Partner Perspectives
3/22/2018
09:00 AM
Sara Boddy
Applications & Identities Initial Targets in 86% of Breaches: Report

The counts of breached records are sobering: 11.8 billion records were compromised in 337 of the 433 incidents examined by F5 researchers, including 10.3 billion usernames, passwords, and email accounts.

F5 Labs recently examined 433 data breach incidents to better understand attack paths from the initial attack to the root cause of the breach. Specifically, we looked at breaches where there was a known attack type, root cause, data type and count of records breached, or cost of the breach. Not all of the cases included every one of these elements, but there was enough compelling data in total to conclude that 86% of the breach cases started with an application or identity attack.

The report totaled breach records by type, and the results are sobering:

  • 11.8 billion records were compromised in just 337 cases;
  • 10.3 billion usernames, passwords, and email accounts were breached, which is equivalent to 1.36 records per person on the planet, or 32 records per US citizen;
  • 280 million social security numbers (SSNs) were breached, which is equal to 86.5% of the US population.

The startling counts of breached records in the "Lessons Learned from a Decade of Data Breaches" report start to make sense when you consider that over half of the world’s population today is online and applications are the new storefronts of businesses. In a lot of cases, applications are the business.

Applications are also the gateway to data which has immense value to attackers. The concern over the safety of applications and data is borne out in a separate report by F5 and Ponemon, "The Evolving Role of CISOs and their Importance to the Business," in which respondents were asked to rank their top threats. On a scale of 1 (minimal impact) to 10 (significant impact), respondents ranked both "insecure applications" and "data exfiltration" at 8.2.

Exploiting Applications Directly
Applications were the initial target of attack in the majority of breaches, at 53%. Those attacks exploited web application vulnerabilities, primarily through injection. The two commonly exploited application weaknesses below represent low-hanging fruit for attackers.

  • Forum software is a favorite target for injection attacks because it consumes user content that, if not sanitized properly, may contain a small malicious script that injects a PHP backdoor.
  • SQL injection, a critical vulnerability that lets an attacker inject SQL queries and execute administrative operations on the backend database, shouldn’t need explanation because it has been around for decades. These vulnerabilities are extremely easy for anyone (an attacker, or the company’s security team) to find, and for attackers to exploit.
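As an added illustration of the SQL injection pattern described above (example code, not from the article or the F5 report), assuming a hypothetical user lookup against a constructed in-memory SQLite table: the vulnerable lookup splices the request parameter into the query text, the hardened one binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for an application's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable pattern: the request parameter is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    # Hardened pattern: the value is bound as a parameter and never parsed as SQL,
    # so the same input is just a username that does not exist.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input of the kind a WAF would see in a POST body: the quote closes
# the string literal and the OR clause makes the WHERE condition always true.
INJECTED_USERNAME = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", find_user_vulnerable(db, INJECTED_USERNAME))   # every row
    print("parameterized: ", find_user_parameterized(db, INJECTED_USERNAME))  # []
```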

User Identity Attacks
When the development and security teams have done a good job securing an application, it’s much easier for attackers to obtain data through users who have access to the application and the data within.

In the cases we researched, identities were the initial attack target in 33% of the breaches. Most of these attacks were attributed to phishing; it turns out tricking a user into giving up their credentials is remarkably easy, despite security awareness training efforts. Thanks to social media and consumers’ eagerness to share every aspect of their personal lives, phishing attacks will remain highly effective for the foreseeable future.

Unfortunately, phishing respects no boundaries; its targets range from executives to receptionists and system administrators. Our breach trends report states that more data is collected by attackers through phishing than through any other attack type.

Identifying Common Attack Vectors
Security teams are constantly struggling to keep up. Leverage the research available and prioritize your security initiatives. If 86% of breaches start with identities and applications, then managing application vulnerabilities and limiting the impact of exploited identities should be your highest priority. It’s encouraging to see that many organizations are at least moving in the right direction by steadily increasing their investment in application protection. The CISOs we surveyed report spending 12% on app protection two years ago but that figure has increased to 17% today and is expected to rise to 29% two years from now.

Here are two tactics to stop your cyber attackers:

Deploy a web application firewall (WAF). There are decent, free WAFs (in software form) that you can deploy in listen-only mode. Once you’ve logged and monitored enough of your web application traffic, you can begin defining a blocking policy that won’t take down your app. If your app is actively being exploited, the POST data in your WAF logs will tell you exactly how.

WAFs require technical skillsets in both web application vulnerabilities and secure development, and someone who knows how the application works. Freeware solutions provide a good way to get your feet wet but can quickly become cumbersome. If you can afford it, buy an enterprise solution for more effective, centralized management. Another option is to outsource the service to a team of experts who do this 24x7x365.
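An added example of the listen-only triage step (not code from the article or from F5): a small Python script that decodes the POST bodies from constructed log lines in a simplified, hypothetical "METHOD PATH body=..." format and counts which paths receive injection-shaped input, which is the evidence you review before turning a listen-only policy into a blocking one.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in a simplified, hypothetical "METHOD PATH body=<urlencoded>"
# format; real WAF logs differ, so adapt parse_line() to your product's layout.
SAMPLE_LOG = """\
POST /forum/post.php body=title=Hello&content=Nice+thread
POST /forum/post.php body=content=%3C%3Fphp+echo+%27x%27%3B+%3F%3E
POST /login.php body=user=admin%27+OR+%271%27%3D%271&pass=x
POST /login.php body=user=alice&pass=correcthorse
POST /forum/post.php body=content=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
"""

# Coarse, defender-side signatures for the two weaknesses the report calls out
# (injected PHP in forum content, SQL injection) plus script injection.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s*'?\d|union\s+select|;\s*drop\s", re.I),
    "php_backdoor": re.compile(r"<\?php|\beval\s*\(|\bsystem\s*\(", re.I),
    "script": re.compile(r"<script|javascript:|onerror\s*=", re.I),
}


def parse_line(line):
    """Split one log line into (method, path, decoded POST body)."""
    method, path, rest = line.split(" ", 2)
    body = rest[len("body="):] if rest.startswith("body=") else ""
    return method, path, unquote_plus(body)


def classify(body):
    """Return the signature names that match a decoded body (empty if benign)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(body)]


def triage(log_text):
    """Count (path, signature) pairs over a log: the review input for a blocking policy."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, path, body = parse_line(line)
        for tag in classify(body):
            hits[(path, tag)] += 1
    return hits


if __name__ == "__main__":
    for (path, tag), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{path:<20} {tag:<13} {n}")
```

Paths that only ever show benign bodies are candidates for a permissive rule; paths that repeatedly show one signature are where a narrowly scoped blocking rule can be enabled first.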

Deploy multifactor authentication (MFA). Your users will fall victim to phishing attacks, so this is a critical defense, even though deploying MFA to all applications takes time, perhaps years. The trick is to prioritize applications that are externally accessible. Leveraging an MFA solution that integrates seamlessly with an identity federation solution can help streamline the deployment and also will be less frustrating for your users. Identity federation solutions also reduce password fatigue and the massive problem we have now with the one-to-many relationship passwords have with applications. When the Yahoo and Sony compromised databases were compared, 59% of the credentials were found to be the same.

For a more comprehensive list of recommendations, see the full F5 Labs’ "Lessons Learned from a Decade of Data Breaches" report.

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ...