IBM X-Force 2011 Trend and Risk Report March 2012 IBM Security Systems IBM X-Force 2011 Trend and Risk Report Contributors Contributors Producing the IBM X-Force Trend and Risk Report is a dedication in collaboration across all of IBM. We would About X-Force like to thank the following individuals for their attention and contribution to the publication of this report. The IBM X-Force® research and development teams study and monitor the latest threat trends including Contributor Title Contributor Title vulnerabilities, exploits and active attacks, viruses Bryan Casey Market Manager, Mark E. Wallis Senior Information Developer, and other malware, spam, phishing, and malicious IBM Security Systems IBM Security Systems web content. In addition to advising customers and Carsten Hagemann X-Force Software Engineer, Marne Gordan Regulatory Analyst, Content Security IBM Security Systems the general public about emerging and critical Colin Bell Security Solution Architect, Michael Applebaum Director of Product Marketing, threats, X-Force also delivers security content to help Lab Services & Support, Q1 Labs protect IBM customers from these threats. IBM Security Systems Michael Montecillo Managed Security Services Threat Clay Blankenship Senior Incident Response Analyst Research and Intelligence Principal Cynthia Schneider Information Developer Michelle Alvarez Manager, MSS Global Operations David McMillen Security Intelligence Analyst, Paul Sabanal X-Force Advanced Research ––––––––– D e dicati o n ––––––––– IBM Security Services Phil Neray Q1 Labs Marketing Leader, The IBM X-Force 2011 Trend and Risk David Merrill STSM, IBM Chief Information IBM Security Systems Security Office, CISA Report is dedicated in memory of our friend Ralf Iffert Manager X-Force Content Security Dr. Jens Thamm Database Management and colleague Marne Gordon who passed Randy Burton Senior Incident Response Analyst Content Security away during the production of this report. A Robert Lelewski Senior Incident Response Analyst Dr. Ashok Kallarakkal Sr. Manager, regulatory analyst with the IBM Security Product Management and Beta Ops Ron Black Senior Incident Response Analyst Division’s security strategy team, Marne’s Gina Stefanelli X-Force Marketing Manager Ryan Berg Cloud Security Strategy Lead knowledge and focus on cloud and social Jason Kravitz Techline Specialist for Scott Moore X-Force Software Developer and media security are featured in this report. IBM Security Systems and E-Config X-Force Database Team Lead She was a frequent speaker at industry John C. Pierce Threat Intelligence Analyst, Shane Garrett Team Lead, X-Force AI, MSS Advanced Research events and published numerous articles on the topics of security and compliance. John Kuhn Security Intelligence Analyst, Tom Cross Manager, X-Force Strategy and Threat IBM Security Services Intelligence Marne, and the contributions she made to Kimberly Madia Data Security Strategy, Veronica Shelley Segment Marketing Manager security, compliance, and to IBM will be InfoSphere Guardium & Optim IBM Security Systems greatly missed. Leslie Horacek X-Force Threat Response Manager Marc Noske Database Administration, Content Security 2 IBM Security Systems IBM X-Force 2011 Trend and Risk Report IBM security collaboration IBM security collaboration IBM Security represents several brands that provide a broad spectrum of security competency. • While the X-Force research and development teams are busy at work analyzing the latest trends and methods used by attackers, other groups within IBM use that rich data to develop protection techniques for our customers. • The IBM X-Force research and development team discovers, analyzes, monitors, and records a broad range of computer security threats and vulnerabilities. • IBM Managed Security Services (MSS) is responsible for monitoring exploits related to endpoints, servers (including web servers), and general network infrastructure. MSS tracks exploits delivered over the web as well as other vectors such as email and instant messaging. • Professional Security Services (PSS) delivers enterprise-wide security assessment, design, and deployment services to help build effective information security solutions. • The IBM X-Force content security team independently scours and categorizes the web through crawling, independent discoveries, and through the feeds provided by MSS. • IBM has collated real-world vulnerability data from security tests conducted over the past several years from the IBM AppScan® OnDemand Premium Service. This service combines application security assessment results obtained from IBM AppScan with manual security testing and verification. • IBM Security Services supports the cloud in two ways: Security Services for the Cloud that help clients begin their