F5 Labs recently published a report called Lessons Learned from a Decade of Data Breaches. The purpose of our research was to figure out how attackers are breaching businesses and determine the attack paths—from the initial attack through to the root cause of the breach. The 433 cases we looked at were limited to breaches where there was a known attack type, root cause, data type and count of records breached, or cost of the breach. Not all of the cases included every one of these elements, but there was enough compelling data in total to conclude that 86% of the breach cases started with an application or identity attack.
The report totaled breach records by type, the results of which were sobering:
- 11.8 billion records were compromised in just 337 cases
- 10.3 billion usernames, passwords, and email accounts were breached, which is equivalent to 1.36 records per person on the planet, or 32 records per US citizen
- 280 million social security numbers (SSNs) were breached, which is equal to 86.5% of the US population
The startling counts of breached records in the report start to make sense when you consider that over half of the world’s population today is online. Society functions in an online world now where applications are the new storefronts of businesses and in a lot of cases, applications are the business.
Applications are also the gateway to data—both corporate and customer data—which has immense value to attackers, whether their motive is cybercrime, hacktivism, espionage, or warfare. The concern over the safety of applications and data is borne out in a separate report by F5 and Ponemon, The Evolving Role of CISOs and their Importance to the Business in which respondents were asked to rank the top threats to their security ecosystem. On a scale of 1 (minimal impact) to 10 (significant impact), respondents ranked both “insecure applications” and “data exfiltration” at 8.2.
Attacking Applications Directly
One way attackers can get to data is by exploiting applications directly. In fact, applications were the initial target of attack in the majority of breaches, at 53%. Those attacks primarily exploited web application vulnerabilities: injection attacks against various types of forum software at the application services layer, and SQL injection attacks against the backend database.
The obvious takeaway is that these two most commonly exploited application vulnerabilities represent low-hanging fruit for attackers.
Forum software is a favorite target for attackers because it consumes user-supplied content, and if that content is not sanitized properly it can carry a small malicious script that installs a PHP backdoor. Forum makers (as well as CMS providers, whose software has similar issues) consistently publish critical remote code execution vulnerabilities. In turn, attackers automate their recon scans to look for the specific forum software for which they have written an exploit. If you are running forum software with an unpatched critical remote code execution vulnerability, the chances are high that you have already been exploited.
SQL injection, a critical vulnerability that lets an attacker insert SQL syntax into a query and read, modify, or run administrative operations against the backend database, shouldn’t require explanation because it’s been around for decades. It’s a complete and utter InfoSec fail for this to be a top attack root cause. These vulnerabilities are extremely easy for anyone (an attacker, or the company’s security team) to find, and for attackers to exploit.
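To make the root cause concrete, here is an added example (not code from the F5 Labs report or from any forum product) of the login query pattern behind the classic SQL injection: a query assembled by string formatting beside the parameterized version of the same query. The table, rows, and payload are constructed for the demonstration; it runs against an in-memory SQLite database so it needs nothing beyond the Python standard library.

```python
import sqlite3


def make_db():
    """Build a constructed sample users table standing in for a forum's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string formatting: user input becomes part of the SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL
    text, so a quote in the input is data and can never alter the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed payload: the classic tautology. Once it is spliced into the
# vulnerable query the WHERE clause reads
#   username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row, so the first row (the admin) is returned
# without knowing any password.
PAYLOAD = "' OR '1'='1"


def demo():
    """Return (vulnerable_result, safe_result, honest_result) for the same inputs."""
    conn = make_db()
    vulnerable = login_vulnerable(conn, PAYLOAD, PAYLOAD)   # ('alice', 'admin')
    safe = login_safe(conn, PAYLOAD, PAYLOAD)               # None: no such user
    honest = login_safe(conn, "bob", "hunter2")             # ('bob', 'user')
    conn.close()
    return vulnerable, safe, honest


if __name__ == "__main__":
    v, s, h = demo()
    print("vulnerable login with payload ->", v)
    print("parameterized login with payload ->", s)
    print("parameterized login, real credentials ->", h)
```

Parameterization fixes the query-structure problem; it does not by itself limit what a successful injection elsewhere can do, so the database account an application uses should also be restricted to the tables and operations that application actually needs rather than an administrative role.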
Security professionals should expect these types of vulnerabilities to be targets of attack and plan their vulnerability management accordingly.
Getting to Your Data through User Identity Attacks
When the development and security teams have done a good job securing an application, it’s much easier for attackers to get to the data through users who have access to the application and the data within it.
In the cases we researched, identities were the initial attack target in 33% of the breaches. Most of these attacks were attributed to phishing; it turns out tricking a user into giving up their credentials is remarkably easy, despite the industry’s security awareness training efforts. Thanks to social media and consumers’ eagerness to share every aspect of their personal lives (see data collected from various public forums), phishing attacks will remain highly effective for the foreseeable future.