IBM X-Force 2012 Trend and Risk Report March 2013 IBM Security Systems IBM X-Force 2012 Trend and Risk Report Contributors Contributors Producing the IBM X-Force Trend and Risk Report is a dedication in collaboration across all of IBM. We would like to thank the following individuals for their attention and contribution to the publication of this report. About IBM X-Force IBM X-Force® research and development teams Contributor Title study and monitor the latest threat trends Andrew Franklin Senior Incident Response Analyst, IBM Professional Services including vulnerabilities, exploits and active Brad Sherrill Manager, IBM X-Force Database Team attacks, viruses and other malware, spam, Bryan Ivey Team Lead, MSS Cyber Threat and Intelligence Analyst phishing, and malicious web content. In addition Carsten Hagemann IBM X-Force Software Engineer, Content Security to advising customers and the general public Cynthia Schneider Technical Editor, IBM Security Systems about emerging and critical threats, IBM X-Force David McMillen Security Intelligence Analyst—IBM Security Services also delivers security content to help protect IBM customers from these threats. David Merrill STSM, IBM Security Solutions, CISA Dr. Jens Thamm Database Management Content Security Gina Stefanelli IBM X-Force Marketing Manager Jason Kravitz Techline Specialist for IBM Security Systems Jay Bretzmann WW Market Segment Manager John Kuhn Senior Threat Analyst—IBM Security Services Larry Oliver Senior Cyber Threat/Security Intelligence Analyst Leslie Horacek IBM X-Force Threat Response Manager Marc Noske Database Administration, Content Security Mark E. Wallis Senior Information Developer, IBM Security Systems Mark Yason IBM X-Force Advanced Research Michael Montecillo Managed Security Services Threat Research and Intelligence Principal Ralf Iffert Manager IBM X-Force Content Security Randy Stone Engagement Lead, IBM Emergency Response Services (ERS) Robert Freeman Manager, IBM X-Force Advanced Research Robert Lelewski Engagement Lead for IBM Emergency Response Services (ERS) Scott Craig Team Lead—IBM Security Services—Data Intelligence Scott Moore IBM X-Force Software Developer and IBM X-Force Database Team Lead Veronica Shelley Identity and Access Management Segment Marketing Manager 2 IBM Security Systems IBM X-Force 2012 Trend and Risk Report IBM Security collaboration IBM Security collaboration IBM Security represents several brands that provide a broad spectrum of security competency. • IBM X-Force research and development team discovers, analyzes, monitors, and records a broad range of computer security threats, vulnerabilities, and the latest trends and methods used by attackers. Other groups within IBM use this rich data to develop protection techniques for our customers. • IBM X-Force content security team independently scours and categorizes the web by means of crawling, independent discoveries, and through the feeds provided by IBM Managed Security Services (MSS). • IBM MSS is responsible for monitoring exploits related to endpoints, servers (including web servers), and general network infrastructure for its clients. MSS tracks exploits delivered over multiple vectors including web, email and instant messaging. • IBM Professional Security Services (PSS) delivers enterprise-wide security assessment, design, and deployment consulting services to help build effective information security solutions. 3 IBM Security Systems IBM X-Force 2012 Trend and Risk Report Contents Contents Contributors 2 About IBM X-Force 2 Exploit kits: the Java connection 31 IBM Security collaboration 3 CVE-2012-0507 timeline 32 CVE-2012-1723 timeline 33 Executive Overview 6 CVE-2012-4681 timeline 34 Interest in Java exploits 35 2012 highlights 7 But why Java? 35 Threats 7 Conclusion and action steps 36 Operational security practices 8 Web content trends 38 Emerging trends in security 9 Analysis methodology 38 IPv6 deployment for websites 38 Section I—Threats 10 Internet usage by content category 40 Rising tide of security incidents 10 Internet penetration of social networks 42 Varying level of sophistication 11 Spam and phishing 43 ABC’s and DDoS’s 13 Slightly increased spam volume in the second term of 2012 43 What have we learned? 