Many years ago, most web hacking attempts were launched by sophisticated cybercriminals, or at the very least by highly talented amateurs using complex methods and tools. While this meant such attacks could be more difficult to prevent, they were usually limited in number and aimed at larger corporations with very large potential rewards, such as corporate espionage.
Today the information security status quo has changed. This is because of the still-growing pervasiveness of the Internet, the increasing use of web-based applications, and most importantly, the proliferation of sophisticated and/or automated web hacking tools.
Verizon Enterprise’s 2013 Data Breach Investigations Report (DBIR) contains detailed analyses of 47,000 reported security incidents and 621 confirmed data security breaches from companies of all sizes.
78% of successful security intrusions were simple to pull off
According to the 2013 DBIR, these forms of attack required no special skills or resources to perform. In fact, only 1 out of 621 confirmed breach cases used highly sophisticated hacking methods at all! Consider also that 75% of all attacks were opportunistic in nature, i.e. there was never a specific target, just an easy one.
The majority of data breaches and website hacks succeed using simple methods because anyone can easily acquire an automated vulnerability scanning tool and let it passively scan the entire internet for security weak points to exploit. Once an easily exploitable vulnerability is found (e.g. weak passwords, open unsecured ports, Layer 2 protocol weaknesses, POS terminal vulnerabilities), the hacker can use another sophisticated hacking tool to breach that company’s security in minutes or seconds.
In fact, security professionals use similar tools to help customers quickly find security weaknesses in their own networks and websites. While such tools in the wrong hands can certainly be used for malicious purposes, they are also extremely helpful for finding unknown security flaws and detecting vulnerabilities that could otherwise be exploited by a hacker.
Yes – a hacker is still interested in attacking your small business website
It is a common logical fallacy to assume that only big companies are at risk of having their website hacked. The truth is that businesses of any size can – and do – have their web security breached by cybercriminals every single day.
For example, according to Verizon’s research, 22% of reported attacks occurred in companies with fewer than 100 employees, while the largest corporations with 10,000 to 100,000+ employees account for only 19% of all attacks (when the number of employees is known). This means that medium-to-large enterprises still tend to be the juicier target, but hackers still routinely attack smaller business websites.
The reason for this is simple: smaller businesses have (understandably) fewer resources to purchase sophisticated security technology and/or tend to be more lax with their security standards. This means that small businesses can be a very appealing target, simply because there are vastly more businesses to target in the first place, and the hacker has a greater chance of succeeding multiple times using automated hacking tools.
Other key information and web security facts you should know:
- The majority of data breaches take minutes or hours to succeed (84% of cases)
- Most successful data breaches take months or years for victims to discover (66% of cases)
- 1 in 10 data / website hacks are discovered by a customer, 34% are discovered by a 3rd party, and only 13% of cases are discovered by the affected company.
While the sophistication of information security and website hacking attacks is growing, the majority of these security risks can be easily remedied. As long as you are aware of what vulnerabilities exist, and you take the time and effort to fix these issues – the majority of amateur hackers and “script kiddies” will look elsewhere for an easier target.
Since the main motivation of a hacker is usually financial (75% of cases), it is simply not worth the time and effort to use more sophisticated methods to break into a website that has fixed its low-level security vulnerabilities. This does still leave you vulnerable to determined and targeted attacks, but even the bare minimum effort will go a long way toward dramatically improving your website and web application security.
Businesses and organizations can also leverage professional tools (such as a commercial vulnerability scanner) to mitigate these risks. A sophisticated website application scanning tool can, for example, not only find the common and easily fixable vulnerabilities, but can also help you quickly find the more complex issues that could be exploited in a more sophisticated attack.
Ultimate lesson to be learned today: find out where you’re vulnerable so you don’t become just another statistic.