
Partner Perspectives
Sara Boddy

Applications & Identities Initial Targets in 86% of Breaches: Report

The numbers are sobering: 11.8 billion records were compromised in 337 of the 433 incidents F5 researchers examined, among them 10.3 billion usernames, passwords, and email accounts.

F5 Labs recently examined 433 data breach incidents to better understand attack paths from the initial attack to the root cause of the breach. Specifically, we looked at breaches where there was a known attack type, root cause, data type and count of records breached, or cost of the breach. Not all of the cases included every one of these elements, but there was enough compelling data in total to conclude that 86% of the breach cases started with an application or identity attack.

The report totaled breach records by type, and the results are sobering:

  • 11.8 billion records were compromised in just 337 cases;
  • 10.3 billion usernames, passwords, and email accounts were breached, which is equivalent to 1.36 records per person on the planet, or 32 records per US citizen;
  • 280 million social security numbers (SSNs) were breached, which is equal to 86.5% of the US population.

The startling counts of breached records in the "Lessons Learned from a Decade of Data Breaches" report start to make sense when you consider that over half of the world’s population today is online and applications are the new storefronts of businesses. In a lot of cases, applications are the business.

Applications are also the gateway to data which has immense value to attackers. The concern over the safety of applications and data is borne out in a separate report by F5 and Ponemon, "The Evolving Role of CISOs and their Importance to the Business," in which respondents were asked to rank their top threats. On a scale of 1 (minimal impact) to 10 (significant impact), respondents ranked both "insecure applications" and "data exfiltration" at 8.2.

Exploiting Applications Directly
Applications were the initial target of attack in the majority of breaches, 53%. Those attacks exploited web application vulnerabilities, primarily through injection. The two vulnerability classes below are the ones most commonly breached, and they are low-hanging fruit for attackers.

  • Forum software is a favorite target for injection attacks because it consumes user-supplied content; if that content is not validated and sanitized properly, a post or upload can carry a small malicious script that plants a PHP backdoor on the server.
  • SQL injection, a critical vulnerability that lets an attacker append to or alter the application's SQL statements and execute administrative operations on the backend database, shouldn't require explanation because it has been around for decades. These vulnerabilities are extremely easy for anyone (an attacker, or the company's security team) to find, and for attackers to exploit.

User Identity Attacks
When the development and security teams have done a good job securing an application, it’s much easier for attackers to obtain data through users who have access to the application and the data within.

In the cases we researched, identities were the initial attack target in 33% of the breaches. Most of these attacks were attributed to phishing; it turns out that tricking a user into giving up their credentials is remarkably easy, despite security awareness training efforts. Thanks to social media and consumers' eagerness to share every aspect of their personal lives, attackers have ample material for convincing, personalized lures, so phishing will remain highly effective for the foreseeable future.

Unfortunately, phishing respects no boundaries; its targets range from executives to receptionists and system administrators. Our breach trends report finds that attackers collect more data through phishing than through any other attack type.

Identifying Common Attack Vectors
Security teams are constantly struggling to keep up, so leverage the research available and prioritize your security initiatives accordingly. If 86% of breaches start with identities and applications, then managing application vulnerabilities and limiting the impact of compromised identities should be your highest priority. It is encouraging to see that many organizations are at least moving in the right direction by steadily increasing their investment in application protection. The CISOs we surveyed report that app protection accounted for 12% of their security spending two years ago; that figure has increased to 17% today and is expected to rise to 29% two years from now.

Here are two tactics that address those two attack paths:

Deploy a web application firewall (WAF). There are decent, free WAFs (in software form) that you can deploy in detection-only mode, where they log but do not block. Once you have logged and monitored enough of your web application traffic to know what normal looks like, you can begin defining a blocking policy that won't take down your app. If your app is actively being exploited, the request bodies (POST data) captured in your WAF logs will tell you exactly how.

WAFs require technical skill sets in both web application vulnerabilities and secure development, plus someone who knows how the application works. Freeware solutions provide a good way to get your feet wet but can quickly become cumbersome. If you can afford it, buy an enterprise solution for more effective, centralized management. Another option is to outsource the service to a team of experts who do this 24x7x365.
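The staged roll-out above (log first, block later), as an added example that is not code from any WAF product or from the F5 Labs report: a tiny request filter with a detection-only mode and a blocking mode, run over constructed requests. The three signatures, the request samples and the `Waf` class are all illustrative; real rule sets such as the OWASP Core Rule Set are far larger and score matches rather than acting on single patterns.

```python
"""Added example: a minimal WAF-style request filter with DetectionOnly and
blocking modes. Illustration only; signatures and requests are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Deliberately small signature list covering the injection classes discussed
# above. Each pattern is an assumption for this example, not a product rule.
SIGNATURES = {
    "sqli_comment_or_tautology": re.compile(
        r"(?i)('\s*(--|#)|'\s*or\s*'?\d*'?\s*=\s*'?\d)"
    ),
    "sqli_union": re.compile(r"(?i)\bunion\s+(all\s+)?select\b"),
    "php_tag_in_input": re.compile(r"<\?php", re.I),
}


@dataclass
class Waf:
    mode: str = "DetectionOnly"   # "DetectionOnly" logs only; "On" blocks
    events: List[Dict] = field(default_factory=list)

    def inspect(self, request: Dict) -> Dict:
        """Scan query args and the POST body. Matches are always recorded
        (with the offending value, so the log shows exactly how the app is
        being hit); the request is refused only in blocking mode."""
        fields = dict(request.get("args", {}))
        fields.update(request.get("body", {}))
        matches = []
        for name, value in fields.items():
            for rule, pattern in SIGNATURES.items():
                if pattern.search(value):
                    matches.append({"field": name, "rule": rule, "value": value})
        if matches:
            self.events.append(
                {"path": request["path"], "mode": self.mode, "matches": matches}
            )
            if self.mode == "On":
                return {"status": 403, "body": "blocked"}
        return {"status": 200, "body": "forwarded"}


# Constructed traffic: one legitimate login and three attack attempts.
SAMPLE_REQUESTS = [
    {"path": "/login", "args": {}, "body": {"user": "alice", "pass": "s3cret"}},
    {"path": "/login", "args": {}, "body": {"user": "alice' --", "pass": "x"}},
    {"path": "/search", "args": {"q": "1 UNION SELECT password FROM users"},
     "body": {}},
    {"path": "/forum/post", "args": {},
     "body": {"text": "hi <?php system($_GET['c']); ?>"}},
]


def run(mode: str):
    """Push the sample traffic through a fresh filter in the given mode and
    return (status codes in order, recorded events)."""
    waf = Waf(mode=mode)
    statuses = [waf.inspect(r)["status"] for r in SAMPLE_REQUESTS]
    return statuses, waf.events


if __name__ == "__main__":
    for mode in ("DetectionOnly", "On"):
        statuses, events = run(mode)
        print(mode, statuses)
        for ev in events:
            print("  ", ev["path"], [m["value"] for m in ev["matches"]])
```

In `DetectionOnly` every request is forwarded and the three attacks show up in `events` with the raw POST and query values; that is the material you review before switching `mode` to `On`, after which the same three are refused with 403 and the legitimate login still passes. False positives surface in the same log, which is why the detection phase should run long enough to cover the application's real traffic.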

Deploy multifactor authentication (MFA). Your users will fall victim to phishing attacks, so this is a critical defense, even though deploying MFA to all applications takes time, perhaps years. The trick is to prioritize applications that are externally accessible. Leveraging an MFA solution that integrates seamlessly with an identity federation solution can help streamline the deployment and will be less frustrating for your users. Identity federation also reduces password fatigue and the massive problem we have now with one password reused across many applications: when the Yahoo and Sony compromised databases were compared, 59% of the credentials were found to be the same. Note that a one-time code typed into a phishing page can still be relayed to the real site in real time, so prefer phishing-resistant factors where you can.

For a more comprehensive list of recommendations, see the full F5 Labs’ "Lessons Learned from a Decade of Data Breaches" report.


Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ...