RISE OF THE NEW LOOP HOLES

 

 

 

According to IBM the loop holes are up and so too are the number left unpathched.

The annual IBM X-Force 2010 Trend and Risk Report reveals that in 2010, there was a 27 percent year-over-year increase in the number of new security vulnerabilities. In total, IBM documented more than 8,000 new vulnerabilities in 2010.

"In conjunction with that there was also a 21 percent increase in the public release of exploit code that targets vulnerabilities," Tom Cross, threat intelligence manager at IBM X-Force told InternetNews.com. "This data means that we were busier in 2010 than 2009, it's also indicative of the progress that has been made."

"There is a window of opportunity that an attacker has to target vulnerabilities," Cross said. "That window opens when a vulnerability is discovered and it closes when the system the attacker goes after has been patched."

"We think attackers develop exploits shortly after vulnerabilities are publicly disclosed," Cross said. "Talking about the window of opportunity is important for vendors to make sure they deliver patches quickly and also to make sure that people that operate computer networks are installing the patches quickly."seem to be on the decline.

"Phishing attacks all but disappeared in 2010," Cross said. "We still see a fair amount of them, but relative to the volumes that we were seeing in 2009 and 2008 there is less than a quarter of the volume of phishing attacks, so that may represent some progress."

 

Cross suspects that phishers have moved on to other techniques, including ATM skimming, which can prove to be more effective. Overall, Cross suggest that it is critical for organization to be aware of what is running in their organization and what need to be patched.

"IBM has been working with partners in the industry on a standard called the Common Vulnerability Reporting Framework, which is an XML format for reporting security vulnerabilities," Cross said. "We want to make security vulnerability disclosure easier to keep track off."

 

Saurabh Srivastava

M.S.2011 cyberlaw information security