Web developers are still not closing all the security holes in their applications, a new vendor study suggests.
In its 10th annual Global Security Report, (registration required) which looks back at 10 years of analyzing customer data and breaches, Trustwave said all of the of Web applications its researchers tested showed at least one vulnerability. The average had 11.
The overwhelming majority — 85.9 per cent — of Web application vulnerabilities involved session management allowing an attacker to eavesdrop on a user session to commandeer sensitive information.
The report was released today.
Among other findings:
- Web attacks becoming more targeted. Many breach incidents show signs of careful preplanning by cybercriminals probing for weak packages and tools to exploit. Cross-site scripting (XSS) was involved in 40 per cent of attack attempts, followed by SQL Injection at 24 per cent, Path Traversal at seven per cent, Local File Inclusion (LFI) at four per cent and Distributed Denial of Service (DDoS) at three per cent.
- Malware using persistence techniques.. Although 30 per cent of malware examined used obfuscation to avoid detection and bypass first-line defenses, 90 per cent used persistence techniques to reload after reboot.
- Service providers are now in the crosshairs. “Of great concern is a marked increase, at 9.5 per cent — in compromises targeting providers of IT services including Web-hosting providers, POS integrators and help-desk providers. A compromise of just one provider opens the gates to a multitude of new targets, the report notes. In 2016, service provider compromises did not register in the statistics.
- Compromise and environment type matters. Half of the incidents investigated involved corporate and internal networks (up from 43 per cent in 2016) followed by e-commerce environments at 30 per cent. Incidents impacting point-of-sale (POS) systems decreased by more than a third to 20 per cent of the total.
- Social engineering tops methods of compromise. In corporate network environments, phishing and social engineering at 55 per cent were the leading methods of compromise, followed by malicious insiders at 13 per cent and remote access at nine per cent. “This indicates the human factor remains the greatest hurdle for corporate cybersecurity teams,” says the report. CEO/ business executive fraud, a social engineering scam encouraging executives to authorize fraudulent money transactions, continues to increase.
- Malware using persistence techniques. Although 30 per cent of malware examined used obfuscation to avoid detection and bypass first line defenses, 90 per cent used persistence techniques to reload after reboot.
“As long as cybercrime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data,” said Steve Kelley, the company’s chief marketing officer. “Security is as much a ‘people’ issue as it is a technology issue. To stay on par with determined adversaries, organizations must have access to security experts who can think and operate like an attacker while making best use of the technologies deployed.”
The report has a wide range of data on compromises and vulnerabilities across many industries.
It also reminds CISOs that the personal touch is still used in some attacks, particularly against hotels and restaurants, in what it calls telephone-initiated spear phishing. “The caller, who often was associated with the Carbanak-targeted attack group, would complain about being unable to make a reservation on the victim’s website and ask to email his details to the staff member. The attacker then emailed a message with a malicious file attached, waited until the victim confirmed they opened the attachment and then hung up the phone.”
Passwords and password management continue to be a weak spot in many enterprises. In one case last year, the report says, an attacker gained remote access to an organization
by exploiting a default administrator account for specialist software. Although the compromised account had minimal privileges, a weak password allowed the attacker
to gain control of a local administrator account. Worse, the same account and password was on every workstation within the environment, and event logs showed the attacker accessing multiple systems using the account. “Surprisingly, although the attacker had access to all data in the environment, including sensitive financial and customer
information, all they did was install ransomware.”