Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
3/22/2018
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Applications & Identities Initial Targets in 86% of Breaches: Report

The startling numbers of breached data are sobering: 11.8 billion records compromised in 337 of 433 incidents examined by F5 researchers. They include 10.3 billion usernames, passwords, and email accounts.

F5 Labs recently examined 433 data breach incidents to better understand attack paths from the initial attack to the root cause of the breach. Specifically, we looked at breaches where there was a known attack type, root cause, data type and count of records breached, or cost of the breach. Not all of the cases included every one of these elements, but there was enough compelling data in total to conclude that 86% of the breach cases started with an application or identity attack.

The report totaled breach records by type, and the results are sobering:

  • 11.8 billion records were compromised in just 337 cases;
  • 10.3 billion usernames, passwords, and email accounts were breached, which is equivalent to 1.36 records per person on the planet, or 32 records per US citizen;
  • 280 million social security numbers (SSNs) were breached, which is equal to 86.5% of the US population.

The startling counts of breached records in the "Lessons Learned from a Decade of Data Breaches" report start to make sense when you consider that over half of the world’s population today is online and applications are the new storefronts of businesses. In a lot of cases, applications are the business.

Applications are also the gateway to data which has immense value to attackers. The concern over the safety of applications and data is borne out in a separate report by F5 and Ponemon, "The Evolving Role of CISOs and their Importance to the Business," in which respondents were asked to rank their top threats. On a scale of 1 (minimal impact) to 10 (significant impact), respondents ranked both "insecure applications" and "data exfiltration" at 8.2.

Exploiting Applications Directly
Applications were the initial target of attack in the majority of breaches at 53%. Those attacks exploited the systems by targeting web application vulnerabilities with primarily injection attacks. These two commonly breached application vulnerabilities represent low hanging fruit for attackers.

  • Forum software is a favorite target for injection attacks because they consume user content that, if not sanitized properly, could be a crafty little malicious script that injects a PHP backdoor.
  • SQL injection, a critical vulnerability that enables an attacker to inject SQL queries and execute administrative operations on the backend database, shouldn’t require explanation because it’s been around for decades. These vulnerabilities are extremely easy for anyone (an attacker, or the company’s security team) to find—and for attackers to exploit.

User Identity Attacks
When the development and security teams have done a good job securing an application, it’s much easier for attackers to obtain data through users who have access to the application and the data within.

In the cases we researched, identities were the initial attack target in 33% of the breaches. Most of these attacks were attributed to phishing; it turns out tricking a user into giving up their credentials is remarkably easy, despite security awareness training efforts. Thanks to social media and consumers’ eagerness to share every aspect of their personal lives, phishing attacks will remain highly effective for the foreseeable future.

Unfortunately, phishing has no boundaries, ranging from executives, to receptionists and system administrators. Our breach trends report states that more data is collected by attackers through phishing attacks than any other attack type.

Identifying Common Attack Vectors
Security teams are constantly struggling to keep up. Leverage the research available and prioritize your security initiatives. If 86% of breaches start with identities and applications, then managing application vulnerabilities and limiting the impact of exploited identities should be your highest priority. It’s encouraging to see that many organizations are at least moving in the right direction by steadily increasing their investment in application protection. The CISOs we surveyed report spending 12% on app protection two years ago but that figure has increased to 17% today and is expected to rise to 29% two years from now.

Here are two tactics to stop your cyber attackers: 

Deploy a web application firewall (WAF). There are decent, free WAFs (in software form) that you can deploy in listen-only mode. Once you’ve logged and monitored enough of your web application traffic, you can begin defining a blocking policy that won’t take down your app. If your app is actively being exploited, the post data in your WAF logs will tell you exactly how.

WAFs require technical skillsets in both web application vulnerabilities and secure development, and someone who knows how the application works. Freeware solutions provide a good way to get your feet wet but can quickly become cumbersome. If you can afford it, buy an enterprise solution for more effective, centralized management. Another option is to outsource the service to a team of experts who do this 24x7x365.

Deploy multifactor authentication (MFA). Your users will fall victim to phishing attacks, so this is a critical defense, even though deploying MFA to all applications takes time, perhaps years. The trick is to prioritize applications that are externally accessible. Leveraging an MFA solution that integrates seamlessly with an identity federation solution can help streamline the deployment and also will be less frustrating for your users. Identity federation solutions also reduce password fatigue and the massive problem we have now with the one-to-many relationship passwords have with applications. When the Yahoo and Sony compromised databases were compared, 59% of the credentials were found to be the same.

For a more comprehensive list of recommendations, see the full F5 Labs’ "Lessons Learned from a Decade of Data Breaches" report.

 

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.