27. Zeus Crimeware Service Hosting costs $50 for 3 months. This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit
We also host normal ZeuS clients for $10/month. This includes a fully set up ZeuS panel/configured binary.
Speaker’s notes: We take data from a lot of various disciplines, including the Web filtering database, second only to Google, that provides analysis for more than 9 billion Web sites and images. We also see what kind of intrusion attempts the managed services team sees across its customer base, currently tracking at 150 million per day; we have more than 40 million documented spam attacks and 40,000 documented vulnerabilities from both internal research and external disclosures. This report is unique in that the sources listed above provide varying perspectives on the threat landscape and together provide a cohesive look at the industry based on factual data from the various research functions within the broader X-Force team and databases.
Speaker’s notes: Let’s explore the key findings of the report – all mapped back to the IBM Security Framework. The full X-Force Trend & Threat Report is available for download at: http://www-935.ibm.com/services/us/iss/xforce/trendreports/
6,601 new vulnerabilities in 2009
11% decrease in comparison to 2008
Vulnerability disclosures appear to be reaching a permanently high plateau
Speaker’s notes: One of the things that we did this year was to take a slightly different look at how vulnerabilities are classified and how they are rated by criticality. We’ve noticed that the traditional way to categorize vulnerabilities does not use the same criteria by which a hacker or crime organization might classify the vulnerability. What may appear to rate “high” on a traditional scale may never be exploited because it has too small a target audience or doesn’t provide the appropriate financial payout. The grid on the right hand side of the screen shows the Exploitability Probability Quadrant: the Y axis is the total opportunity size, whereas the X axis shows the cost to exploit the vulnerability. Ideally, the criminal community will look for an exploit that falls in the upper right hand “sweet spot”: a vulnerability that is cheap to exploit, with lots of targets or opportunity, that can result in a high payout.
In the past few reports, X-Force has included several Web application vendors in the top ten vendor list. These Web application platforms reached the top ten list because we included in our totals the vulnerabilities in the base platform as well as vulnerabilities in the plug-ins that operate on that platform. However, many of the plug-ins associated with those Web application platform vulnerabilities were not produced by the vendor themselves. The plug-ins are oftentimes simply hosted on the vendor’s Web sites. Part of the draw of these open-source projects is this diversity of plug-ins that broadens the utility of these platforms. However, these plug-ins fall victim to vulnerabilities like all software, and, without proper accountability, may not receive fixes or patches like software normally supported by commercial or open source vendors.
In the 2008 report, X-Force presented an analysis of operating systems with the most vulnerabilities. These vulnerabilities were counted according to how each vendor reports their platforms through the Common Platform Enumeration (or CPE). Instead of counting vulnerabilities according to the named “platforms” in CPE, here is a slightly different analysis that counts each unique vulnerability reported for a genre of operating systems. For example, this analysis compares all vulnerabilities reported for Microsoft operating systems and compares them to all of the vulnerabilities reported for Apple operating systems in any given year. If a certain vulnerability applies to multiple versions of operating systems in that genre, it is only counted one time. For example, if a certain CVE applies to both Apple Mac OS X and also Apple Mac OS X Server, it is only counted one time for the Apple genre.
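The two counting methods described above (per named CPE platform versus per operating-system genre, with a CVE that spans several of a vendor's platforms counted once) can be made concrete with a small script. This is an added example, not code from the report or from X-Force; the records are constructed for illustration and the CVE ids in them are placeholders, not real identifiers.

```python
from collections import defaultdict

# Constructed sample disclosure records: (CVE id, CPE 2.2 URI).
# The CVE ids are placeholders made up for this example, not real entries.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "cpe:/o:apple:mac_os_x:10.5"),
    ("CVE-0000-0001", "cpe:/o:apple:mac_os_x_server:10.5"),  # same CVE, second platform
    ("CVE-0000-0002", "cpe:/o:apple:mac_os_x:10.6"),
    ("CVE-0000-0003", "cpe:/o:microsoft:windows_xp::sp3"),
    ("CVE-0000-0003", "cpe:/o:microsoft:windows_vista"),
    ("CVE-0000-0003", "cpe:/o:microsoft:windows_server_2008"),
    ("CVE-0000-0004", "cpe:/o:linux:linux_kernel:2.6.31"),
    ("CVE-0000-0005", "cpe:/a:apple:safari:4.0"),            # an application, not an OS
]


def parse_cpe(cpe):
    """Split a CPE 2.2 URI 'cpe:/{part}:{vendor}:{product}[:version...]'
    into (part, vendor, product). part is 'o' for operating systems,
    'a' for applications and 'h' for hardware."""
    fields = cpe.split(":")
    if len(fields) < 4 or fields[0] != "cpe" or not fields[1].startswith("/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    return fields[1][1:], fields[2], fields[3]


def count_by_platform(records):
    """Distinct CVEs per named OS platform ('vendor:product'): the CPE-based
    view used in the 2008 report. A CVE listed against three Windows
    platforms contributes to three separate counts."""
    seen = defaultdict(set)
    for cve, cpe in records:
        part, vendor, product = parse_cpe(cpe)
        if part != "o":          # only operating systems take part in this analysis
            continue
        seen["%s:%s" % (vendor, product)].add(cve)
    return {platform: len(cves) for platform, cves in seen.items()}


def count_by_genre(records):
    """Distinct CVEs per OS vendor genre: a CVE that applies to several of a
    vendor's platforms (Mac OS X and Mac OS X Server, say) is counted once."""
    seen = defaultdict(set)
    for cve, cpe in records:
        part, vendor, _ = parse_cpe(cpe)
        if part != "o":
            continue
        seen[vendor].add(cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}


if __name__ == "__main__":
    print("per platform:", count_by_platform(SAMPLE_RECORDS))
    print("per genre:   ", count_by_genre(SAMPLE_RECORDS))
```

With the sample data the per-platform view credits Apple with three entries (two for Mac OS X, one for Mac OS X Server) while the genre view credits it with two distinct CVEs, which is exactly the double counting the genre analysis is meant to remove.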
Speaker’s notes: This slide breaks down the motivation of an attacker. You can see that “gain access” and “data manipulation” still rank extremely high as motivations for criminal organizations. Gaining access to a system gives an attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from that system. The data manipulation category took a plunge but is still higher than in 2006 and 2007.
This chart shows how X-Force enabled superior security effectiveness in our IPS products. Of the top 61 vulnerabilities in 2009, 35 (57%) were caught ahead of the threat by X-Force. Essentially, this means X-Force identified the vulnerability and provided protection technologies in our products well before the vulnerability was exploited in the wild. The vulnerabilities listed in blue were discovered by X-Force team members.
Although the number of vulnerabilities affecting Web applications has grown at a staggering rate, the growth demonstrated in the first half of 2009 and continuing through the second half may indicate the start of a plateau, at least in standard (off-the-shelf) software applications for the Web. These figures do not include custom-developed Web applications or customized versions of these standard packages, which also introduce vulnerabilities.
Web application platforms represent a special case when it comes to counting vulnerabilities. The utility of these platforms is extended by plug-ins to the base application. These plug-ins may or may not be produced by the Web application vendor themselves, which makes counting vulnerabilities affecting these platforms a bit tricky. In the past few years, several of these platforms have shown up in our top 10 vendor list because we were reporting platform and plug-in vulnerabilities together. This year, we report them separately. Web applications and Web development language platforms that had 20 or more vulnerability reports in 2009 are included in this analysis. The vulnerabilities reported for these platforms make up 8.3 percent of all the disclosures in 2009; 81 percent of these disclosures affect plug-ins and not the base platform. When it comes to providing patches to fix these vulnerabilities, the base platforms for all of these vendors beat the 2009 average for all vendors (52 percent), and far surpass the average for Web application vulnerabilities (67 percent, a better average in comparison to 2008, when about three-fourths of Web application vulnerabilities were left without a patch). When it comes to plug-ins, however, the sweet song sours, and plug-ins for some applications fare worse than others. Eighty percent or more of the vulnerabilities affecting plug-ins for Apache and Joomla!, for example, had no patch.
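The separation described above (base-platform versus plug-in disclosures, and patch coverage for each) is a straightforward aggregation over disclosure records. The script below is an added example and not code from the report; the two platforms, their plug-ins and the patch status of each record are constructed for illustration and do not describe any real product.

```python
# Constructed sample disclosures for two fictional platforms:
# (platform, component, patched). component is "base" for the platform
# itself or "plugin:<name>" for a third-party plug-in hosted on its site.
SAMPLE_DISCLOSURES = [
    ("ExampleCMS",   "base",            True),
    ("ExampleCMS",   "base",            True),
    ("ExampleCMS",   "base",            False),
    ("ExampleCMS",   "plugin:gallery",  False),
    ("ExampleCMS",   "plugin:gallery",  True),
    ("ExampleCMS",   "plugin:forms",    False),
    ("ExampleCMS",   "plugin:forms",    False),
    ("ExampleCMS",   "plugin:calendar", False),
    ("ExampleCMS",   "plugin:calendar", True),
    ("ExampleCMS",   "plugin:shop",     False),
    ("ExampleForum", "base",            True),
    ("ExampleForum", "base",            True),
    ("ExampleForum", "plugin:avatars",  True),
    ("ExampleForum", "plugin:avatars",  True),
    ("ExampleForum", "plugin:search",   True),
]


def component_kind(component):
    """Classify a component string as 'base' or 'plugin'."""
    return "base" if component == "base" else "plugin"


def combined_counts(records):
    """The older method: every disclosure, base or plug-in, is credited to the
    platform vendor. This is what pushed platforms into the top-10 vendor list."""
    counts = {}
    for platform, _, _ in records:
        counts[platform] = counts.get(platform, 0) + 1
    return counts


def patch_coverage(records):
    """Per platform and component kind: total disclosures, how many are
    unpatched, and the unpatched percentage (rounded to one decimal)."""
    tallies = {}
    for platform, component, patched in records:
        kind = component_kind(component)
        entry = tallies.setdefault(platform, {"base": [0, 0], "plugin": [0, 0]})
        entry[kind][0] += 1            # total
        if not patched:
            entry[kind][1] += 1        # unpatched
    result = {}
    for platform, kinds in tallies.items():
        result[platform] = {}
        for kind, (total, unpatched) in kinds.items():
            pct = round(100.0 * unpatched / total, 1) if total else 0.0
            result[platform][kind] = {
                "total": total, "unpatched": unpatched, "pct_unpatched": pct,
            }
    return result


def plugin_share(records):
    """Percent of all disclosures in the set that affect plug-ins rather than
    a base platform (the report's 81 percent figure is this number)."""
    if not records:
        return 0.0
    plugins = sum(1 for _, c, _ in records if component_kind(c) == "plugin")
    return round(100.0 * plugins / len(records), 1)


if __name__ == "__main__":
    print("combined:", combined_counts(SAMPLE_DISCLOSURES))
    print("plug-in share: %.1f%%" % plugin_share(SAMPLE_DISCLOSURES))
    for platform, kinds in patch_coverage(SAMPLE_DISCLOSURES).items():
        for kind, stats in kinds.items():
            print(platform, kind, stats)
```

On the constructed data the combined count makes ExampleCMS look twice as bad as ExampleForum, but splitting the records shows that most of its disclosures, and nearly all of its unpatched ones, sit in plug-ins the vendor did not write, which is the accountability gap the slide points at.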
IBM has collated real-world vulnerability data from 168 security tests conducted over the past three years from the IBM Rational AppScan onDemand Premium service. This service combines application security assessment results obtained from IBM Rational AppScan with manual security testing and verification. In all cases, false positives were removed from the results and the remaining vulnerabilities were categorized into one of the following:
• Cross-Site Request Forgery
• Cross-Site Scripting
• Error Message Information Leak
• Improper Access Control
• Improper Application Deployment
• Improper Use of SSL
• Inadequate / Poor Input Control
• Information Disclosure
• Insufficient Web Server Configuration
• Non Standard Encryption
• SQL Injection
Proventia Network Intrusion Prevention System: http://www.ibm.com/software/tivoli/products/security-network-intrusion-prevention/
Proventia Virtualized Network Security Platform: http://www.ibm.com/software/tivoli/products/virtualized-network-security/
Proventia Network Security Controller: http://www.ibm.com/software/tivoli/products/network-security-controller/
Network Intrusion Prevention for Crossbeam: http://www.ibm.com/software/tivoli/products/network-intrusion-prevention-crossbeam/index.html
Proventia® Network Active Bypass: http://www.ibm.com/software/tivoli/products/network-active-bypass/
Security Server Protection: http://www.ibm.com/software/tivoli/products/security-server-protection/index.html
Proventia Desktop Endpoint Security: http://www.ibm.com/software/tivoli/products/desktop-endpoint-security/
Proventia Network Multi-Function Security: http://www.ibm.com/software/tivoli/products/network-multifunction-security/
Virtual Server Protection for VMware: http://www.ibm.com/software/tivoli/products/virtual-server-protection/
Proventia Network Enterprise Scanner: http://www.ibm.com/software/tivoli/products/network-enterprise-scanner/
IBM Security Content Analysis Software Development Kit (SDK): http://www.ibm.com/software/tivoli/products/security-content-analysis-sdk/
IBM Managed Protection Services for IPS: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1026962
IBM Rational AppScan: http://www-01.ibm.com/software/awdtools/appscan/
IBM Rational AppScan Enterprise: http://www-01.ibm.com/software/awdtools/appscan/
IBM Proventia Network Mail: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027071
Lotus Protector: http://www-01.ibm.com/software/lotus/products/protector/mailsecurity/index.html
Tivoli Security Information and Event Manager: http://www-01.ibm.com/software/tivoli/products/security-info-event-mgr/
Tivoli Security Policy Manager: http://www-01.ibm.com/software/tivoli/products/security-policy-mgr/
IBM Secure Web Gateway Service: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1031933
Proventia SiteProtector: http://www.ibm.com/software/tivoli/products/siteprotector-system/