Unpatched flaws still favourite attack vector: IBM X-Force

Zero day exploits and custom malware pack deadly punches and frequently grab the headlines, but many cyber criminals are focusing on less sophisticated methods to bypass security, according to a recent report from IBM’s X-Force security research team.

Attackers are having easy success in targeting unpatched flaws in commonly used applications such as Adobe Flash and Java and are still using social engineering techniques and they are the most cost effective hacking techniques, according the X-Force 2013 Mid-year Trend and Risk Report.

For example Web app vulnerabilities like coding errors found in content management systems are down this year making up 31 per cent of publicly reported vulnerabilities compared to 42 per cent in 2012. However, cyber criminals are focusing their attacks on third-party builders of plug-ins for CMSs and only 54 per cent of vulnerabilities had a patch supplied in the first half of 2013, according to IBM.

Attackers have also demonstrated enhanced methods in using distributed-denial-of-service (DDoS) that increase the amounts of capable bandwidth as an updated and powerful way to halt business by interrupting online service as well as new DDoS mitigation evasion techniques.

For the first six months of 2013, IBM X-Force analyzed 4,100 new security vulnerabilities, scanned 900 million new Web pages and images. The research also resulted in the creation of 27 million new or updated entries in the IBM Web filter database and insertion of 180 million new or updated signatures in the IBM spam filter database.

“For me personally, the non-technical elements of the findings were the parts that struck me the most,” said Stewart Cawthray, chief security architect for IBM Security Service in Canada. “The use of social media postings for target reconnaissance, the use of so-called ‘watering holes’ as areas to disseminate attacks from trusted sources and exploiting human nature by distracting and diverting attention away from the real attack, are not really new but evidence show they are very effective.”

For example IBM has seen continued growth in the compromising of trusted special interest Web sites and social media sites. Cyber criminals “poison” these “watering holes” by using them to serve up malware to unsuspecting visitors.

Workers should review installed browser plug-ins and uninstall those that are not being used of have not been used for a long time. Users should also disable ActiveX controls in Microsoft Office because it is a favourite target of attackers and enable Click-to-Play in the browser to prevent drive-by attacks.

Many Canadian companies continue to rely on traditional security controls to protect their networks, said Cawthray. Firewalls and intrusion prevention tools are needed but they are not very effective against social media threats.

He said companies need to develop social media policies on how to use various social media services.

“Malware distributed through social media, preys on weak passwords and unpatched vulnerabilities,” he said. “If enterprises ensure they are patching systems quickly the attack surface is reduced and malware becomes ineffective.”
Get the X-Force 2013 Mid-Year Trend and Risk Report here


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Nestor E. Arellano
Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now