Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
3/22/2018
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Applications & Identities Initial Targets in 86% of Breaches: Report

The startling numbers of breached data are sobering: 11.8 billion records compromised in 337 of 433 incidents examined by F5 researchers. They include 10.3 billion usernames, passwords, and email accounts.

F5 Labs recently examined 433 data breach incidents to better understand attack paths from the initial attack to the root cause of the breach. Specifically, we looked at breaches where there was a known attack type, root cause, data type and count of records breached, or cost of the breach. Not all of the cases included every one of these elements, but there was enough compelling data in total to conclude that 86% of the breach cases started with an application or identity attack.

The report totaled breach records by type, and the results are sobering:

  • 11.8 billion records were compromised in just 337 cases;
  • 10.3 billion usernames, passwords, and email accounts were breached, which is equivalent to 1.36 records per person on the planet, or 32 records per US citizen;
  • 280 million social security numbers (SSNs) were breached, which is equal to 86.5% of the US population.

The startling counts of breached records in the "Lessons Learned from a Decade of Data Breaches" report start to make sense when you consider that over half of the world’s population today is online and applications are the new storefronts of businesses. In a lot of cases, applications are the business.

Applications are also the gateway to data which has immense value to attackers. The concern over the safety of applications and data is borne out in a separate report by F5 and Ponemon, "The Evolving Role of CISOs and their Importance to the Business," in which respondents were asked to rank their top threats. On a scale of 1 (minimal impact) to 10 (significant impact), respondents ranked both "insecure applications" and "data exfiltration" at 8.2.

Exploiting Applications Directly
Applications were the initial target of attack in the majority of breaches at 53%. Those attacks exploited the systems by targeting web application vulnerabilities with primarily injection attacks. These two commonly breached application vulnerabilities represent low hanging fruit for attackers.

  • Forum software is a favorite target for injection attacks because they consume user content that, if not sanitized properly, could be a crafty little malicious script that injects a PHP backdoor.
  • SQL injection, a critical vulnerability that enables an attacker to inject SQL queries and execute administrative operations on the backend database, shouldn’t require explanation because it’s been around for decades. These vulnerabilities are extremely easy for anyone (an attacker, or the company’s security team) to find—and for attackers to exploit.

User Identity Attacks
When the development and security teams have done a good job securing an application, it’s much easier for attackers to obtain data through users who have access to the application and the data within.

In the cases we researched, identities were the initial attack target in 33% of the breaches. Most of these attacks were attributed to phishing; it turns out tricking a user into giving up their credentials is remarkably easy, despite security awareness training efforts. Thanks to social media and consumers’ eagerness to share every aspect of their personal lives, phishing attacks will remain highly effective for the foreseeable future.

Unfortunately, phishing has no boundaries, ranging from executives, to receptionists and system administrators. Our breach trends report states that more data is collected by attackers through phishing attacks than any other attack type.

Identifying Common Attack Vectors
Security teams are constantly struggling to keep up. Leverage the research available and prioritize your security initiatives. If 86% of breaches start with identities and applications, then managing application vulnerabilities and limiting the impact of exploited identities should be your highest priority. It’s encouraging to see that many organizations are at least moving in the right direction by steadily increasing their investment in application protection. The CISOs we surveyed report spending 12% on app protection two years ago but that figure has increased to 17% today and is expected to rise to 29% two years from now.

Here are two tactics to stop your cyber attackers: 

Deploy a web application firewall (WAF). There are decent, free WAFs (in software form) that you can deploy in listen-only mode. Once you’ve logged and monitored enough of your web application traffic, you can begin defining a blocking policy that won’t take down your app. If your app is actively being exploited, the post data in your WAF logs will tell you exactly how.

WAFs require technical skillsets in both web application vulnerabilities and secure development, and someone who knows how the application works. Freeware solutions provide a good way to get your feet wet but can quickly become cumbersome. If you can afford it, buy an enterprise solution for more effective, centralized management. Another option is to outsource the service to a team of experts who do this 24x7x365.

Deploy multifactor authentication (MFA). Your users will fall victim to phishing attacks, so this is a critical defense, even though deploying MFA to all applications takes time, perhaps years. The trick is to prioritize applications that are externally accessible. Leveraging an MFA solution that integrates seamlessly with an identity federation solution can help streamline the deployment and also will be less frustrating for your users. Identity federation solutions also reduce password fatigue and the massive problem we have now with the one-to-many relationship passwords have with applications. When the Yahoo and Sony compromised databases were compared, 59% of the credentials were found to be the same.

For a more comprehensive list of recommendations, see the full F5 Labs’ "Lessons Learned from a Decade of Data Breaches" report.

 

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9405
PUBLISHED: 2019-09-20
The wp-piwik plugin before 1.0.5 for WordPress has XSS.
CVE-2015-9407
PUBLISHED: 2019-09-20
The xpinner-lite plugin through 2.2 for WordPress has xpinner-lite.php XSS.
CVE-2015-9408
PUBLISHED: 2019-09-20
The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options-general.php CSRF with resultant XSS.
CVE-2019-16533
PUBLISHED: 2019-09-20
On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access Control exists in loginset.htm, and can be used to trigger XSS. NOTE: this is an end-of-life product.
CVE-2019-16534
PUBLISHED: 2019-09-20
On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a crafted WAN name on the General Setup screen. NOTE: this is an end-of-life product.