Major point-of-sale intrusions and cyber espionage tend to grab a majority of the news headlines nowadays, but according to the 2014 Verizon Data Breach Investigations Report (DBIR), Web application attacks are the most common threat that organizations currently face.
The 2014 Verizon DBIR analyzed data contributed by 50 organizations around the world, covering 1,367 confirmed data breaches and 63,437 security incidents -- events that compromise the "confidentiality, integrity, or availability of an information asset" -- and sorted that data into nine attack patterns. Those patterns are then mapped to industries and to the corresponding security controls, giving readers a sense of which attacks are most likely to affect them and how those attacks can be combated.
Out of the 1,367 confirmed data breaches, the cyber espionage pattern accounted for 22% of the breaches recorded by Verizon and its partners, while point-of-sale (POS) intrusions made up 14% of the breaches in this year's report.
Still, Web app attacks were far and away the most common breach type, with 35% of all confirmed breaches linked to Web application security issues. That figure is also a significant increase over the three-year average of 21% of data breaches falling under the Web app attack pattern. Though data from new contributors like Web application security vendor WhiteHat Security may skew those numbers upward, the Verizon data breach report makes it clear that Web apps are an increasingly convenient target for attackers.
"Web applications remain the proverbial punching bag of the Internet," said the Verizon report. "There's no question about it -- the variety and combination of techniques available to attackers make defending Web applications a complex task."
Web app attacks: Motives, techniques vary
The report indicated that nearly two out of three attackers targeting Web apps are motivated by "ideology and lulz," while financial incentives drive the remaining third. Those financially motivated attackers are most likely to target organizations in two industries -- financial services and retail. They are particularly focused on gaining access to user interfaces like those of online banking sites, either by exploiting an underlying weakness in the application itself or by simply stealing legitimate user credentials.
The Web app attack techniques used by malicious actors remain largely the same, according to the Verizon report. Attackers use phishing to glean credentials, or simply brute force the passwords, both of which show up in the top 20 overall threat actions. Otherwise, they fall back to SQL injection and other application-level attacks.
SQL injection is by far the most common Web application vulnerability, according to Trustwave's SpiderLabs Director Charles Henderson, who said that many application-level flaws are the result of enterprises using customized websites.
"Very few reasonably sized e-commerce companies are going to buy an off-the-shelf website. A good portion of that application is going to be entirely custom written, whether that be checkout processes or search functionality," he said. "That means it is prone to security weaknesses. It requires additional testing and controls like validate scanning and application scanning. Web application firewalls are also a very important layer of the onion, so to speak."
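The SQL injection flaw Henderson describes is usually a login or search query assembled from user input as text. The following is an added example written for this page, not code from the report or from Trustwave: a login check built by string formatting beside the same check with bound parameters, run against a constructed in-memory SQLite table (the schema, user names and hash strings are assumptions, and the password-hash comparison is deliberately simplified to keep the two versions identical except for how the query is built).

```python
import sqlite3

# Constructed in-memory user table for this example; the schema and data are
# assumptions, not anything taken from the Verizon report or from Trustwave.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password_hash):
    """Builds the SQL text by string formatting, so attacker-controlled input is
    parsed as SQL. Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password_hash):
    """Same query with bound parameters: the driver passes the values as data, so
    quotes and comment markers in the input never change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None

# Classic authentication bypass: the quote closes the string literal and "--"
# comments out the rest, leaving ... WHERE username = 'alice' --' AND ...
BYPASS_USERNAME = "alice' --"

def demo():
    conn = make_db()
    return {
        "vulnerable, valid creds": login_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "vulnerable, injected": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "parameterized, valid creds": login_parameterized(conn, "alice", "hash-of-alice-pw"),
        "parameterized, injected": login_parameterized(conn, BYPASS_USERNAME, "wrong"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the injected username the vulnerable version returns "alice" without ever checking the password; the parameterized version returns None because the whole string is compared as a username and matches nobody. In production code the query would fetch only the stored hash by username and the password would be verified in application code with a constant-time comparison; the point here is that the fix is in how the query is built, which is why a Web application firewall is a layer on top of that fix rather than a substitute for it.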
To mitigate the use of stolen credentials, Verizon senior risk analyst Marc Spitler advised enterprises to consider implementing some form of two-factor authentication, a recommendation the 2014 DBIR makes against several attack patterns.
Not surprisingly, attackers that target Web apps for non-financial reasons tend to aim at different verticals and deploy different techniques, with the Verizon report indicating that content management systems (CMS) like WordPress and Drupal are among the most popular targets.
"Ideological actors [whether their motivation is social, political, or just for plain fun] are less concerned about getting at the crown jewels than they are about getting a platform [in all sense of the word] to stand on," said the Verizon report. "With that in mind, it's not surprising that we see two types of results from ideological attackers going after a Web server: defacements to send a message or hijacking the server to attack [including by DDoS] other victims."
A CMS is an attractive target for several reasons, according to Henderson. First, there is simply a good return on investment for an attack on a CMS, because finding a single vulnerability in one platform means that an attacker can simultaneously target every site running the same CMS. Such systems also give attackers an advantage when it comes to preparation.
"You can download a CMS and test it offline," said Henderson, "whereas with other Web applications, an alerting system like a SIEM or a Web application firewall may notice me poking around in there."
To fend off attacks against CMS platforms, Verizon advised enterprises either to implement a regular patching process, preferably automated, or possibly to move to a static CMS, meaning that the Web pages are pre-generated rather than having code executed on the server for every request.
To reduce the number of successful Web app attacks, Henderson said many organizations simply need to pay closer attention to incidents that may affect Web security.
"You have a lot of people that are very lax about what is going on with their Web application. They may or may not be logging the right things. They may have a Web application firewall, but someone might not be watching it," said Henderson. "I feel like we as an industry aggregate a lot of security information that we just throw away, and frankly, that's because the average e-commerce website isn't in the business of fighting off Web app attacks."
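Henderson's point about logging the right things and actually watching them, combined with the report's note that credential brute forcing and SQL injection sit among the most common Web app attack actions, is easy to make concrete. The following is an added example written for this page, not code from the report, Verizon or Trustwave: a small detector run over constructed Web server access-log lines (combined-log style, abbreviated to the fields used; the addresses come from documentation ranges and every event is invented) that flags sources with a burst of failed logins, notes when such a source then logs in successfully, and flags query strings carrying simple SQL injection indicators. The thresholds, the `/login` path and the indicator patterns are assumptions to be tuned for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style, abbreviated to the
# fields used here). Addresses are from documentation ranges; every event is
# invented for this example and not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2014:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/May/2014:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/May/2014:13:55:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/May/2014:13:55:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/May/2014:13:55:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/May/2014:13:55:11 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [10/May/2014:13:56:40 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/May/2014:13:56:58 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.9 - - [10/May/2014:13:57:12 +0000] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
198.51.100.7 - - [10/May/2014:13:57:30 +0000] "GET /search?q=rock%20and%20roll HTTP/1.1" 200 7700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Crude SQL injection indicators in a decoded query string: a quote followed by
# OR/AND, a SQL comment marker, or UNION SELECT. Enough to flag the sample; a real
# deployment tunes this against its own traffic to keep false positives down.
SQLI_RE = re.compile(r"'\s*(or|and)\s|--|union\s+select", re.IGNORECASE)

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def parse_log(text):
    return [e for e in (parse(line) for line in text.splitlines()) if e]

def is_login_post(entry):
    # Assumed login endpoint for this example.
    return entry["method"] == "POST" and entry["path"].split("?", 1)[0] == "/login"

def brute_force_sources(entries, threshold=5, window_s=60):
    """Return {ip: total_failed_logins} for IPs with at least `threshold` failed
    logins (HTTP 401 on POST /login) inside any `window_s`-second window."""
    fails = defaultdict(list)
    for e in entries:
        if is_login_post(e) and e["status"] == 401:
            fails[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def suspected_compromises(entries, flagged):
    """IPs flagged for brute force that logged in successfully after their first
    failure: the moment a guessed password turns into valid stolen credentials."""
    first_fail = {}
    for e in entries:
        if e["ip"] in flagged and is_login_post(e) and e["status"] == 401:
            first_fail.setdefault(e["ip"], e["ts"])
    hits = []
    for e in entries:
        if (e["ip"] in first_fail and is_login_post(e) and e["status"] == 200
                and e["ts"] > first_fail[e["ip"]] and e["ip"] not in hits):
            hits.append(e["ip"])
    return hits

def sqli_requests(entries):
    """(ip, decoded path) for requests whose query string matches SQLI_RE."""
    return [(e["ip"], unquote(e["path"])) for e in entries
            if SQLI_RE.search(unquote(e["path"]))]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    flagged = brute_force_sources(entries)
    print("brute force sources:", flagged)
    print("likely compromised logins from:", suspected_compromises(entries, flagged))
    print("SQLi indicators:", sqli_requests(entries))
```

On the sample, 203.0.113.5 trips the brute-force threshold and then logs in, which is exactly the event worth paging someone about rather than throwing away; 198.51.100.7's single typo-and-retry is left alone, and the search for "rock and roll" is not flagged because the indicator requires a quote before the keyword. The same checks are what a Web application firewall or SIEM would raise, but only if the 401s and the raw query strings are being logged in the first place.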