IT Security Making Strides, But Don't Let Your Guard Down

The good news out of IBM’s annual “X-Force” report, which covers enterprise security, is that companies are really starting to tighten up their operations to lock down sensitive data and keep out online intruders. Of course, attackers, like cockroaches, are quickly adapting and figuring out new ways to crawl under the walls.

The report revealed a 50-percent decline in spam email in 2011 when compared to 2010 and more diligent patching of security vulnerabilities by software vendors, with only 36 percent of software vulnerabilities remaining unpatched in 2011 compared to 43 percent in 2010. There's also reportedly higher quality of software application code—as seen in web-application vulnerabilities called cross-site scripting—half as likely to exist in clients’ software as they were four years ago.

The IBM X-Force 2011 Trend and Risk Report is based on research regarding public vulnerability disclosure findings from more than 4,000 companies, as well as IBM's monitoring and analysis of an average of 13 billion events daily in 2011.

The report uncovers a rise in emerging attack trends including mobile exploits, automated password guessing and a surge in phishing attacks. An increase in automated shell command injection attacks against web servers may be a response to successful efforts to close off other kinds of web application vulnerabilities.

New technologies such as mobile and cloud computing continue to create challenges for enterprise security, as found by the IBM researchers:

“Bring your Own Device” in the enterprise: IBM X-Force reported a 19-percent increase over the prior year in the number of exploits publicly released that can be used to target mobile devices. “There are many mobile devices in consumers' hands that have unpatched vulnerabilities to publicly released exploits, creating an opportunity for attackers. IT managers should be prepared to address this growing risk.”

Social media in the enterprise: IBM X-Force observed a surge in phishing emails impersonating social media sites. More sophisticated attackers have also taken notice. “The amount of information people are offering in social networks about their personal and professional lives has begun to play a role in pre-attack intelligence gathering for the infiltration of public and private sector computing networks.”

Cloud computing in the enterprise: “IT security staff should carefully consider which workloads are sent to third-party cloud providers and what should be kept in-house due to the sensitivity of data. “Careful consideration should be given to ownership, access management, governance and termination when crafting service-level agreements. The IBM X-Force report encourages cloud customers to take a lifecycle view of the cloud deployment and fully consider the impact to their overall information security posture.”

Bear in mind that while the IBM report addresses these areas as opening up enterprises to outside threats, inside threats may be even more pervasive. Even private cloud, which appears safer in terms of data security, may open up access to sensitive data to unauthorized parties within the walls of enterprises.

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

For reprint and licensing requests for this article, click here.
Analytics Policy adminstration Data and information management
MORE FROM DIGITAL INSURANCE