SQL injection attacks and malware, not zero-day flaws or insiders, will be the main sources of data breaches and the biggest security risks for business in 2010.
“Today's threat landscape is focused on the Web, not networks as in years past,” says Jeremiah Grossman, founder and CTO of White Hat Security.
“Whether it's corporate users having the Web browser exploited or malicious attackers compromising commerce-based Web sites - those are the two areas most at risk to loss.”
He adds: “The most reported security vulnerabilities are located in Web applications and malware is predominately distributed by end-users when they visit legitimate Web sites that have been hacked and loaded with drive-by-download browser exploits.”
What has changed in the past year is how these vulnerabilities are being used, according to Saumil Shah, CEO and founder of NetSquare Solutions.
“A few years ago, SQL injection attacks were used to harvest massive amounts of data from Web sites' databases. While this still happens today, SQL injection is now largely used to inject malicious JavaScript code into the contents of Web sites.”
In fact, according to Verizon's Data Breach Incident Report, SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of the cases investigated in 2009 that involved hacking.
This is confirmed by 7Safe's recently released Breach Report for 2010, which states that, based on analysis from its forensic investigations, 40% of all the attacks relied on SQL injection, with another 20% a combination of SQL injection attacks and malware.
Not only was the source of the attack external in 80% of the cases, but a weakness in a Web interface was exploited in 86% of the cases, with the majority of affected companies operating in a shared hosting environment.
Trustwave's Global Security Report for 2010 offers similar insights related to the use of SQL injections for obtaining unauthorised access to payment card information. The report also details the most common types of malware that contributed to the loss of customer data, stating that in 54% of the cases, the attackers harvested the data in transit.
According to Shah, the attack focus has definitely shifted. “Attacks targeted towards a particular organisation are fewer in number, or rather, they have been overshadowed by the sheer numbers game of attacking individual users. The focus now is on visitors coming to the Web site, and getting attacked and infected with malware, instead of compromising the Web site's back end.”
Grossman adds: “The main attack vectors used in the Aurora attacks, which affected Google, Adobe, Yahoo and many others, were targeted reconnaissance using social networks and Web browser exploits.
“In fact, just after President Obama's State of the Union address, Web site defacement was used to target 49 US House of Representatives members. Also, SQL injection of a Web application was the main attack vector used in the largest credit card breach ever, affecting Heartland Payment Systems.”