CIO and CSO should take a follow the money approach to security: IBM X-Force

CIOs and CSOs could do well to consider the monetisation cost and overall profitability of security risks when considering how to safeguard their organisations, according to the findings of a new report from IBM’s Internet Security Systems X-Force research and development team.

The 2008 X-Force Threat and Risk Report finds that despite there being many headline security issues in 2008, a number if these never amounted to mass exploitation.

This is in part due to the economics of IT security wherein criminal attackers out for profit, however, have considerations that the security industry does not always take into account, such as monetisation cost and overall profitability.

According to the report, the security industry currently prioritises threats almost entirely on the basis of technical measures of the risks that they present, while largely failing to capture the economic opportunity that a vulnerability presents to an attacker.

“The result of this new reality is that there have been several vulnerabilities this year that received very high Common Vulnerability Scoring System (CVSS) scores and raised widespread alarm within the security industry,” the report says. “However, they were not widely exploited in the wild. In most cases, these vulnerabilities did not fit well into the current business models of computer criminals.”

While CIOs and CSO shouldn’t ignore less obvious money-spinning risks, more careful consideration of the way that vulnerabilities fit into the business models of criminal organisations will help better prioritise IT protection and patching efforts, the report says.

The report suggests that enterprises should assess individual risks using a quadrant with low to high opportunity on the x axis and high to low monetisation and exploit cost on the y axis. Any risk that falls into the high opportunity and low cost square, such as SQL Injection, is a prime risk.

“If the security industry can learn to recognise vulnerabilities that fit into the top right quadrant of this graph, it can do a better job of determining when emergency patching is most needed in the face of immediate threats, when widespread exploitation of a vulnerability will take a long time to emerge, and when it is unlikely to ever emerge,” the report says.

According to Craig Lawson, senior security consultant, IBM Internet Security Systems, CIOs should ensure they have a vulnerability management program in place consisting of protection, discovery, patching and reporting.

“For example, not many users think to update or patch their Web browser and that's a prime avenue for exploitation at the moment,” he says. “So if every CIO did one thing, upgrade the Web browser and its add-on components to the latest and greatest version of IE/Firefox etc, they would have a significant increase in their security posture.”

Page Break

Lawson also says that CIOs should be mindful that the Web and client are the big attack vectors of the moment and that traditional perimeter and signature based security technology has not, and will not, ever keep up with the overwhelming trend to "Webification" and virtualisation.

“Cybercriminals are essentially looking to monetise -- they’re chasing money,” he says. “They are organised, operate globally and are well-funded and resourced and really don't care about where you are or who you work for or what you do. If there is a way to derive money from your company's assets (a PC/device) or a person (social engineering like phishing) then it will very likely happen if precautions aren’t taken.”

The report’s news for enterprises is mixed. On the one hand, the report finds that corporations with their advanced patching and protection mechanisms may also create more obstacles (higher monetisation costs and lower profitability) for attackers. On the other hand, custom-built software, such as Web applications, remain a highly-profitable and inexpensive target for criminal attackers.

“The sheer number of new vulnerabilities, the majority of which have no available patch, coupled with the hundreds of thousands of custom Web applications that are also vulnerable (but never subject to a vulnerability disclosure, much less a patch), have become the Achilles heel of corporate security,” the report says. “Attackers continue to target Web application vulnerabilities, especially SQL injection, to plant malware on unsuspecting users that visit vulnerable Web sites.”

In 2008, SQL injection jumped 134 percent and replaced cross-site scripting as the predominant type of Web application vulnerability, according to the report.

“Exploitation of Web sites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008,” the report says.

Nearly 55 percent of all vulnerability disclosures in 2008 affect Web applications, while 74 percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of 2008.

“Of all the vulnerabilities disclosed in 2008, only 47 percent can be corrected through vendor patches,” the report says. “Vendors do not always go back to patch previous year’s vulnerabilities. 46 percent of vulnerabilities from 2006 and 44 percent from 2007 were still left with no available patch at the end of 2008.”