05/11/2012 05:58 EDT | Updated 07/11/2012 05:12 EDT

Severity of software security risks rising

The total number of security flaws in software applications that hackers can use to their advantage has dropped in recent years, but the number of vulnerabilities considered "high risk" has increased as both criminals and researchers race to find weaknesses, a new report says.

The HP 2012 Cyber Security Report defines these high-risk vulnerabilities as holes in software that allow hackers to take unfettered control of a computer or server over the internet. It adds that finding these security holes has become a lucrative business for hackers, as well as for security companies working to keep their customers' computers safe.

Patrick Hill, product line manager of DV Labs and HP enterprise security products, discussed the study on Tuesday at Toronto's SC Congress Canada, an exposition for security professionals. He said that of all known security vulnerabilities discovered in 2011, 24 per cent of them were considered high risk, up from seven per cent in 2006.

Hill said that 2011 was a banner year for cybercrime, with the emergence of "hacktivists" — namely Anonymous and LulzSec. There were also several high-profile hacking incidents, including the compromise of the personal accounts of 77 million members of Sony's PlayStation Network, and an attack on the Nasdaq stock market.

Some commercial applications are more susceptible than others, but among the most vulnerable is Adobe’s Shockwave application, which took the No. 1 spot in the HP report, followed by Apple’s QuickTime.

Growing market for law-abiding hackers

Hill said the information on security problems is so valuable that there’s a growing market for selling the data back to companies so the issues can be fixed. He said information about security vulnerabilities can help “inform security professionals about what's going on in the landscape” and show them ways to protect themselves against future attacks.

Google, for example, recently offered as much as $20,000 to researchers who find new ways to hack its web services.

After the holes are found by law-abiding researchers, a company is typically given six months to develop a patch before the problem is disclosed to the public.

The person who discovered the flaw is acknowledged. Researchers tend not to make the details of their discoveries public immediately because the information can be used by hackers.

There's also a black market where hackers can buy information about new security holes to use against targets.

Hacking is becoming easier, Hill said. This is due in part to the popularity of exploit tool kits, which “are basically the shrink-wrapped package that hackers use to get in the game.”

Hill said there are many facets to a modern-day attack, and the kits make attacks easier to launch. The kits can fetch around $1,300 each, and can allow novice hackers to initiate sophisticated attacks.

Security measures

Hill offered three solutions that can help people protect themselves or their business.

The first is updating to the latest versions of any software they use. Security holes are often fixed once they're known to developers, but people have to apply the updates.

“It’s not always easy [to keep software up to date] because you have dozens of applications, you’ve got hundreds of servers, along with plug-ins, add-ons, and pop-up ads,” Hill said.

The second suggestion is to apply an “umbrella patch” to your network. Hill said this provides an added layer of protection, especially for a company that runs its own applications.

The hardest solution, yet the most effective, is to “block access to known bad actors,” Hill said. That means if you can locate the source of an attempted attack, you can block the intruder from accessing your site in the future.

Legal action

Canada has proposed legislation to deal with cybercrime in Bill C-30, but as of now there are no laws that specifically mention cyber criminals.

Avner Levin, the director of the Privacy and Cyber Crime Institute at Ryerson University, said it’s difficult for policy makers because the issue of cybercrime is hard to pin down. They would rather tackle something that’s easier to identify.

"There is more and more talk about cyberwar, and less and less talk of cybercrime, because cybercrime is a lot more amorphous," he said.

“Cyberwar is easy, you’ve got the good guys and you’ve got the bad guys, you’ve got the countries and you’ve got the terrorists,” Levin said, adding, “It’s very easy to sort of shape it, explain it to the public, and appear to come up with some kind of strategy.”

He said the security data collected by HP and other companies is inconsistent, and because it’s only collected from the private sector, “You can’t really tell them what to do.”

“If the data was more consistent, I think policy makers would have a clear picture … but nobody has that kind of a clear picture. It's very confusing, so [policy makers] don’t do it.”