Report: Businesses Failing to Protect Site Visitors From Malware Threats

Poorly secured corporate Web sites are becoming a top cybersecurity threat as companies are increasingly putting their own clients at risk, according to the latest IBM X-Force Trend and Risk Report, released on Monday.

This growing online threat to consumers is the result of two trends:

• one, the longstanding problem of commercial software and even custom-built applications that come riddled with bugs and vulnerabilities; and
• two, the increasing number of malware distributors who use legitimate business sites as launch pads for their activities — usually through large-scale, automated SQL injection attacks that typically redirect visitors of legitimate sites to Web browser exploit toolkits. Attackers are refining these techniques for maximum impact: IBM X-Force noted that they are incorporating new types of exploits that link to malware-infected movies and documents.

10 Years and Counting

Businesses can mount better responses to these types of attacks than they have so far, according to the report. IBM noted that SQL injection attacks are the oldest form of mass attack. They’ve been around for a decade — but companies are still doing a poor job of patching systems to thwart them. More than half of all vulnerabilities disclosed last year were related to Web applications, more than 74 percent of which had no patch, the report notes. Worse, 46 percent of vulnerabilities identified in 2006 and 44 percent found in 2007 still had no available patches by the end of 2008.

Companies have little time to waste, suggests the report, as the number of such attacks is clearly growing. In the fourth quarter of 2008, IBM X-Force found the number of malicious URLs hosting exploits had increased by more than 50 percent over the number for all of 2007.

Spammers are also targeting “trusted” Web sites by adding spam messages to the comments on blogs and news Web sites. Such activity more than doubled in the second half of this year, according to X-Force.

What’s Their Motivation?

Companies ought to make responses to vulnerability disclosures a higher priority, recommends X-Force. Currently, prioritizing is done through the industry-standard Common Vulnerability Scoring System, which focuses on the technical aspects of a vulnerability, such as severity and ease-of-exploitation.

This system, however, does not balance the economic opportunity of a vulnerability against the costs of exploitation. Such an analysis could allow a company to better determine which patches should be developed first.

It would be a difficult measurement to capture, though, X-Force Response Manager Holly Steward told the E-Commerce Times. “It is difficult to quantify, and the metric would change over time. But there is a big value in taking a qualitative approach to threat assessment along withthe quantitative approach.”

Testing, Prioritizing

There are other, more rudimentary, steps companies need to take first — steps members of the cybersecurity community are happy to outline. For starters, testing both commercial off-the-shelf applications and anything that has been custom-built is essential, Mandeep Khera, chief marketing officer of Cenzic, told the E-Commerce Times.

Companies also need to dedicate more resources to solving this problem, he added. “Right now, they don’t have the necessary expertise and budgets to win this fight.”

New thinking about online security is called for, Ryan Berg, cofounder and chief scientist for Ounce Labs, told theE-Commerce Times.

“Today’s application security needs to focus more on the [application itself] — rather than building a wall around it using perimeter techniques and then adding the many doors and windows necessary for the application to function,” said Berg.

Protect the Data

Too many companies assume their Web sites are safe because they have a firewall deployed, observed Phil Neray, database expert and VP of strategy at Guardium.

“Companies need to move beyond the perimeter network security model of relying on firewalls and move to newer security technology that allows them to monitor in real time who is accessing their Web site,” he told the E-Commerce Times.

Companies should also implement data-specific security policies, Mark Bower, director of information protection solutions at Voltage, told the E-Commerce Times.

“Instead of worrying about how to patch the holes that hackers will find a way around tomorrow, we should be focusing on protecting the data,” he said. “So if it’s stolen, hacked or otherwise abused, the bad guys cannot use it. If the data is encrypted at the point of capture and persistently protected every place that data travels, then even if a hacker gains access to an enterprise system, no actual data can be stolen.”

Employee Education

Finally, companies should drill their own employees on standard safety procedures, Rohyt Belani, CEO of the Intrepidus Group, told the E-Commerce Times.

“This is crucial to ensure that employees are not duped through targeted phishing scams in providing hackers a foothold in the corporate network, which can then be used to further expand influenceand gain unauthorized access to sensitive client data. This is common modus operandi for attackers these days.”

He pointed to Salesforce.com, which was compromised a year and a half ago in that manner.

“An employee of theirs fell prey to a targeted phishing e-mail that was not caught by their antiphishing filters, as is often the case,” Belani recalled. “As a result, the attacker was able to gain access to Salesforce’s internal resources — using the foothold gained by compromising the employee’s credentials — and obtain sensitive client data.”