Web application attacks are highest external threat
Businesses are at increasing risk of compromise as the result of a web application attack, as the volume of attacks continues against a background of slow fixes and low awareness.
Web application attacks are increasingly the weapon of choice for criminals, but businesses are rarely aware of or responding to the threat in a timely manner. A new report makes this clear, with one of the most egregious examples being the healthcare industry.
According to Veracode research, approximately 97 per cent of healthcare industry Java applications contained at least one component with a known vulnerability, often an open source or third-party component, creating widespread, unmanaged risk. The healthcare industry now has the lowest vulnerability fix rate and second-lowest OWASP (Open Web Application Security Project) pass rate.
This makes particularly disturbing reading against a background of high-volume web application attacks. The Global Threat Intelligence Report (GTIR) from Dimension Data (NTT group) for 2015 found that web application attacks represented the second highest volume of attacks overall, and the highest external threat, accounting for 15 per cent of attacks in 2015, holding their percentage position from the year before.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “The easiest and fastest to hack, insecure web applications are becoming the major threat across the Internet. Aggravated by weak web server configuration and unreliable SSL/TLS encryption, vulnerable web applications are actively exploited by cybercriminals to conduct APTs against multinationals and governments, as well as to extort ransom from individuals or SMBs.”
The GTIR found that the highest volume of attacks overall was ‘Anomalous activity’, a category including privileged access attempts, exploitation software, and other unusual activity, which represented the most common type of attack and jumped from 20 per cent of all attacks in 2014 to 36 per cent during 2015.
The figures gel with independent research undertaken by High Tech Bridge, which found that an astonishing 60 per cent of web services or APIs designed for mobile applications contain at least one high-risk vulnerability allowing database compromise.
The Dimension Data report analysed the volume and types of identified vulnerabilities, as well as their ages, and found that more than 79 per cent of identified vulnerabilities were disclosed within the past three years, meaning nearly 21 per cent of the vulnerabilities were more than three years old. Continuing the trend from previous years, in which old vulnerabilities remain in client environments, more than 12 per cent of vulnerabilities observed were more than five years old. In some cases, vulnerabilities were as much as 16 years old, and more than 5 per cent of vulnerabilities were more than 10 years old.
This trend has also been picked up by Gartner, which has predicted that through 2020, an incredible 99 per cent of vulnerabilities exploited will continue to be ones known to security and IT professionals for at least one year. The Dimension Data report found concrete evidence to support this, with the top 10 internal vulnerabilities accounting for more than 78 per cent of all internal vulnerabilities during 2015, and all of these top 10 internal vulnerabilities were directly related to outdated patch levels on the target systems.
Dimension Data also highlighted an increase in SQL injection attacks throughout 2015, with 24 per cent of web application attacks during 2015 being injection-based. This popularity is likely due to their simplicity and effectiveness, making them a cost-effective choice for criminals. High-Tech Bridge’s research in early 2016 took this a step further, finding that there is often a relationship between vulnerabilities: when a given website is vulnerable to XSS, in 35 per cent of cases it is also vulnerable to more critical vulnerabilities, such as SQL injection, XXE or improper access control. The researchers also found that high-risk vulnerabilities, such as SQL injections, are now being used for RansomWeb attacks five times more frequently than in 2015. Unfortunately, in the face of increasingly sophisticated ‘chained attacks’, many businesses are abandoning WAF integration with automated scanning tools due to a high rate of false positives.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “In the near future, we can expect a significant and continuous growth of RansomWeb attacks against website owners, and Ransomware attacks against website visitors. Actually, ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing. Web Application Firewalls don’t work in isolation from other security technologies anymore. Web application security requires a comprehensive approach, including Secure Software Development Lifecycle (S-SDLC), continuous monitoring, and regular manual or hybrid web security testing to complement automated vulnerability scanning.”