As the title says, the 2008 security trend and risk report is now out from IBM Internet Security Systems.
It’s taken a while, but the X-Force analysts who've obviously been beavering away since year end (and quite a bit before that too) have finally put down their pens and completed their investigations of the major security trends and risks of 2008. Yay!
The tome is a must read for any security professional out there – and I don’t use the word “tome” lightly. At 106 pages in length, the X-Force team have outdone themselves, and there’s something in there for everyone.
Given the breadth of security analysis covered within the report, I’m not going to list the highlights. You can find a 2008 summary within the report itself (which stretches on for 3 pages!) or, if you want something even shorter, you’ll find highlights of the highlights within the official press announcement.
What are some of the most interesting findings from my perspective?
The X-Force vulnerability analysis team recorded 7,406 new publicly disclosed vulnerabilities in 2008. That’s a new record – up 13.5 percent from the previous year, and representing 19 percent of all publicly disclosed vulnerabilities. While not quite exponential growth, the curve continues to go the wrong way.
The number of vulnerabilities that businesses should be worrying about also grew in absolute terms – with Critical and High impact vulnerabilities representing 39 percent of public disclosures.
However, the really important thing to note is that this number – 7,406 – represents the minimum count of new vulnerabilities that were actually discovered in 2008. Many, many more vulnerabilities than that were uncovered during the year and never publicly disclosed – and probably won’t ever be made public. On the other hand though, it’s more than likely that the vast majority of those discovered-but-undisclosed vulnerabilities will be low on the CVSS scale and not something to lose sleep over. After all, which researchers want to go through all the effort of a public disclosure write-up for a low-risk local DoS in “Jim’s Rifle Ballistics Calculator”?
Public Exploit Code Availability
Another critical finding is that 89 percent of public exploits were released on the same day (or before) the official disclosure of the vulnerability. What this really means is that preemptive protection is where modern security defenses need to focus.
Sure, there’s only so much you can do about a new 0-day exploit for an unpatched default service on a popular operating system, but a sizable chunk of this number has to do with entire families of vulnerabilities that are exploited the same way (using the same tools) – e.g. SQL Injection. If you have the right protection technology against SQL Injection, you’ll probably find it protects against last year’s SQL injection vulnerabilities as easily as it does against today’s 0-day and the ones that’ll appear throughout 2009.
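To make the “protect against the whole family” point concrete, here is an added example (not code from the report or from IBM ISS/X-Force) showing why a class-level defense works: the same lookup written with string concatenation and with a parameterized query. It assumes only Python’s standard sqlite3 module and a constructed in-memory users table; the tainted input is a constructed sample, not taken from the report.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory user table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Builds SQL by string concatenation: the user-supplied value becomes part of
    # the query text, so any input that changes the SQL grammar runs as SQL.
    # This is the defect pattern; every SQL injection bug in this family looks like it.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterized query: the driver binds the value separately from the query
    # text, so it is always treated as data no matter what characters it contains.
    # One fix pattern covers the whole family, old bugs and new ones alike.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    # Constructed input that is not a real username but which a concatenating
    # query reads as extra SQL (a tautology on the WHERE clause).
    tainted = "x' OR '1'='1"
    return {
        "normal_vuln": lookup_vulnerable(conn, "bob"),
        "normal_safe": lookup_hardened(conn, "bob"),
        "tainted_vuln": lookup_vulnerable(conn, tainted),
        "tainted_safe": lookup_hardened(conn, tainted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Both functions return the same single row for a normal username. With the tainted input, the concatenating version returns every row in the table because the input rewrote the WHERE clause, while the parameterized version returns nothing because no user has that literal name. That behavioural difference is what a generic SQL injection defense (parameterization in code, or a filter that flags grammar-changing input at the boundary) keys on, independent of which particular application or vulnerability is involved.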
One word of warning though. The way in which Web browser vulnerabilities are being exploited (through the use of mass interconnected drive-by-download networks) means that 0-day threats are a real danger to anyone using a Web browser today. New exploits can propagate to tens of thousands of new malicious Web sites within minutes. So, if there’s one area of patching that now has to be at the top of any corporate security team’s mind, it’s Web browser patching. I wrote about this and the new studies last year on the Frequency-X Blog (and more recently here) – Web browser auto-updating technologies need to improve. They need to get even faster and need to better encompass the myriad of plug-ins too.
Read the Report
I really do recommend that you take some time out to read the report. It’s a fascinating story of how Internet security has evolved throughout 2009.
However, try to be green and not print it out. 106 pages is a lot of dead tree.