CIO and CSO should take a follow the money approach to security: IBM X-Force

IBM X-Force report finds Web sites and Web applications were major vulnerability for enterprises in 2008

Lawson also says that CIOs should be mindful that the Web and the client are the big attack vectors of the moment, and that traditional perimeter- and signature-based security technology has not kept up, and never will keep up, with the overwhelming trend towards "Webification" and virtualisation.

“Cybercriminals are essentially looking to monetise -- they’re chasing money,” he says. “They are organised, operate globally and are well-funded and resourced and really don't care about where you are or who you work for or what you do. If there is a way to derive money from your company's assets (a PC/device) or a person (social engineering like phishing) then it will very likely happen if precautions aren’t taken.”

The report’s news for enterprises is mixed. On the one hand, the report finds that corporations, with their advanced patching and protection mechanisms, may also create more obstacles (higher monetisation costs and lower profitability) for attackers. On the other hand, custom-built software, such as Web applications, remains a highly profitable and inexpensive target for criminal attackers.

“The sheer number of new vulnerabilities, the majority of which have no available patch, coupled with the hundreds of thousands of custom Web applications that are also vulnerable (but never subject to a vulnerability disclosure, much less a patch), have become the Achilles heel of corporate security,” the report says. “Attackers continue to target Web application vulnerabilities, especially SQL injection, to plant malware on unsuspecting users that visit vulnerable Web sites.”

In 2008, SQL injection jumped 134 percent and replaced cross-site scripting as the predominant type of Web application vulnerability, according to the report.

“Exploitation of Web sites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008,” the report says.
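The SQL injection the report describes comes down to untrusted input being spliced into query text. The following added example (not from the X-Force report or the article) puts the vulnerable pattern beside the parameterised fix, using an in-memory SQLite table with constructed sample rows; the table, column names and the `lookup_*` functions are assumptions made for illustration only.

```python
import sqlite3

# Constructed sample data (not from the report): a product catalogue where
# only "public" rows should ever be returned to a Web visitor.
SAMPLE_PRODUCTS = [
    (1, "widget", "public"),
    (2, "gadget", "public"),
    (3, "internal-tool", "restricted"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: the request parameter is formatted into the SQL text.

    Whatever the visitor supplies becomes part of the statement, so a quote in
    the input terminates the string literal and the remainder is parsed as SQL.
    The 'visibility' filter can therefore be commented out by the input itself.
    """
    sql = (
        "SELECT id, name FROM products "
        "WHERE name = '%s' AND visibility = 'public'" % name
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the statement is fixed and the value is bound separately.

    The driver never interprets the bound value as SQL, so the same input is
    compared literally against the name column and the visibility filter stays.
    """
    sql = "SELECT id, name FROM products WHERE name = ? AND visibility = 'public'"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return the two result sets."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, name),
            "parameterized": lookup_parameterized(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign lookup behaves the same either way.
    print(compare("widget"))
    # A tautology with a trailing comment strips the visibility filter from the
    # concatenated query but is just an unmatched name for the bound query.
    print(compare("x' OR 1=1 --"))
```

The point for a defender is the asymmetry in the second call: the concatenated query returns every row, including the restricted one, while the bound query returns nothing, because the filter was never part of the data. The same binding discipline applies to every database driver and ORM; the SQLite module is used here only because it ships with Python and runs offline.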

Nearly 55 percent of all vulnerability disclosures in 2008 affected Web applications, while 74 percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of 2008.

“Of all the vulnerabilities disclosed in 2008, only 47 percent can be corrected through vendor patches,” the report says. “Vendors do not always go back to patch previous year’s vulnerabilities. 46 percent of vulnerabilities from 2006 and 44 percent from 2007 were still left with no available patch at the end of 2008.”
