Decrease for the first time in years

Feb 12, 2008 18:36 GMT  ·  By

There's some good news and some bad news, according to the annual X-Force report released by Internet Security Systems, a part of IBM Corp. The good news is that fewer security flaws were recorded in 2007, only 6,437, compared to the previous year, a decrease of 5.4 percent. The bad news is that web security overall hasn't improved. That just means that the same attacks have been going through fewer holes, at a higher rate.

Of course, the emergence of a black market that will pay hackers up to $100,000 to find such security flaws, just so the buyers get the first chance to exploit them, as The Associated Press reports, is not a very soothing thought. It did lead to fewer minor vulnerabilities being discovered (everybody must have gone for the big bone that brought home the big money), and that might be the reason for the missing percentages.

Chris Rouland, ISS's chief technology officer, thought that "it is profitable not to (publicly) report a vulnerability," according to the cited source. The train of thought is that security companies are buying information on the flaws in their own products, so that they can patch them without anyone ever taking notice. Moral aspects aside, that's a pretty good technique for keeping a spotless reputation.

That's not all the bad news there is. ISS's report also found that critical security holes jumped 28 percent in 2007, or at least the discovered ones did. This must also be an effect of the black market I mentioned earlier, as these would be the proverbial bone in the example.

The best example of such a security flaw is the recent case of the French bank Societe Generale, which lost some $7 billion after a rogue employee made unauthorized trades, exploiting only a couple of vulnerabilities. Ouch!