Were there any significant findings in the 2012 Verizon Data Breach Investigations Report that indicate what is or isn't working in Web application security? Other than "Get a Web application firewall," what did you see as the important takeaways from the Verizon report?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
Many people saw 2011 as the year of the hacktivist, and hacktivists certainly gave many network administrators sleepless nights. There were several high-profile site defacements such as the attack on the CIA site, and denial-of-service attacks affected sites as large as the PayPal site. The number of advanced persistent threats and their sheer sophistication was another highlight of the Verizon DBIR 2012. For me, the main takeaway of the report is that security pros are still not doing the basics right.
Although many of the headline-grabbing attacks are incredibly sophisticated, cybercriminals looking to make a profit usually choose to target the weakest systems, those that display an absence of information security basics, such as remaining unpatched against known vulnerabilities. Attackers know that tried-and-tested attack code, often freely available on the Internet, has a high success rate against these insecure systems, which greatly reduces their development time and costs. These types of attacks vastly outnumber those orchestrated by well-known groups such as Anonymous and LulzSec.
This is why Verizon's report picked up the growing number of attacks against the point-of-sale checkout systems used by restaurants and other small-business franchises, since attackers target these businesses to harvest customers' credit card numbers. A typical attack starts with a scan of IP addresses that look like they may belong to the servers that the restaurants and retailers use to transmit credit card and debit card data. Once a server is confirmed as a target, another attack program begins trying default and common passwords to log onto the server remotely. Many of the companies that install point-of-sale systems for small businesses neglect to set up a unique and strong password. When hackers find a password that works for a particular franchise, they often find it works at many other locations of the same franchise too.
The report also indicated that it isn't much harder for attackers to gain access to the resources of larger organizations. Simply changing the default password to a strong one would defeat this type of simple attack. Sadly, Verizon's report found that 96% of all data-breach hacks were "not highly difficult," with the initial compromise often requiring no special skills or resources. Translation: the average user could have executed the attack!
Until those responsible for data -- whether it's located on an enterprise server or a desktop PC at the back of a shop -- put basic application security practices in place, hackers will continue to steal data with relative ease. They aren't using sophisticated or expensive hacking tools; they are guessing easy or default passwords.
By all means, install data loss prevention tools if the budget is available, but disable default accounts and change default passwords on Internet-connected servers first. Most breaches are opportunistic, so hackers won't spend time on a hardened target if a softer one is available. Security should start by ensuring your organization is not the weakest system on the block.
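The password-guessing pattern described above (one source trying default and common account names against a remote login, then succeeding) is visible in ordinary authentication logs long before any data-loss-prevention tool would notice it. The following is an added example, not code from the original column or from Verizon: it parses a few constructed sshd-style log lines and flags (a) sources with a burst of failed logins across several usernames and (b) any successful login on a vendor-style default account name. The log lines, IP addresses, hostnames and the `DEFAULT_ACCOUNTS` list are all constructed for the example; the thresholds and the account list are assumptions to be tuned per platform.

```python
"""Detect password-guessing against remote logins and flag default accounts.

Added example (not from the original column). Parses constructed
sshd-style auth log lines and reports:
  * source IPs with many failed logins, across several usernames, in a short window
  * successful logins on account names from a constructed default-account list
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd format (documentation-range IPs, no real hosts).
SAMPLE_LOG = """\
Aug 14 02:10:01 pos-srv01 sshd[4123]: Failed password for root from 198.51.100.23 port 51022 ssh2
Aug 14 02:10:03 pos-srv01 sshd[4125]: Failed password for admin from 198.51.100.23 port 51023 ssh2
Aug 14 02:10:05 pos-srv01 sshd[4127]: Failed password for invalid user pos from 198.51.100.23 port 51024 ssh2
Aug 14 02:10:07 pos-srv01 sshd[4129]: Failed password for admin from 198.51.100.23 port 51025 ssh2
Aug 14 02:10:09 pos-srv01 sshd[4131]: Failed password for administrator from 198.51.100.23 port 51026 ssh2
Aug 14 02:10:11 pos-srv01 sshd[4133]: Accepted password for admin from 198.51.100.23 port 51027 ssh2
Aug 14 02:15:40 pos-srv01 sshd[4210]: Failed password for alice from 203.0.113.8 port 40112 ssh2
Aug 14 02:15:52 pos-srv01 sshd[4212]: Accepted password for alice from 203.0.113.8 port 40113 ssh2
"""

# Hypothetical list of account names vendors often ship enabled; adjust for the platform in use.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "pos", "guest", "support"}

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2012):
    """Turn raw log text into a list of login events; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def find_guessing_sources(events, window=timedelta(minutes=5), min_failures=4, min_users=2):
    """Return {ip: (failure_count, sorted_usernames)} for sources whose failed logins
    within `window` of some starting failure reach both thresholds.
    Requiring several distinct usernames separates guessing from a user mistyping one password."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each failure in turn.
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = sorted({e["user"] for e in burst})
            if len(burst) >= min_failures and len(users) >= min_users:
                hits[ip] = (len(burst), users)
                break
    return hits


def find_default_account_logins(events, defaults=DEFAULT_ACCOUNTS):
    """Successful logins on default account names. Each one is a finding regardless of
    whether the password was guessed: the account should have been disabled or renamed."""
    return [(e["ip"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["user"] in defaults]


def report(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {
        "guessing": find_guessing_sources(events),
        "default_logins": find_default_account_logins(events),
    }


if __name__ == "__main__":
    for finding, detail in report().items():
        print(finding, detail)
```

On the constructed sample, `report()` flags 198.51.100.23 for five failures across four account names in under ten seconds, followed by a successful login as `admin`, which is exactly the sequence the column describes; the single failed attempt from 203.0.113.8 followed by a correct password for `alice` is left alone. The same two checks work as a periodic audit: any hit in `default_logins` on a production point-of-sale server means the basic step of disabling default accounts was skipped.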
This was first published in August 2012