Web App Attacks: 7 Takeaways from the New Verizon DBIR

Apr 23, 2014 By Sarah Vonnegut

Hackers going after Web applications are getting smarter and faster by automating their malicious tools, and organizations are struggling to keep up. This was among the biggest revelations in Verizon’s 2014 Data Breach Investigations Report. The report analyzed over 63,000 security incidents over the past year, 1,367 of which resulted in a breach.

It may come as a surprise to some that PoS intrusion attacks, the cause of the massive Target breach, and similar, subsequent incidents, were not the leading attack vector of the report’s nine incident patterns. Alas, the award for the most exploited vulnerabilities went to Web applications, which hackers relentlessly went after this year – to the tune of 3,937 incidents and 490 confirmed breaches.

Here, we break down the top 8 revelations from the report’s section on last year’s pattern of Web app attacks and the key takeaways from each.

1. Web App Attacks are on the rise

The report found that 35% of all 2013 breaches were accomplished through Web app attacks – a number that’s been steadily rising in the past few years.  Web app security is an often under-budgeted area, and hackers are using that to their advantage.

“What stands out is that if you have a presence on the Internet, you are a target,” Verizon analyst Dave Ostertag told BankInfoSecurity. “Intrusion and data breaches cross all industries and all international boundaries.” The two main methods of breaching web apps – XSS and SQL injection – have only increased in prevalence, while web app security has struggled to stay afloat.

Takeaway: Hackers are moving away from exploiting enterprise infrastructures and moving towards more application-level exploits – dictating a higher standard for Web app security.

2. 66% of Web app breaches are ‘not-for-profit’

Just because your organization doesn’t have valuable financial data hackers would love to get their hands on, doesn’t mean you shouldn’t protect yourself against Web app attacks. The analysts working on the report found that two-thirds of Web app hackers aren’t going after money, instead using their skills to send a message, either by hijacking sites or by DDoS attack.

“Ideological actors [whether their motivation is social, political, or just for plain fun] are less concerned about getting at the crown jewels than they are about getting a platform to stand on,” the Verizon report states. These attacks are heavily geared towards CMS systems (discussed later), targeting customized sites that don’t have the power of the general CMS’ security team to discover and patch any necessary issues.

Takeaway: We’re all vulnerable to the lulz of Hacktivists and other ideologically motivated actors, and they’re using Web app attacks to spread their messages.

3. The Finance sector was hit the hardest among all industries in Web app attacks.

Within the financial industry, hackers especially focus on getting into user interfaces, since that’s where the money is. Attackers are using tactics to steal credentials or bypass authentication to get into user bank accounts, since those “grant logical access to the money.” And there’s a lot of money to be made in stolen credentials, as Brian Krebs reported after the Target incident.

Takeaway: As long as there is money in the bank, the attacks on financial organizations and their customers will continue.

4. Hackers used old, known vulnerabilities to access business-critical data

Attackers are employing “all the usual suspects” in their hack tactics, including phishing, using brute-force to crack passwords, as well as “rarer cases of targeting the application through application-level attacks,” the report says. None of this is news, and yet the same flaws tend to be exploited over and over again. While some organizations implement fixes immediately after they’re discovered, many more sites won’t update until they’re faced with an incident.

Takeaway: Sometimes the easiest fixes are the least attended to but hit organizations the hardest. We need to collectively learn to “nurture” our Web apps with updates (and a more secure SDLC from the get-go).

5. SQL Injection was used in 80% of Web app attacks in the retail sector

SQL Injection remains the biggest disruptor to web applications today, and nowhere is the pain of SQL injections felt deeper than within the retail industry. Much like attacks on the financial sector, hackers going after the retail industry are also using Web app attacks to get to the money, just with a different focus: credit and debit card data. 

SQL injections easily fit into that equation for hackers. A separate report conducted last year found that retailers suffer twice as many SQL injection attacks as any other industry. It’s one of the easiest attacks to leverage and can give great returns to those going after database information and the like. The report lists pervasive BYOD trends as well as failing to validate third-party applications as rising trends surrounding the increase in this type of attack.

Takeaway: SQL injections are not slowing down anytime soon, so it’s time organizations show their databases some tough security love.

6. 74% of Web app attacks were reported to the organization by a customer

The fact that three-quarters of financially motivated Web app attacks are being discovered by customers and a shocking 88% total from external parties should ring some major alarms. Customers should not have the burden of discovery, and security incidents can bear major consequences for customers’ trust in an organization.

Takeaway: Incident discovery begins with testing both in-house and third-party software on a recurring and regular basis.

7. Hackers are continuing to go after flaws in popular CMS systems, especially by using vulnerabilities in popular plugins.

Hackers spent last year targeting Joomla, Drupal and WordPress, and especially sites on those platforms that have custom-written components that wouldn’t necessarily implement patches or perform specialized security scans. Once a hacker finds one vulnerability in a platform or plugin, they can target any other organization using the same platform or plugin for similar results. That kind of high ROI for hackers just adds fuel to their fire.

Takeaway: We can’t trust the plugins and CMS systems we’re using to automatically be and stay secure. Source code analysis is the best way to find the flaws in these instances.

The 2014 Verizon Data Breach Incident Report is available here.  

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
