Select a topic or year
ARMONK, N.Y. - 26 Aug 2009: IBM (NYSE: IBM ) today released results from its X-Force 2009 Mid-Year Trend and Risk Report. The report's findings show an unprecedented state of Web insecurity as Web client, server, and content threats converge to create an untenable risk landscape.
According to the report, there has been a 508 percent increase in the number of new malicious Web links discovered in the first half of 2009. This problem is no longer limited to malicious domains or untrusted Web sites. The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites. The ability to gain access and manipulate data remains the primary consequence of vulnerability exploitations.
The X-Force report also reveals that the level of veiled Web exploits, especially PDF files, are at an all time high, pointing to increased sophistication of attackers. PDF vulnerabilities disclosed in the first half of 2009 surpassed disclosures from all of 2008. From Q1 to Q2 alone, the amount of suspicious, obfuscated or concealed content monitored by the IBM ISS Managed Security Services team nearly doubled.
"The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted," said X-Force Director Kris Lamb. "There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity."
Web security is no longer just a browser or client-side issue; criminals are leveraging insecure Web applications to target the users of legitimate Web sites. The X-Force report found a significant rise in Web application attacks with the intent to steal and manipulate data and take command and control of infected computers. For example, SQL injection attacks - attacks where criminals inject malicious code into legitimate Web sites, usually for the purpose of infecting visitors - rose 50 percent from Q4 2008 to Q1 2009 and then nearly doubled from Q1 to Q2.
"Two of the major themes for the first half of 2009 are the increase in sites hosting malware and the doubling of obfuscated Web attacks," Lamb said. "The trends seem to reveal a fundamental security weakness in the Web ecosystem where interoperability between browsers, plugins, content and server applications dramatically increase the complexity and risk. Criminals are taking advantage of the fact that there is no such thing as a safe browsing environment and are leveraging insecure Web applications to target legitimate Web site users."
The 2009 Midyear X-Force report also finds that:
The X-Force research team has been cataloguing, analyzing and researching vulnerability disclosures since 1997. With more than 43,000 security vulnerabilities catalogued, it has the largest vulnerability database in the world. This unique database helps X-Force researchers to understand the dynamics that make up vulnerability discovery and disclosure.
IBM is one of the world's leading providers of risk and security solutions. Clients around the world partner with IBM to help reduce the complexities of security and strategically manage risk. IBM's experience and range of risk and security solutions -- from dedicated research, software, hardware, services and global Business Partner value -- are unsurpassed, helping clients secure business operations and implement company-wide, integrated risk management programs.
For more security trends and predictions from IBM, including graphical representations of security statistics, download the 2009 IBM X-Force Mid-Year Trend and Risk Report today.
For more information about IBM, visit www.ibm.com.
News of interest to IBM investors
|Security and Risk
IBM solutions that help with security, risk management, and compliance