Attacks and Clouds

IBM Corp. released its update to its yearly security trend and risk report, accounting that while security attacks are becoming more sophisticated, the vulnerabilities targeted remain largely the same. Elsewhere, a newly released survey by a data center management association finds that cloud computing adoption is on most data centers' hot lists for 2011 and beyond. Lastly, a recent security attack has exposed customers' names and e-mail addresses for some of the top institutions.

Focal Points:

• IBM released its annual X-Force 2010 Trend and Risk Report this week, detailing the computing-related security risks faced by public and private organizations worldwide last year. IBM gathered the data using intelligence sources, a global Web crawler, real-time monitoring for nearly 4,000 clients in 130 countries, and its large vulnerability database to monitor more than 150,000 events per second. Rising 27 percent from 2009, the company identified more than 8,000 new vulnerabilities but noted that spam had growth flattened by the end of the year. Fewer phishing attacks were reported, though more targeted "spear phishing" became more prominent in usage as targeted e-mails with malicious attachments and/or links grew. Not surprisingly, Web applications vulnerabilities, led by cross site scripting and SQL injection issues, numbered nearly half of all vulnerabilities during the year. Additionally, almost half of all vulnerabilities remain unpatched. Stuxnet ranked as one of the most notable of the year's attacks, demonstrating that specialized exploits for complex, proprietary control systems was possible.
• A new survey by AFCOM, an association for data center management professionals, found that 70 percent of the 358 data center managers surveyed have or are seriously considering adopting cloud computing technologies. Their 2010 survey found that only 14.9 percent of surveyed managers had clouds implemented, while the responses to the 2011 survey indicated that more-than-double growth rate to 36.6 percent. Additionally, 35.1 percent of respondents were seriously considering moving to the cloud. Other notable findings included that data center expansion is on the rise as 44.2 percent of participants have more floor space than three years ago and another 49.4 percent are planning to build or acquire more room. Data backup and recovery plans were not in place at more than 15 percent of respondents' data centers and a whopping 50 percent lack strategies to replace equipment damaged by a disaster.
• Epsilon Data Management, LLC., a permission-based e-mail marketer and unit of Alliance Data Systems Corp., announced a breach of its customer files used to send e-mail marketing campaigns to customers banking institutions and retailers. Customer names and e-mails were exposed when an attack allowed entry into Epsilon's e-mail system, which is used to send more than 40 billion e-mails annually. The company handles online marketing and outreach for customers including Citigroup, Inc., L.L. Bean., JPMorgan Chase Bank, NA, Marriott International Corp., and other big brands. The attack was detected on March 30, and is claimed to only affect "a subset' of clients' databases and that financial information was not leaked.

Experton Group believes security vulnerabilities and exploits should remain atop IT executives' list of concerns as attacks become more automated and pervasive. IBM's X-Force 2010 Trend and Risk Report demonstrates that the majority of attacks are Web and e-mail related, and that a majority of the holes found remain unpatched. This suggests that security policies and procedures at enterprises are secondary to ongoing operations and that many administrators are failing to maintain what should be the minimum in security upkeep. While attacks are getting more sophisticated, the majority of the vulnerabilities referenced could be easily plugged with patching and regular maintenance. These problems will exacerbate as cloud computing continues to flourish exponentially. Companies that flock to outsourcers in droves to solve problems – security or otherwise – will be sorely disappointed despite whatever best practices, service level agreements (SLAs), and other promises for improvement are bandied about without first getting their own homes in order. Cloud computing strategies aim to optimize computing efficiencies and leverage applications irrespective of their geo-location; however, complex systems and architectures are breeding grounds for complex security and integration problems. As with all large problems, sound planning and holistic views of processes and problems are required to minimize risk and maximize return. The Epsilon data breach, one of the largest recorded, should serve as a reminder and call-to-action for IT executives to revisit security policies and enforcement across the enterprise. No panacea exists to replace rigorous and repeated revisiting, updating, enforcement, and additions to a centralized set of security rules governed using strong applications and repeated testing.