Posts Tagged ‘X-Force’

The bi-annual IBM X-Force Trend and Risk Report was recently released and, as always, there are some interesting insights …

First of all, in case you aren’t familiar, the IBM X-Force team is a group of security researchers who “study and monitor the latest threat trends including vulnerabilities, exploits and active attacks, viruses and other malware, spam, phishing, and malicious web content.”

They have at their disposal an enormous base of empirical data gleaned from the more than 3,700 client networks managed, which generate roughly 13 billion (with a “b”) events per day across 133 countries. In addition, this group also maintains a database of 17 billion web pages and images, 40 million spam and phishing attacks and 80 thousand documented vulnerabilities. In other words, way more than enough data to identify meaningful trends which can be generalized to apply across industries and international borders.

So, what did they find? Lots of things, of course, but some that I found interesting were:

  • Publicly disclosed vulnerabilities increased by 14% over the previous year, to 8,168
  • Cross-site scripting accounted for over half of the total web app vulnerabilities disclosed in 2012 — the highest rate seen in X-Force’s history
  • Java has become a favorite hacker target, in part due to its cross-platform nature: a single exploit can be developed that would compromise Windows (all versions), Mac OS and Linux, for instance, essentially leveling the playing field for the bad guys and removing the (false) sense of security that some have enjoyed because of their choice of operating system
  • Botnet command and control operators have become more resilient over the past several years, as taking down these infrastructures has had progressively less and less effect

Then there’s this provocative prediction that mobile computing will actually become increasingly secure, eventually surpassing that of traditional desktop/laptop devices. That’s a statement you may want to noodle on a bit to see whether you agree or disagree, but before you decide either way, take a look at the report to see the rationale behind this unconventional assertion.

The report is available at or In addition, you might want to listen in on a podcast hosted by IBM’s Caleb Barlow discussing some of the findings, which can be found at his blog at


IBM’s X-Force researchers have released their 2011 year end Trend and Risk Report and there’s good news and bad news for those of us trying to defend the castle, so to speak. First the good …

  • spam is down compared to last year (although you wouldn’t know it from my inbox),
  • software vendors are doing a better job of patching their products in a more timely manner,
  • and cross-site scripting vulnerabilities, one of the long-standing threats to web server security, are down (but not out, I might add).

But don’t pop the corks just yet …

  • attacks focused on mobile devices (i.e. smart phones, tablets, etc.) are on the uptick,
  • and so are automated password guessing and phishing attacks.

Also, bear in mind that some of these statistics are cyclical in nature, with a down year typically preceding an increase in the following year.

All in all, though, some great info to have at your disposal and to factor into the way your organization views IT risk.

For more info including access to the free report and an overview video go to