In the report, an incident is defined as a “security event that compromises the integrity, confidentiality or availability of an information asset,” while a breach is considered an “incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.”
The DBIR discusses the race between the number of vulnerabilities created and the number addressed. The research clearly suggests that the current approach to patching vulnerabilities is not working: as the graph below shows, vulnerabilities are being created faster than they are being closed. The report recommends that organizations establish a vulnerability remediation process as a first step.
For organizations with systems that cannot be patched or upgraded to the latest software, the DBIR recommends a Plan B: applying other risk mitigations such as configuration changes or isolation. This Plan B should also include planning how vulnerable devices could be replaced without significant disruption to the business. Plan B, however, should only be applied until the vulnerability is properly addressed and should not be the first choice.
Looking at the distribution of attacks graph below, it is evident that industries that have adopted, and increased, their use of web applications in the past year (such as financials) are seeing the impact on attack patterns. On the assumption that mobile applications are counted together with web applications, both the financial and transportation verticals are clearly the top targets for web application attack vectors. Both industries have ramped up their web and mobile application services in recent years, creating a very fertile attack surface.
The report further confirms that websites have become a business-critical platform. Business websites have evolved from eye-catching pages carrying a marketing pitch about the organization into platforms connected to backend servers that communicate directly with the organization's databases in order to provide functionality and to store and collect data.
This report also confirms that the motivation for attacks continues to be financial gain: “95% of confirmed web app breaches were financially motivated.”
Given that SQLi is still an enabler of web application attacks, the DBIR again stresses the need for input validation. Plugins, very often open source, are another concern raised in the report. The report recommends establishing a patch process; however, it is also critical to ensure that any open source components in your web applications are not exposing vulnerabilities in the first place.
Cyber espionage is on the rise as attacks by anonymous groups and nation states take a larger share of the pie. While these attacks tend to be on the more sophisticated side, they still rely on techniques we know well.
Droppers, phishing and targeted malware remain among the most popular foot-in-the-door techniques. When those are not used to plant persistent malware, exploitation of existing vulnerabilities still works for the attackers. While the DBIR identifies browser plugins as the main target for vulnerability exploitation, it does not mention the very popular Adobe and Java vulnerabilities.
The team behind the DBIR worked hard to dispel some common assumptions about the realities of cyber security. One myth they shed light on is the belief that hackers are always precise when picking a target to hit with a zero-day attack. The contrary is true: the majority of attacks are opportunistic, indiscriminate and exploit known vulnerabilities. In fact, they note that the top 10 vulnerabilities account for 85% of successful exploit traffic.
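The "top 10 account for 85%" figure, together with the remediation-process and Plan B advice earlier in the post, suggests a simple prioritization rule: rank vulnerabilities by observed exploit traffic, work down the list until the chosen set covers the target share, and for each chosen item decide between a patch and a temporary Plan B. The following is an added example (not from the DBIR or Checkmarx) that implements that rule over a constructed inventory; the `VULN-*` identifiers, hit counts and patchability flags are placeholders, and the exploit-traffic counts are assumed to come from your own telemetry.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Vuln:
    ident: str         # placeholder identifier, not a real CVE number
    exploit_hits: int  # observed successful-exploit traffic for this item (constructed)
    patchable: bool    # False when the affected system cannot be patched or upgraded

# Constructed sample inventory; 1000 exploit hits in total.
SAMPLE_INVENTORY: List[Vuln] = [
    Vuln("VULN-A", 500, True),
    Vuln("VULN-B", 300, False),
    Vuln("VULN-C", 120, True),
    Vuln("VULN-D", 50, True),
    Vuln("VULN-E", 20, False),
    Vuln("VULN-F", 10, True),
]

def prioritize(vulns: List[Vuln], coverage: float = 0.85) -> List[Vuln]:
    """Return the highest-traffic vulnerabilities, in order, up to the point
    where they account for at least `coverage` of all observed exploit hits."""
    total = sum(v.exploit_hits for v in vulns)
    if total == 0:
        return []  # nothing observed: no exploit-driven ordering is possible
    ranked = sorted(vulns, key=lambda v: v.exploit_hits, reverse=True)
    chosen: List[Vuln] = []
    covered = 0
    for v in ranked:
        chosen.append(v)
        covered += v.exploit_hits
        if covered / total >= coverage:
            break
    return chosen

def remediation_plan(vulns: List[Vuln], coverage: float = 0.85) -> Dict[str, str]:
    """Map each prioritized vulnerability to an action: patch where possible,
    otherwise a temporary Plan B (isolation/configuration change) with a
    replacement plan, as the report advises."""
    plan: Dict[str, str] = {}
    for v in prioritize(vulns, coverage):
        if v.patchable:
            plan[v.ident] = "patch"
        else:
            plan[v.ident] = "plan-b: isolate or reconfigure now; schedule replacement"
    return plan

if __name__ == "__main__":
    for ident, action in remediation_plan(SAMPLE_INVENTORY).items():
        print(f"{ident}: {action}")
```

On the sample inventory the first three items already cover 92% of exploit hits, so the plan stops there: two are patched and the unpatchable one gets a Plan B entry that carries a replacement task, matching the report's point that mitigations are a stopgap until the vulnerability is properly addressed.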
Another myth worth dispelling is that nobody falls for phishing attacks anymore. This would seem to make sense, as classic phishing schemes like the “Nigerian Prince email” and other advance-fee scams are publicly mocked and turned into laughable memes, but the opposite, unfortunately, rings true. A surprising 30% of phishing emails are opened, and 12% of targets go on to click the link or the attachment, often within minutes of opening the email!
To read more about the dangers posed by phishing attacks, read: Everyone Talks About Phishing, But No One Blames XSS