IBM X-Force 2012 Trend and Risk Report

Executive overview
(PresseBox) (Ehningen, ) Over the past year, the IT security space has generated numerous mainstream headlines. From the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities, both consumers and corporations were inundated with advisories and alerts about emerging threats. The frequency of data breaches and incidents, which had already hit a new high in 2011, continued its upward trajectory. At mid-year 2012 we predicted that the explosive pace of attacks and security breaches seen in the first half would continue, and it did.

While sophisticated attacks and widespread distributed denial-of-service (DDoS) attempts made the year's headlines, a large percentage of breaches relied on tried-and-true techniques such as SQL injection. What remains clear is that attackers, regardless of operational sophistication, take the path of least resistance to their objectives. Integrating mobile devices into the enterprise continues to be a challenge. In the previous report we looked at the pitfalls and perils of implementing BYOD programs without the strict policy and governance needed to support these devices. Those dangers still exist, yet recent developments lead us to believe that mobile devices should be more secure than traditional user computing devices by 2014.

While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that knowledgeable security executives are driving into the market. In this report, we explore how security executives are advocating the separation of personas or roles on employee-owned devices. We also discuss some of the secure mobile application development initiatives taking place today.

The distribution and installation of malware on end-user systems has been greatly enabled by web browser exploit kits built specifically for this purpose. Exploit kits first appeared in 2006 and are provided or sold by their authors to attackers who want to install malware on a large number of systems. They remain popular because they give attackers a turnkey solution for installing malware on end-user systems. Java vulnerabilities have become a key target for exploit kits because they offer attackers three things at once: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java vulnerabilities were a key target in 2012, and IBM X-Force predicts that this attack activity will continue into 2013.

As we reported at mid-year, spam volume remained nearly flat in 2012, with India the top country of origin for spam distribution, but the nature of spam is changing.

Broadly targeted phishing scams, as well as more personalized spear-phishing efforts, continue to fool end users with crafty social-engineering email messages that appear to come from legitimate businesses. Fake banking alerts and package delivery notices have been especially effective as attackers refine their messages to mimic the authentic messages customers normally receive. Whether the target is an individual or the enterprise, we remind readers once again that many breaches resulted from poorly applied security fundamentals and policies and could have been mitigated by putting basic security hygiene into practice.

Web applications still top the chart of disclosed vulnerabilities, up 14% in 2012 over the 2011 year-end figures. As reported at mid-year, cross-site scripting (XSS) dominated web vulnerability disclosures at 53% of all publicly released web application vulnerabilities. Although SQL injection remains a top attack technique, disclosures of new SQL injection vulnerabilities remain below the 2010 peak we recorded. Social media has changed our lives with new ways to connect, personally and professionally. From this constant availability of information about individuals, attackers can readily harvest data for use in their activities. Now more than ever, individual employees who share personal details in their social profiles can be targeted for attacks. Let's take a closer look at how things shifted from mid-year through the end of 2012.
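The two web application flaws the overview keeps returning to, SQL injection and cross-site scripting, shown in a vulnerable and a hardened form side by side. This is an added example written for this page, not code from the X-Force report; the users table, its rows and the attacker inputs are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database (not data from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 0), ("admin", "hash-x", 1)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Attacker-controlled text is pasted into the SQL statement, so a quote
    # character ends the literal and the rest of the input becomes SQL syntax.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    # The value travels as a bound parameter: the database never parses it as
    # SQL, so quotes and keywords inside it are just characters to compare.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


def render_vulnerable(name):
    # Reflecting user input into HTML unescaped lets it carry markup and script.
    return "<p>Hello " + name + "</p>"


def render_escaped(name):
    # Output encoding for an HTML text node: <, >, &, ' and " become entities
    # and cannot break out of the element they are placed in.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))        # every user
    print("parameterized:", lookup_parameterized(db, payload))  # no user
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_escaped("<script>alert(1)</script>"))
```

The injected tautology turns a one-row lookup into a dump of the whole table; the parameterized form returns nothing because no user is literally named `x' OR '1'='1`. Note that `html.escape` is only correct for text-node context: input placed inside an attribute, a URL or a script block needs the encoding for that context.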

2012 highlights


Malware and the malicious web
- In 2012, near daily leaks of private information about victims were announced like game scoreboards through tweets and other social media. Personal details, such as email addresses, passwords (both encrypted and clear text), and even national ID numbers were put on public display. (page 10)
- Based on data for 2012, it is not surprising that the bulk of the disclosed security incidents involved attackers going after a broad target base with off-the-shelf tools and techniques. We attribute this to the wide public availability of toolkits and to the large number of vulnerable web applications on the Internet. (page 12)
- The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist to the banking DDoS attacks was the use of botnets built from compromised web servers in high-bandwidth data centers. Such servers stay connected far longer and have much more bandwidth than home PCs, which made the attacks correspondingly more powerful. (page 14)
- In the sampling of security incidents from 2012, the United States had the most breaches, at 46%. The United Kingdom was second at 8% of total incidents, with Australia and India tied for third at 3%. (page 16)
- IBM Managed Security Services (MSS) security incident trends are markers of the state of security across the globe. The relative volume of the various alerts helps describe how attacks are established and launched, and frequently hints at how methods have evolved. On this basis, the main focus in 2012 appears to have been the subversion of systems, with larger coordinated attacks executed across fairly broad swaths of the Internet. (page 20)
- IBM MSS has noted a dramatic and sustained rise in SQL injection-based traffic, due in large part to a consistent effort from the Asia Pacific region. The alerts came from all industry sectors, with a bias toward banking and finance targets. (page 23)
- Web browser exploit kits (also known as exploit packs) are built for one purpose: to install malware on end-user systems. In 2012 we observed an upsurge in web browser exploit kit development and activity, the primary target of which is Java vulnerabilities, and we supply some strategies and tips to help protect against future attacks. (page 31)
- Java continues to be a key target for attackers. It has the advantage of being both cross-browser and cross-platform, a rare combination that gives attackers a lot of value for their investment. (page 35)
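The MSS observation above, a sustained rise in SQL injection traffic, is the kind of thing that starts as a detection pass over web server access logs. The following is an added example, not the report's or IBM MSS's detection logic: the log lines and IP addresses are constructed (RFC 5737 documentation ranges) and the signature list is illustrative rather than a production rule set. It shows three practical details: decoding the request until it stops changing so double encoding does not hide the payload, matching the shape of an injection rather than bare keywords so a search for the word "select" is not flagged, and counting hits per source so the sustained sources stand out.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log in Common Log Format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2012:10:01:22 +0000] "GET /products.php?id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Nov/2012:10:01:25 +0000] "GET /products.php?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 20480
198.51.100.23 - - [12/Nov/2012:10:02:01 +0000] "GET /login.php?user=admin%27--&pass=x HTTP/1.1" 302 0
198.51.100.23 - - [12/Nov/2012:10:02:09 +0000] "GET /search.php?q=shoes%20UNION%20SELECT%20username,password_hash%20FROM%20users HTTP/1.1" 500 312
192.0.2.10 - - [12/Nov/2012:10:03:00 +0000] "GET /search.php?q=select%20a%20size HTTP/1.1" 200 8000
192.0.2.44 - - [12/Nov/2012:10:03:10 +0000] "GET /item.php?id=%2531%2527%2520or%25201%253D1 HTTP/1.1" 200 9000
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Illustrative signatures for common injection shapes (assumed, not from the report).
PATTERNS = [
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("union_select", re.compile(r"\bunion\b[\s/*]+\bselect\b", re.I)),
    ("comment", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
    ("time_based", re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bbenchmark\s*\(", re.I)),
]


def decode_fully(s, max_rounds=3):
    """URL-decode until the text stops changing, so double encoding cannot hide a payload."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path):
    """Return the names of every signature that matches the decoded request path."""
    decoded = decode_fully(path)
    return [name for name, rx in PATTERNS if rx.search(decoded)]


def detect_sqli(lines):
    """Return (source_ip, raw_path, reasons) for each log line that trips a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        reasons = classify(m["path"])
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits


def hits_by_source(hits):
    """Count flagged requests per source IP; a sustained source is what to escalate."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_sqli(SAMPLE_LOG)
    for ip, path, reasons in found:
        print(ip, path, reasons)
    print(hits_by_source(found))
```

Four of the six lines are flagged; the legitimate search for "select a size" is not, and the double-encoded request from 192.0.2.44 is caught only because the path is decoded twice. Access logs carry GET parameters only, so a POST-based injection needs the same logic applied to request bodies at the application or WAF layer, and any signature list like this will need tuning against the application's own traffic before the alerts are trusted.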

Web content trends, spam, and phishing

Web content trends
- The most-used websites are increasingly deployed IPv6-ready, although attackers do not yet appear to be targeting IPv6 on a large scale. (page 38)
- One third of all web access goes to websites that allow users to submit content, such as web applications and social media. (page 40)
- Nearly 50% of the relevant websites now link to a social network platform, and this intense proliferation poses new challenges to companies that need to control the sharing of confidential information. (page 42)

Spam and phishing
- Spam volume remained nearly flat in 2012. (page 43)
- India remains the top country for distributing spam, sending more than 20% of all spam in the autumn of 2012. Following India was the United States, where more than 8% of all spam was generated in the second half of the year. Rounding out the top five spam-sending countries of origin were Vietnam, Peru, and Spain. (page 47)
- At the end of 2012, IBM reports that traditional spam is on the retreat, while scams and spam carrying malicious attachments are on the rise. In addition, attackers are proving more resilient to botnet takedowns, which results in an uninterrupted flow of spam. (page 49)

Operational security practices

Vulnerabilities and exploitation
- In 2012, we saw 8,168 publicly disclosed vulnerabilities. While not the record amount we expected to see after reviewing our mid-year data, it still represents an increase of over 14% over 2011. (page 50)
- Web application vulnerabilities surged 14% from 2,921 vulnerabilities in 2011 to 3,551 vulnerabilities in 2012. Cross-site scripting vulnerabilities accounted for over half of the total web application vulnerabilities disclosed in 2012. (page 51)
- Cross-site scripting dominated web vulnerability disclosures. Fifty-three percent of all publicly released web application vulnerabilities were cross-site scripting related, the highest rate we have ever seen. This dramatic increase occurred while SQL injection disclosures rose slightly over 2011 but remained well below their 2010 level. (page 52)
- There were 3,436 public exploits in 2012. This is 42% of the total number of vulnerabilities, up 4% from 2011 levels. (page 54)
- Web browser vulnerabilities declined slightly in 2012, though not as sharply as document-format vulnerabilities. While the overall number of web browser vulnerabilities dropped by a nominal 6% from 2011, the number of high- and critical-severity web browser vulnerabilities rose by 59% for the year. (page 59)
- Few innovations have changed the way the world communicates as much as social media. However, the mass interconnection and constant availability of individuals have introduced new vulnerabilities and a fundamental shift in intelligence-gathering capabilities, providing attackers and security professionals alike with information useful for their activities. (page 74)
- Rather than seeing an enterprise as a single entity, attackers can view it as a collection of personalities. This lets them target specific people rather than enterprise infrastructure or applications. Furthermore, those people may be targeted as individuals and not just as employees: the personal activities and lives of employees can be leveraged to target the enterprise. (page 77)

Emerging trends in security

- Prediction: Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead in technology trends. While this prediction may seem far-fetched on the surface, it is based on security control trends and requirements that are being driven into the market by knowledgeable security executives. (page 85)
- Separation of personas or roles: While a small percentage of enterprises have dealt with BYOD by using virtualized desktop solutions to separate and control enterprise applications and data from the rest of the personally owned device, a greater number have wanted or required some form of separation or dual persona on mobile devices. This difference in adoption likely reflects the far larger share of personally owned mobile devices, compared with personally owned PCs, in a BYOD program, and the greater risk that this larger number of devices carries. (page 88)
- In many cases, enterprises have invested significantly in Secure Software Development Life Cycle (SSDLC) processes, and today's mobile application development benefits from this. Tools exist to support secure development as part of the process rather than deferring it to qualification or production. As a result, enterprises should increasingly find their mobile applications more securely developed than their legacy applications. Vulnerabilities in some traditional computing applications may only be closed out as existing versions are sunset and replaced with newer, more securely developed replacements. (page 90)
- Over 2012, it is safe to conclude that more enterprises are supporting BYOD, or the use of personally owned devices, than before. In the last two years, IBM Security has spoken to hundreds of Global 2000 customers, and of those interviewed only three said they had no plans to implement any kind of BYOD program. (page 91)

Report contents

Contributors 2
About IBM X-Force 2
IBM Security collaboration 3
Executive Overview 6
2012 highlights 7
Threats 7
Operational security practices 8
Emerging trends in security 9
Section I—Threats 10
Rising tide of security incidents 10
Varying level of sophistication 11
ABC’s and DDoS’s 13
What have we learned? 17
IBM Managed Security Services—A global threat landscape 19
MSS—2012 security incident trends 20
Malicious code 23
Probes and scans 24
Unauthorized access attempts 25
Inappropriate use 26
Denial of service (DoS) 27
Injection attacks 29
Exploit kits: the Java connection 31
CVE-2012-0507 timeline 32
CVE-2012-1723 timeline 33
CVE-2012-4681 timeline 34
Interest in Java exploits 35
But why Java? 35
Conclusion and action steps 36
Web content trends 38
Analysis methodology 38
IPv6 deployment for websites 38
Internet usage by content category 40
Internet penetration of social networks 42
Spam and phishing 43
Slightly increased spam volume in the second term of 2012 43
Major spam trends 44
Email scams and phishing 45
Spam—country of origin trends 47
Attacker reaction to botnet take downs 49


IBM Deutschland GmbH
IBM-Allee 1
D-71139 Ehningen
Hans-Juergen Rehm
IBM Deutschland