In its just-released 2011 Top Cyber Security Risks Report, the world's largest IT vendor notes that the number of vulnerabilities identified in commercial software in 2011 fell by 20% from 2010, continuing a decline that began in 2006. Good news, right? Software is being designed better and is more secure?
Not quite, says Jennifer Lake, security product marketing manager for DVLabs, a unit within HP that does app vulnerability analysis. Fewer vulnerabilities are being discovered because they are harder to discover. "For a security researcher, finding severe vulnerabilities is not actually that easy," she says, explaining that one factor is that there isn’t enough institutional knowledge of the history of vulnerabilities in commercial software that has been patched.
"What you need is someone who has a specialized knowledge of that application, understands the inner workings and has to be able to go in and say that 'I know if I go in through this door and do this one thing, this is what’s going to happen,'" Lake says. "You have to have a specialized knowledge, which takes more time."
What DVLabs does know about the identified vulnerabilities is that they are getting more dangerous. Of the known vulnerabilities, 24% were rated as level 8-to-10 in severity, she notes.
The notion that seeming success in cyber security is actually contradicted by a greater threat is also evident in a Cisco Systems cyber security report from 2011. It found a steep decline in the number of mass spam or phishing attacks by cyber criminals. But it turns out that cyber thieves had not necessarily learned the error of their ways but had instead found a smarter way to steal.
Given that email filters blocked more spam and that users were getting wise to phishing attacks, the criminals switched to spearfishing--targeted attacks in which personal information is used to trick a person into clicking on a link.