Network Security, Threat Management

Mobile malware, “whaling” top challenges of 2011, says IBM report

An unprecedented number of successful attacks on corporate networks in the first half of the year illustrates that "basic network security is not just a technical problem, but rather a complex business challenge," according to the "IBM X-Force 2011 Mid-year Trend and Risk Report," released on Thursday

To address these new challenges, the report said, enterprises need to shape their risk exposure, communication, end-user education and technology in a delicate balance.

One of the newest vectors of attack – the so-called “bring your own device” approach – has sprung up from the burgeoning market for smartphones and tablets and their adaption into the enterprise network, the report said. Security issues seen on the mobile platform are rising with the market – with double the number of mobile exploit releases that were seen in 2010.

Third-party app markets, a Wild West of often unregulated offerings, are the primary bazaar for malicious software created to attack mobile phones. On top of the heap of malicious software for mobile devices are corrupt SMS messaging services, which dupe consumers into sending text messages that result in premium charges. Such services also could also lead to data being siphoned from users' devices, the report found.

Infected mobile applications can also come from peer-to-peer networks hosted on websites. These gray-area venues have been used for years by consumers downloading pirated music and movies (for free or at low cost), and are now serving up knock-off versions of commercial Android applications. The problem is that many of those third-party apps come loaded with malware.

"It is not just a hypothetical risk anymore," Tom Cross, manager of threat intelligence and strategy for IBM X-Force, told on Friday.

Critical vulnerabilities are also causing major concern. In the first half of 2011, such flaws allowed three times as many high-profile attacks as the previous year, causing IBM to call 2011 the “Year of the Security Breach."

“[Mobile malware] is not just a hypothetical risk anymore."

– Tom Cross, manager of threat intelligence and strategy for IBM X-Force

This year's breaches have highlighted the emerging risk of “whaling,” a variant of spear phishing that targets "big fish,” or high-level personnel with access to critical data. These targeted attacks involve the "bad guys" researching online profiles to amass enough personal information on a target so that when they receive a customized message that seems as if it is coming from their boss or IT administrator, etc., they're duped into clicking on a mailicious link.

Of further concern for IT security professionals is the rise of professional teams charged with collecting intellectual property and strategic intelligence, the report found. These nefarious rings have gained access and, in some cases, maintain a presence on critical computer networks – as was seen in Operation Shady RAT – via sophisticated technical capabilities, and are often referred to as advanced persistent threats (APTs), the report said.

"The APT-style attack is not going away," Cross said, nor is growing sophistication in the way attackers break into networks.

In addition, so-called hacktivist groups, such as LulzSec and Anonymous, have used well-worn attack techniques, such as SQL injection, to successfully target websites and computer networks for political ends rather than financial gain.

For IBM's Cross, one of several contributors to the report, the increase in number and variety of these exploits indicates that perhaps enterprise defenses are not being implemented to a necessary degree. "The network is constantly changing, and this requires more focus from executives to remove financial, cultural and operational burdens," he said

But, the good news, he added, is that there were advances in computer security that show progress in fighting these sorts of attacks. Web application vulnerabilities, for example, went from 49 percent of all vulnerability disclosures down to 37 percent, the first time X-Force has seen a decrease in five years.

Web browsers, traditionally a primary target of internet attackers, also were found to be less of a risk for attack than they have been in the past.

Another improvement was a significant decrease in spam, a result of efforts by law enforcement to shut down botnet operations.

"There are signs some battles have been won," Cross said. There is a lot of work being done by security personnel that is having an impact, but they need to be diligent in making certain that security controls are not only implemented, but patched and up-to-date, Cross said.

For mobile malware, particularly, it is essential for IT teams to consistently employ anti-malware and patch management software for phones in enterprise environments, as many mobile phone vendors do not rapidly push out security updates for their devices, the report said.

The IBM X-Force team compiles and analyzes intelligence gathered through public vulnerability disclosures, as well as an average of 12 billion security events each day.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.