IBM: Websites are 'Achilles' heel' of business security
By the end of 2008, more than half of all vulnerabilities disclosed during the year had no vendor-supplied patch.
Businesses are unwittingly becoming the biggest threat to their own customers, as criminals use legitimate websites as a launching pad against consumers.
This is according to IBM, which called websites the "Achilles' heel" for corporate IT security thanks to attackers focusing on web applications to infect end-user machines. Corporations were also making it worse by using "off-the-shelf" web applications which carried vulnerabilities.
In the Annual IBM X-Force Report, Big Blue said that more than half of all vulnerabilities were related to web applications, and of these, more than 74 per cent had no patch. By the end of 2008, 53 per cent of all vulnerabilities had no vendor-approved patch.
These unpatched vulnerabilities meant that the large-scale SQL injection attacks which emerged in early 2008 were able to keep growing throughout the year.
By the end of 2008 the volume of SQL injection attacks had jumped to 30 times the number of attacks seen in the summer.
"The purpose of these automated attacks is to deceive and redirect web surfers to web browser exploit toolkits," said Kris Lamb, of X-Force Research and Development, in a statement.
"This is one of the oldest forms of mass attack still in existence today. It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed."
He added: "Cybercriminals target businesses because they provide an easy target to launch attacks against anyone that visits the web."
IBM also said that the security industry needed to realise that cybercriminals were motivated by money, and to take full account of how attackers weigh the economic opportunity a vulnerability offers against the cost of exploiting it.
Lamb said: "If the security industry can better understand the motivations of computer criminals, it can do a better job of determining when emergency patching is most needed in the face of immediate threats."