As attackers increasingly target e-commerce websites that store valuable payment card data, a new report shows that vulnerable applications and third-party plug-ins remain easy and pervasive avenues for exploiting such sites.
For its 2014 Global Security Report, Trustwave collected information from 691 data breach investigations the company conducted across 24 different countries -- an increase of more than 50% over the number of breaches analyzed for the same report last year. Unsurprisingly, the report found that attackers continue to target the most financially lucrative assets available to them.
One-third of all attacks investigated by Trustwave were aimed at point-of-sale (POS) systems, and 19% of all data stolen was from payment cards used in POS transactions. While POS attacks are still widespread, Karl Sigler, manager of threat intelligence for Trustwave, said that the increased adoption of chip-and-PIN payment technology in many countries -- the Smart Card Alliance estimates that up to 95% of terminals in parts of Europe are chip-enabled -- has meant that stealing payment card data from such environments is no longer an easy endeavor.
As a result, attackers are now looking to take advantage of other low-hanging fruit, according to Sigler, which explains why 54% of the attacks in the Trustwave report targeted e-commerce websites, and just over a third of the data stolen was payment card info from such sites.
Sigler said attacking Web properties like e-commerce sites is attractive not only for the valuable data stored on their servers, but also because they tend to be riddled with easily exploitable vulnerabilities. In fact, 96% of all the applications that were scanned by Trustwave last year contained at least one serious vulnerability, which Sigler defined as one that leaves an application susceptible to data leakage, remote code execution or privilege escalation attacks, or even gives an attacker the ability to bypass security controls.
That tends to be the case, Sigler claimed, because many organizations simply don't make security a priority and app developers in particular care more about including features that make a product more competitive than implementing basic security practices that could eliminate such issues. Consequently, SQL injection attacks -- a long-known problem for which there are many mitigations -- still account for 8% of all system intrusions recorded by Trustwave.
Sigler said that more companies, particularly those smaller and mid-sized organizations that don't have any in-house security expertise, can turn to third parties for code auditing services, or can even use free, open-source security tools to scan for the most common app vulnerabilities. Still, until organizations adopt more secure development practices, shoddy software security will likely remain an issue.
"Security is generally the last thing put into an application and tends to be glossed over," said Sigler, "and because of that, almost all applications go out with at least one serious vulnerability."
Plug-in security a problem too
Vulnerable applications are hardly the only way to compromise enterprise systems and Web properties though, according to the report. Using data collected from its secure Web gateway technology, Trustwave indicated that 85% of all exploits detected by the company involved at least one third-party plug-in.
In particular, Oracle Java applets continue to be at the heart of many Web-based client-side threats, with various Java vulnerabilities accounting for 78% of such attacks. In comparison, three zero-day Adobe Flash vulnerabilities were discovered in 2013, but Flash vulnerabilities were only used in 5% of the exploits witnessed by Trustwave.
The continued move away from Flash to HTML5 -- prompted by the lack of Flash support in major mobile platforms -- will further reduce the number of exploits that depend on Adobe's media player, according to Sigler, but organizations should still consider disabling Flash altogether. To mitigate Adobe Reader vulnerabilities, which accounted for 2% of exploits in the Trustwave report, Sigler said that switching to an alternative PDF reader may also be an option to reduce an enterprise's risk exposure, though those alternatives aren't necessarily more secure.
"A lot of the third-party plug-ins have vulnerabilities. I've seen vulnerabilities in third-party PDF readers as well," said Sigler. "The fact that Flash, Reader and Java are so heavily targeted means that disabling Flash and moving to an alternative PDF reader would definitely be helpful, but not necessarily a sure shot."
While such measures may be helpful, Sigler warned that many organizations and users still fail to follow even basic security practices. For example, weak passwords were behind nearly one-third of the initial system intrusions detected by Trustwave, and the fundamentally insecure "123456" was the most commonly used password.
More than seven out of 10 breaches are also detected by third parties, not the companies that have been victimized -- a statistic that Sigler said was the result of many companies not performing basic security functions like turning on an intrusion detection system or regularly reading logs.
Sigler said that implementing just those rudimentary measures can deliver big security benefits, a fact laid bare by Trustwave's statistics. While companies took 14 days to contain incidents that were detected by third parties, for example, they took just one day to do so when an incident was self-detected.
"We've seen a lot of different attack vectors in 2013, but we're also seeing that very common security controls aren't being implemented correctly," said Sigler. "All organizations could do a better job with simple detection mechanisms and just using stronger passwords."