass OS vulnerabilities in 2009.
    • 19. Attackers Target the Most Popular Software
    • 20. Vulnerabilities in Document Readers Skyrocket
        - Portable Document Format (PDF) vulnerabilities dominate in 2009.
        - Microsoft Office document disclosures are on the decline while Adobe disclosures continue to rise.
    • 21. Attackers Turn to Adobe Products to Launch Exploits
        - Four of the top five web-based exploits are related to Adobe products.
        - Core browser vulnerabilities have taken a back seat to malicious PDFs and ActiveX vulnerabilities.
    • 22. “Bad” Web Content Tries to Evade Filters
        - 7.5% of the Internet contains unwanted content such as pornographic or criminal Web sites.
        - Anonymous proxies, which hide a target URL from a Web filter, have steadily increased to more than triple in number since 2007.
    • 23. Suspicious Web Pages and Files are on the Rise
        - The level of obfuscation found in Web exploits continues to rise.
        - Exploit toolkit packages have started to include both malicious Adobe Flash and PDF files.
        - Adobe PDF files saw increases in obfuscation complexity throughout 2009.
    • 24. Malicious Web Links Increase by 345%
        - The United States and China continue to reign as the top hosting countries for malicious links.
        - Many more second-tier countries are jumping into this game.
          - Countries hosting at least one malicious link nearly doubled from 2008 to 2009.
    • 25. Websites Hosting Bad Links
        - Since the 1st half of 2009, professional “bad” Web sites, such as pornography, gambling, or illegal drugs Web sites, have increased their links to malware.
        - Blogs and bulletin boards have also seen increases in malware links.
    • 26. Socially Engineered Malware on the Rise
        - Social networks represent a vehicle for malware authors to distribute their programs in ways that are not easily blocked. Examples include:
          - Antivirus 2009, which lures users into downloading a fake AV product.
          - The Koobface Worm, which infiltrated Facebook, Myspace, and other social networking sites.
          - The Jahlav Trojan, which used Twitter to infect Mac users.
        - These types of attacks are ongoing and increasing in intensity.
        - Another upward trend is the use of software toolkits to deliver malware.
    • 27. Zeus Crimeware Service
      Advertisement text quoted on the slide:
        “Hosting for costs $50 for 3 months. This includes the following:
        # Fully set up ZeuS Trojan with configured FUD binary.
        # Log all information via internet explorer
        # Log all FTP connections
        # Steal banking data
        # Steal credit cards
        # Phish US, UK and RU banks
        # Host file override
        # All other ZeuS Trojan features
        # Fully set up MalKit with stats viewer inter graded.
        # 10 IE 4/5/6/7 exploits
        # 2 Firefox exploits
        # 1 Opera exploit”
        “We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary”
    • 28. Spam Continues to Change to Avoid Detection
        - 80% of spam is classified as URL spam.
        - Spammers continue to use “trusted” domains and “legitimate links” in spam messages to avoid anti-spam technologies.
        - Brazil, the U.S., and India account for about 30 percent of worldwide spam in 2009.
          - In the second half of 2009, Vietnam appears in second place among spam-sending countries.
    • 29. HTML Spam Recovers
        - Spam volume increased through 2009.
        - Image-based spam declined in the second half of 2009 and HTML-based spam recovered.
    • 30. Commercial Spam Tools
    • 31. Phishing Attacks Increase Dramatically
        - Contrary to the 1st half of 2009, phishers came back with a vengeance in the 2nd half of 2009.
        - Country of origin also changed dramatically:
          - Spain and Italy took top slots in 2008, but both have completely dropped from the top ten for 2009.
          - The top sender is Brazil, runner-up is the USA and third place goes to Russia, which was not even in the top ten last year.
        - Top subject lines are back
          - Top 10 subject lines represent more than 38% of all phishing e-mails.
          - In 2008 the top subject lines made up only 6.23%.
    • 32. Phishing Targets Financial & Government Organizations
        - 60.9% of phishing is targeted at the financial industry vs. 90% in 2008.
        - Over 95% of all financial phishing targets in 2009 are located in North America.
          - During the 4th quarter of 2009, 0.3% of all financial phishing emails were targeted to Australia or New Zealand, making them bigger targets than all of Europe (0.2%).
        - 20.4% of phishing emails were targeted at government organizations.
    • 33. Phishing Tools
        - Commercial phishing kits make it easy for a novice to start in the business
    • 34. 2009 X-Force Trend & Risk Report – Mapping to IBM Portfolio
      Area of Risk: Vulnerabilities
        - IBM Security Intrusion Prevention System (IPS) products: Network IPS, Server IPS, RealSecure Server Sensor, Desktop & Multifunction Security (MFS) (formerly IBM ISS Proventia products)
        - IBM Managed Protection Services for IPS
        - Tivoli Security Information and Event Manager (TSIEM)
      Area of Risk: Web Application Vulnerabilities
        - Web application security for Network IPS, Server IPS and MFS
        - Managed Protection Services for IPS
        - Rational AppScan for assessment
        - IBM AppScan Source Edition
        - Rational AppScan Enterprise
        - Tivoli Security Information and Event Manager
        - Tivoli Security Policy Manager
        - IBM Secure Web Gateway Service
      Area of Risk: PC Vulnerabilities including Malicious Web Exploits
        - IBM Security Intrusion Prevention System (IPS) product lines (see the list above under Vulnerabilities) (formerly IBM ISS Proventia products)
        - Managed Protection Services for IPS
        - Managed Security Services for Web Security
      Area of Risk: Spam
        - IBM Lotus Protector/Network Mail
        - IBM Multifunction Security (MFS)
        - Managed Security Services for Mail Security
        - IBM Security Content Analysis Software Development Kit (SDK)
      Area of Risk: Unwanted Web Content
        - IBM Multifunction Security
        - Managed Security Services for Web Security
        - IBM Secure Web Gateway Service
      Area of Risk: Malware
        - IBM Desktop & Multifunction Security (MFS)
        - Managed Security Services for Mail and Web Security
        - IBM Lotus Protector/Network Mail
    • 35. For More IBM X-Force Security Leadership
      X-Force Trend Reports
        - The IBM X-Force Trend & Risk Reports provide statistical information about all aspects of threats that affect Internet security. Find out more at http://www-935.ibm.com/services/us/iss/xforce/trendreports/
      X-Force Security Alerts and Advisories
        - Only IBM X-Force can deliver preemptive security due to our unwavering commitment to research and development and 24/7 global attack monitoring. Find out more at http://xforce.iss.net/
      X-Force Blogs and Feeds
        - For a real-time update of Alerts, Advisories, and other security issues, subscribe to the X-Force RSS feeds. You can subscribe to the X-Force alerts and advisories feed at http://iss.net/rss.php or the Frequency X Blog at http://blogs.iss.net/rss.php