journey to the cloud by providing security expertise and Security from a cloud-based model that helps reduce costs and complexity, improve security posture and meet compliance requirements. • IBM Identity and access management solutions enable organizations to efficiently centralize and automate the management of identity profiles and access privileges for authorized users. These solutions can further strengthen security with strong authentication, single sign-on, and audit/reporting tools for monitoring user access activity. • IBM data and information security solutions deliver capabilities to help protect data and access management that helps address information lifecycle security across the enterprise. • IBM InfoSphere® Guardium® provides a scalable enterprise solution for database security and compliance that can be rapidly deployed and managed with minimal resources. • The QRadar Security Intelligence Platform from Q1 Labs, an IBM Company, offers an integrated solution for SIEM, log management, configuration management and anomaly detection. It provides a unified dashboard and real-time insight into security and compliance risks across people, data, applications and infrastructure. 3 IBM Security Systems IBM X-Force 2011 Trend and Risk Report Contents > Section I Contents Section I Contributors 2 The BEAST 35 About X-Force 2 Mitigation 36 IBM security collaboration 3 DigiNotar and Comodo compromises 36 Section I –Threats 6 Certificate revocation 37 Executive overview 6 SSL trust model 37 2011 Highlights 8 Problems with the SSL trust model 38 Threats 8 Revising SSL trust 38 Operating secure infrastructure 9 What does the future hold? 39 Software development security practices 10 The emergence of Mac malware 39 Emerging trends in security 10 Introduction 39 2011—Year of the security breach 12 MacDefender 39 From mid-year to the new year—the breach plays on 12 Flashback 40 Game changers in the second half of 2011 13 DevilRobber 41 Lessons learned 14 Conclusion 41 The way forward 15 Web content trends 43 IBM Managed Security Services— A global threat landscape 16 Analysis methodology 43 MSS—2011 top high-volume signatures 16 IPv6 deployment for websites 43 The continuing threat of SQL injection 27 Increase of anonymous proxies 44 SQL injection 27 Malicious websites 46 The nature of the threat 28 Spam and phishing 49 Helping to protect your code 29 Spam volume continues to decline 49 Helping to protect your server 30 Major spam trends 2011 50 Helping to protect your network 31 Common top-level domains in URL spam including long-term trends 53 Conclusion 32 Spam—country of origin trends 55 Challenges to SSL security 33 Email scam and phishing 56 THC-SSL-DOS 33 Evolution of spam 61 The TLS Handshake 33 Future prospects on spam 65 Mitigation 34 4 IBM Security Systems IBM X-Force 2011 Trend and Risk Report Contents > Section II, III and IV Contents Section II, III and IV Section II—Operational Security Practices 66 Changes in IT environments and evolving business initiatives 106 Introducing Security Intelligence: An integrated approach to real-time security 66 Smarter, more sophisticated attackers 106 Defining Security Intelligence 66 Compliance mandates 106 The analogy to Business Intelligence 67 Leveraging a holistic data security and privacy approach 108 The tenets of Security Intelligence 68 A three-tiered approach to ensure holistic data protection 109 How does Security Intelligence differ from SIEM? 69 Section III—Software Development Security Practices 111 What are the main benefits? 70 Conclusions from real-world web application assessments 111 Best practices for Security Intelligence 72 Methodology 111 Conclusion 73 Metric points 112 Vulnerability disclosures in 2011 74 2011 application vulnerability trends 113 Web application 74 Annual trends (2007—2011) 114 Declines in exploitation 78 Business segments 116 Attackers shifting attention to new areas of focus 82 Application security test cycle 118 Vulnerabilities in enterprise software 84 Section IV—Emerging Trends in Security 120 Social engineering social media: How the attackers do It 89 Mobile security and the enterprise—a year in review 120 Overview 89 Mobile malware perspective 121 Intelligence gathering 90 BYOD and secure isolation 123 Open source intelligence gathering 90 Importance of device management convergence in role-based enterprises 124 How it works—not rocket science 91 A retrospective look at the state of security in the cloud 126 Steps organizations can take to mitigate social media risks 93 Adopting security for the cloud 127 Future trends 96 Design considerations 127 Top 10 common CSIRP mistakes 97 Deployment considerations 127 Incident response—preparing your infrastructure for response at scale 100 Consume considerations 128 Preparation: