Facts about Web Application Hacking
Verizon Business conducted a 2009 study of 90 Web data breaches. The results of this study were presented in The Data Breach Investigative Report (DBIR) and included the following facts and figures:
- 285 million data records were exposed in the 90 data breaches, the equivalent of 9 exposures each second. This significantly exceeds the combined 230 million exposed records in the previous 5 years of this study.
- Organized crime was responsible for 90% of all compromised data records that were used in a crime.
- 74% of data breaches were initiated by external attacks.
- 64% of data breaches are enabled by a combination of events. Hacking, malware, SQL injection and other forms of attack may all come into play in a single data breach.
Matthijs van der Wel, Verizon Business Security Solutions forensics manager, described a typical data breach scenario. “The end user makes a mistake. The attacker takes advantage of some mistake committed by the victim company, hacks into the network, perhaps using an SQL injection attack, and installs malware on a system to collect data.”
Reported in PC World, April 18, 2009
The 2009 Web Hacking Incident Database (WHID) Annual Report includes these facts:
- Web 2.0 sites are the primary target for hackers. 19% of all attacks target these sites.
- Website defacement takes place in 28% of web attacks.
- Loss of sensitive data takes place in 26% of web attacks.
- Changes to website content take place in 19% of web attacks.
The most common attack methods are:
- SQL injection. Query commands are typed into Web input fields or URLs in order to access internal data or plant malware that will infect site visitors.
- Cross-site scripting. Allows malicious code or data to be transferred from another site, exposing users to the risk of a data breach.
The top motivations for Web application hackers:
- Website defacement, which results in unauthorized changes to Web applications, is the top motivation for hackers. This includes changes to the appearance of a website as well as the planting of malware (malicious code). Website malware is replacing malicious e-mail as the distribution vehicle for computer viruses and Trojans.
- Ideological defacement is the next top motivation for website attacks. Hackers change the appearance of websites to reflect their own beliefs, usually either political or religious in nature. This may or may not result in monetary loss, but is still dangerous because it reveals website vulnerabilities.
The most targeted categories of hacked Web applications:
- Social networking sites such as Twitter and Facebook were the most attacked category of websites in 2009. The motivation was malware injection and ideological defacement.
- Retail, Media, Technology and Internet-related organizations were the next most-attacked category of Web applications. This includes e-commerce websites, retail shops, ISPs (internet service providers) and search engines. The motivation of attacks in this category is often theft of secure data.
- Law enforcement, government, political and financial websites saw a drop in the incidence of attacks in 2009. This most likely reflects improved security measures which are being taken by these organizations.
The Data Breach Investigative Report summarizes its findings with this statement:
“While researchers are exploring ever more advanced attacks such as CSRF, hackers are still successfully exploiting the most basic application layer vulnerabilities such as SQL injection or information left accidentally in the open.”
The unfortunate reality is that some of the most frequently visited Web applications – those that perform retail and e-commerce functions – are still not protected against the most common and well-known attack methods.