The consequences of not having up-to-date security are laid out in the latest IBM X-Force security report. According to the report's findings, hackers have become even more expert at compromising corporate websites, web application vulnerabilities are at an all-time high and there are twice as many malicious URLs as were found in 2007.
IBM New Zealand security expert John Martin says he is beginning to see statistics that indicate these problems are happening locally. “The reason I say that is because we're seeing more of a profile from the spread of worms across the world that we monitor.”
Web application vulnerabilities are affecting all countries because of the move to Web 2.0 applications, says Martin. “At the end of 2008 we reported on the move away from traditional operating systems to making the browser the new OS. That's where the richness of the communications is happening in social networking sites such as Facebook. You can see that cyber-crime motivators are following the mood and they notice where there is money to be made from exploits.”
He says a classic mistake is that no one checks input validation. “These are classic programming errors and some of the issues are 20 years old. The problem is a question of good practice and, of course, this costs money.”
Martin says another problem is that web applications are using what are called generators. “This software development automatically creates the code but what these generators need is a good security model built into them. Security is sometimes seen as an afterthought, but we’ve been advocating for 30 years that security and good design should be going hand in hand.”
User indifference is also causing problems, according to Martin. “The classic issues we keep seeing are people turning automatic updates off or not patching the system on a timely basis, even though Microsoft warned them months ago. Patching cycles at large corporations can traditionally be very slow and if they're not patching consistently in a risk-based type approach then it bites the organisation quicker than they expected.”
And companies that use Mac computers are no longer safe, says Martin. The report found Mac OS X had one of the highest levels of known vulnerabilities with a score of 14.3 percent. Windows XP only scored 5.5 percent. “We’ve seen that over the last 12 months. Traditionally OS X was a safe bet because it sat on a Unix platform. But this platform can now be compromised because it has such a big user base.”
He warns that although people are trying to reduce costs, security should not be cut back. “Companies think they don’t need to patch this or apply these expensive solutions, but ... security is related to the health of the business these days.”
Martin’s advice is to protect intellectual property by leading with pre-emptive security. “Reactive [security] is quite expensive these days because the costs of recovery may mean an organisation goes into liquidation. It’s really down to taking more proactive steps by ensuring all systems are up-to-date and taking the right precautions.”