17 Major spam trends 44 IBM Managed Security Services—A global threat landscape 19 Email scams and phishing 45 MSS—2012 security incident trends 20 Spam—country of origin trends 47 Malicious code 23 Attacker reaction to botnet take downs 49 Probes and scans 24 Unauthorized access attempts 25 Inappropriate use 26 Denial of service (DoS) 27 Injection attacks 29 4 IBM Security Systems IBM X-Force 2012 Trend and Risk Report Contents Contents Section II—Operational security practices 50 Vulnerability disclosures in 2012 50 Identity and access intelligence for the enterprise 81 Web applications 51 The importance of protecting data and reputations 81 Exploits 54 Reduce risk with identity and access governance 83 CVSS scoring 56 Security intelligence for managing insider threats 83 Vulnerabilities in enterprise software 57 Summary 84 Chaos or coordination: how to facilitate an incident response team 61 Risk modeling, assessment and management: brought to you by the letter “T” 66 Section III—Emerging trends in security 85 Treat the Threat 67 Mobile computing devices should be more secure than Transfer the Threat 69 traditional user computing devices by 2014 85 Terminate the Threat 70 Application sandboxing 86 Tolerate the Threat 71 Signed code controls 87 Example server root access threat mitigation 72 Remote device or data wipe 87 Social media and intelligence gathering 74 Biocontextual authentication 87 Introduction 74 Separation of personas or roles 88 Intelligence collection background 75 Secure mobile application development 90 Data availability/vulnerabilities 76 Mobile Enterprise Application Platform (MEAP) 90 Enterprises as a collection of Individuals 77 Mobile Enterprise Management (MEM) 91 Individual privacy 77 Prediction conclusion 91 Tools for assistance 78 Mobile security controls—where are we now? 91 Protecting your enterprise 79 Conclusion 80 5 IBM Security Systems IBM X-Force 2012 Trend and Risk Report Executive overview Executive overview Over the past year, the IT security space has had we looked at some of the pitfalls and perils of for installing malware on end-user systems. Java numerous mainstream headlines. From the implementing BYOD programs without strict vulnerabilities have become a key target for exploit discovery of sophisticated toolkits with ominous formulations of policy and governance to support the kits as attackers take advantage of three key names like Flame to cross-platform zero-day use of these devices. That said, recent developments elements: reliable exploitation, unsandboxed code vulnerabilities, both consumers and corporations have indicated that while these dangers still exist, execution, and cross-platform availability across were inundated with advisories and alerts regarding we believe mobile devices should be more secure multiple operating systems. Java exploits have emerging threats. The frequency of data breaches than traditional user computing devices by 2014. become key targets in 2012 and IBM X-Force and incidents—which had already hit a new high in predicts this attack activity to continue into 2013. 2011—continued their upward trajectory. While this prediction may seem far fetched on the surface, it is based on security control trends and As we reported in the mid-year, spam volume At the mid-year of 2012, we predicted that the requirements that are being driven into the market remained nearly flat in 2012, with India claiming the explosive nature of attacks and security breaches by knowledgeable security executives. In this top country of origin for spam distribution, but the seen in the first half would continue. Indeed this report, we explore how security executives are nature of spam is changing. Broadly targeted was the case. advocating the separation of personas or roles on phishing scams, as well as more personalized employee-owned devices. We also discuss some spear-phishing efforts continue to fool end users While talk of sophisticated attacks and widespread secure software mobile application development with crafty social-engineering email messages that distributed denial-of-service (DDoS) attempts made initiatives that are taking place today. look like legitimate businesses. Also, fake banking the year’s headlines, a large percentage of alerts and package delivery service emails have breaches relied on tried and true techniques such The distribution and installation of malware on been effective as attackers refine their messages to as SQL injection. What continues to be clear is that end-user systems has been greatly enabled by the look like the authentic messages that customers attackers, regardless of operational sophistication, use of Web browser exploit kits built specifically for might normally receive. Whether the target is will pursue a path-of-least-resistance approach to this purpose. Exploit kits first began to appear in individuals or the enterprise, once again, we remind reach their objectives. 2006 and are provided or sold by their authors to readers that many breaches were a result of poorly attackers that want to install malware on a large applied security fundamentals and policies and Integration of mobile devices into the enterprise number of systems. They continue to be popular could have been mitigated by putting some basic continues to be a challenge. In the previous
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages96 Page
-
File Size-