Corporations are Biggest IT Security Threat to Customers, IBM Says

By Matthew Harwood

Corporations are unwittingly becoming the biggest IT security threat to their customers, according to IBM's X-Force Threat Analysis Service.

"With an alarming increase in attacks using legitimate business sites as launching pads for attacks against consumers," according to IBM, "cybercriminals are literally turning businesses against their own customers in the ongoing effort to steal consumers' personal data."

The security intelligence firm said that the biggest vulnerability had to do with web applications, which they called "the Achilles Heal of Corporate IT Security."

"Attackers are intensely focused on attacking Web applications so they can infect end-user machines," said IBM. "Meanwhile, corporations are using off-the-shelf applications that are riddled with vulnerabilities or even worse, custom applications that can host numerous unknown vulnerabilities that can't be patched."

According to the 2008 X-Force report, more than half of all the vulnerabilities found involved web applications. Worse, 74 percent of the vulnerabilities affecting web applications had no available vendor patch by the end of 2008.

SQL injection replaced cross-site scripting as the largest Web application vulnerability, skyrocketing 134 percent since last year. SQL injection is usually used by cybercriminals to redirect their victim from a vulnerable Web site to their own Web site where they can unleash remote code exploits against the victim's browser. SQL injections are a popular way for cybercriminals to steal customer data like credit card information.

Kurt Lamb, senior operations manager of X-Force Research and Development, said he was surprised SQL injection remained so potent.

"It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed," he said. "Cybercriminals target businesses because they provide an easy target to launch attacks against anyone that visits the Web."

But there are ways to detect vulnerable applications and SQL injection while surfing on the Web.

"It is ... possible to use Web search engines such as Google to find sites running vulnerable applications, and there are many publicly available tools that can test for SQL injection, including some plug-ins for Firefox," the report says.

The past year has also been a record-breaking year for discovering vulnerabilities writ large. Known vulnerabilities increased by more than 13.5 percent over 2007. The severity of the vulnerabilities have also increased since last year. High and critical severity vulnerabilities jumped up by 15.3 percent while medium security vulnerabilities grew 67.5 percent.

The report also ranked the most vulnerable operating systems with Apple and Linux kernal dominating the top spots followed by Microsoft operating systems and IBM AIX.



View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.