Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly

Applications & Identities Initial Targets in 86% of Breaches: Report

The startling numbers of breached data are sobering: 11.8 billion records compromised in 337 of 433 incidents examined by F5 researchers. They include 10.3 billion usernames, passwords, and email accounts.

F5 Labs recently examined 433 data breach incidents to better understand attack paths from the initial attack to the root cause of the breach. Specifically, we looked at breaches where there was a known attack type, root cause, data type and count of records breached, or cost of the breach. Not all of the cases included every one of these elements, but there was enough compelling data in total to conclude that 86% of the breach cases started with an application or identity attack.

The report totaled breach records by type, and the results are sobering:

  • 11.8 billion records were compromised in just 337 cases;
  • 10.3 billion usernames, passwords, and email accounts were breached, which is equivalent to 1.36 records per person on the planet, or 32 records per US citizen;
  • 280 million social security numbers (SSNs) were breached, which is equal to 86.5% of the US population.

The startling counts of breached records in the "Lessons Learned from a Decade of Data Breaches" report start to make sense when you consider that over half of the world’s population today is online and applications are the new storefronts of businesses. In a lot of cases, applications are the business.

Applications are also the gateway to data which has immense value to attackers. The concern over the safety of applications and data is borne out in a separate report by F5 and Ponemon, "The Evolving Role of CISOs and their Importance to the Business," in which respondents were asked to rank their top threats. On a scale of 1 (minimal impact) to 10 (significant impact), respondents ranked both "insecure applications" and "data exfiltration" at 8.2.

Exploiting Applications Directly
Applications were the initial target of attack in the majority of breaches at 53%. Those attacks exploited the systems by targeting web application vulnerabilities with primarily injection attacks. These two commonly breached application vulnerabilities represent low hanging fruit for attackers.

  • Forum software is a favorite target for injection attacks because they consume user content that, if not sanitized properly, could be a crafty little malicious script that injects a PHP backdoor.
  • SQL injection, a critical vulnerability that enables an attacker to inject SQL queries and execute administrative operations on the backend database, shouldn’t require explanation because it’s been around for decades. These vulnerabilities are extremely easy for anyone (an attacker, or the company’s security team) to find—and for attackers to exploit.

User Identity Attacks
When the development and security teams have done a good job securing an application, it’s much easier for attackers to obtain data through users who have access to the application and the data within.

In the cases we researched, identities were the initial attack target in 33% of the breaches. Most of these attacks were attributed to phishing; it turns out tricking a user into giving up their credentials is remarkably easy, despite security awareness training efforts. Thanks to social media and consumers’ eagerness to share every aspect of their personal lives, phishing attacks will remain highly effective for the foreseeable future.

Unfortunately, phishing has no boundaries, ranging from executives, to receptionists and system administrators. Our breach trends report states that more data is collected by attackers through phishing attacks than any other attack type.

Identifying Common Attack Vectors
Security teams are constantly struggling to keep up. Leverage the research available and prioritize your security initiatives. If 86% of breaches start with identities and applications, then managing application vulnerabilities and limiting the impact of exploited identities should be your highest priority. It’s encouraging to see that many organizations are at least moving in the right direction by steadily increasing their investment in application protection. The CISOs we surveyed report spending 12% on app protection two years ago but that figure has increased to 17% today and is expected to rise to 29% two years from now.

Here are two tactics to stop your cyber attackers: 

Deploy a web application firewall (WAF). There are decent, free WAFs (in software form) that you can deploy in listen-only mode. Once you’ve logged and monitored enough of your web application traffic, you can begin defining a blocking policy that won’t take down your app. If your app is actively being exploited, the post data in your WAF logs will tell you exactly how.

WAFs require technical skillsets in both web application vulnerabilities and secure development, and someone who knows how the application works. Freeware solutions provide a good way to get your feet wet but can quickly become cumbersome. If you can afford it, buy an enterprise solution for more effective, centralized management. Another option is to outsource the service to a team of experts who do this 24x7x365.

Deploy multifactor authentication (MFA). Your users will fall victim to phishing attacks, so this is a critical defense, even though deploying MFA to all applications takes time, perhaps years. The trick is to prioritize applications that are externally accessible. Leveraging an MFA solution that integrates seamlessly with an identity federation solution can help streamline the deployment and also will be less frustrating for your users. Identity federation solutions also reduce password fatigue and the massive problem we have now with the one-to-many relationship passwords have with applications. When the Yahoo and Sony compromised databases were compared, 59% of the credentials were found to be the same.

For a more comprehensive list of recommendations, see the full F5 Labs’ "Lessons Learned from a Decade of Data Breaches" report.


Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.