Today we announced the IBM X-Force Trend & Risk report for the year end 2011.  While some positive trends and improvements have emerged, attacker’s methods continue to adapt. 

This is the first report under the new IBM Security division. As such, we are pooling together data and intelligence from many of the IBM Security organizations like Q1 Labs, IBM AppScan OnDemand services, GTS Emergency Response Services, Identity and Access Management solutions, Cloud Strategy, CIO’s office,   Infosphere Guardium, Managed Security Services and the X-Force Research and Development team.

2011 was a landmark year for IT security.  If you remember, at the mid-year reporting we began discussing the frequent reports of data leaks, DoS attacks, and social Hacktivism.  These daily headline incidents were so pervasive in both frequency and scope, that IBM X-Force declared 2011 the “year of the security breach”.  Things didn’t change much by year end. The frequency and scope of incidents persisted, and enterprises around the world continue to face tremendous challenges running their businesses and protecting their assets in an increasingly connected world.

But as this report’s data shows, a somewhat contradictory course is unfolding, just as attackers are coming on full force in 2011, so too have the improvements in computer security in 2011 as companies have begun embracing better practices.

Here are highlights on some of those improvements:

Thirty percent decline in the availability of exploit code

When security vulnerabilities are disclosed, exploit code is sometimes released that attackers can download and use to break into computers. Fortunately, 2011 saw approximately 30% fewer exploits released than were seen on average over the past 4 years.  This improvement is attributable to architectural and procedural changes made by software developers that make it more difficult for attackers to successfully exploit vulnerabilities.

Improvement in the patching of security vulnerabilities

When security vulnerabilities are publicly disclosed it is important that the responsible software vendor provide a patch or fix in a timely fashion. Some security vulnerabilities are never patched, but the percentage of unpatched vulnerabilities has been decreasing steadily over the past few years. In 2011 this number was down to 36 percent from 43 percent last year.


Decline in spam – IBM’s global spam email monitoring network has seen about half the volume of spam email in 2011 that was seen in 2010. Some of this decline can be attributed to the take-down of several large spam botnets, which hindered spammers’ ability to send emails. X-Force has been observing spam’s evolution through several generations over the past seven years as spam filtering technology has improved, and spammers have adapted their techniques in order to successfully reach targets.

 50% reduction in cross site scripting (XSS) vulnerabilities due to Improvements in software quality

IBM saw significant improvements in the quality of software produced by organizations who use IBM AppScan OnDemand service to analyze, find, and fix vulnerabilities in their code. IBM found Cross SiteScripting (XSS) vulnerabilities are half as likely to exist in customer's software as they were four years ago. However, XSS vulnerabilities continue to appear in about 40 percent of the applications IBM scans. (This is still high for something well understood and able to be addressed.)

So with all the good news this year for improvements with computer security, how has it been a landmark year?

Unfortunately, sophisticated attackers began adapting their techniques in response to these improvements.

We have observed that SQL injection continues to be a choice point of entry for attackers. Automated SQL injection attacks like LizaMoon are successfully scanning the Internet and exploiting vulnerable hosts. These SQL injection attacks have been common for a long time and still persist today.


X-Force witnessed several new attack trends towards the end of 2011 including 2 to 3 times more Shell Command Injection attack activity than was seen earlier in the year. Shell Command Injection vulnerabilities allow attackers to execute command-line instructions to gain control of a web server. With complete control over the content of the website, attackers then have the ability to modify the site so that visitors are redirected to exploits that install malware on their machines. Or, attackers can use the compromised web servers to act as a jump pad from which they can further target other systems and networks.

By the end of 2011 X-Force also noticed large spikes in SSH (Secure Shell) password cracking activity.

Around the mid-year point, we began to see the emergence of phishing-like emails that link to websites which do not necessarily perform a phishing attack. Rather, these emails use the good name of a well-known brand and attempt to get the readers to click on a link that may be Malware, or it may direct the reader to an otherwise innocuous site such as a retail website.  One possible explanation for this later type of email might be click-fraud, where the Spammer’s goal is to simply drive traffic in exchange for advertising fees. Regardless of purpose, this nuisance contributed to a large increase in phishing-like emails in the last months of the year.  Emerging Technologies Create New Avenues for Attacks

New technologies such as mobile and cloud computing continue to create challenges for enterprise security.


X-Force reported a 19 percent increase in the number of exploits publicly released that can be used to target mobile devices. There are many mobile devices in consumers hands that have unpatched vulnerabilities with publicly released exploits, creating an opportunity that attackers are increasingly taking advantage of.  IT managers must be prepared to address this growing risk.

A few other areas of the report that are worth checking out:

  • Social media is no longer a fringe pastime - With the widespread adoption of social media platforms and social technologies, this area has become a target of criminal activity. X-Force observed a surge in phishing emails impersonating social media sites. Most sophisticated attackers have also taken notice. The amount of information people are offering in social networks about their personal and professional lives has begun to play a role in pre-attack intelligence gathering for the infiltration of public and private sector computing networks.
  • Cloud computing presents new challenges - Cloud computing is moving rapidly from emerging to mainstream technology and rapid growth is anticipated through the end of 2013.  In 2011, there were many high profile cloud breaches, affecting well-known organizations and large populations of their customers.  IT security staff should carefully consider what workloads they should send to third party cloud providers and what should be kept in-house due to sensitivity of data.  Cloud security requires foresight on the part of the customer, as well as flexibility, skills, and willingness to negotiate on the part of the cloud provider.

 We encourage readers to not only check out the highlights listed here, but read the full report for contributions from our colleagues.

To view the full X-Force 2011 Trend and Risk Report and to watch the video please visit