Despite strides to improve security, existing threats such as phishing and document format vulnerabilities continue to expand.
This is according to the IBM X-Force 2009 Trend and Risk Report. The report reveals three main threats demonstrating how attackers increasingly target Internet users for monetary gain or data theft.
These threats include the massive increase of new global malicious Web links. Last year saw a 345% increase in malicious Web pages compared to 2008, the report reveals. This trend is further proof that attackers are successful at hosting malicious Web pages, and that Web browser-related vulnerabilities and exploitation are likely netting a serious return, comments the company.
The second major security threat is the proliferation of phishing activity, in which an attacker attempts to acquire sensitive information by masquerading as a legitimate organisation, the report found.
While some phishing scams target logins and passwords, others attempt to entice victims into entering detailed personal information by posing as government institutions. By industry, 61% of phishing e-mails claim to be sent by financial institutions, whereas 20% claim to come from government organisations.
The report also found that vulnerability disclosures for document readers and editors continued to soar in 2009, specifically with PDF documents.
Stemming the tide
However, the report states that the number of unpatched vulnerabilities in Web browsers and in document readers and editors has decreased, which indicates that software vendors have become more responsive to security issues. The year 2009 saw a more than 50% increase in vulnerability disclosures for these categories versus 2008.
“Despite the ever-changing threat landscape, this report indicates that overall, vendors are doing a better job at responding to security vulnerabilities,” says Tom Cross, manager of IBM X-Force Research. “However, attackers have clearly not been deterred, as the use of malicious exploit code in Web sites is expanding at a dramatic rate.”
Overall, 6 601 new vulnerabilities were discovered in 2009, an 11% decrease from 2008.
The report indicates that declines in the largest categories of vulnerabilities, such as SQL Injection, in which criminals inject malicious code into legitimate Web sites, and ActiveX, an Internet Explorer plug-in to help with tasks, may indicate that some of the more easily discovered vulnerabilities in these classes have been eliminated and that security is improving.