Motivated by fun, greed actually ‘takes a back seat’ in app attacks.
Telecoms giant Verizon has released an extensive security report that reveals almost two out of three web app attacks are driven by lulz rather than by any political or economic motive.
Verizon’s analysis covered more than 63,000 security incidents from 50 corporations in 95 different countries in 2013. Other than web app attacks, Verizon also researched point-of-sale intrusions, physical theft and loss, payment card scammers, and cyber-espionage.
Verizon defines a web app attack as any incident in which a web application is the vector of attack, which includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms.
The top industries susceptible to web app attacks in 2013 were information, utilities, manufacturing and retail.
"Greed takes a back seat to ideology when it comes to web app attacks in the 2013 dataset. Just under two out of every three web app attacks were attributable to activist groups driven by ideology and lulz; just under one out of three came by the hand of financially motivated actors; with the small remainder linked to espionage," reads the report.
"Ideological actors (whether their motivation is social, political, or just for plain fun) are less concerned about getting at the crown jewels than they are about getting a platform (in all senses of the word) to stand on. With that in mind, it’s not surprising that we see two types of results from ideological attackers going after a web server: defacements to send a message or hijacking the server to attack (including by DDoS) other victims."
There were 3,937 web app attack incidents reported in 2013, 490 of which resulted in a confirmed data disclosure.
However, Verizon said the number of actual attacks could be much larger because many incidents go unreported.
"Regrettably, our discussion of this complexity is hampered by the level of detail provided on these incidents. Unless a forensics investigation was performed (a small subset of the overall dataset), the specific techniques utilised went largely unreported or were recorded with broad categorisations.
"While we have enough material to discuss web application data breaches at a high level, our ability to draw conclusions drops as we dig further into the details (which often aren’t there)."
Verizon’s key findings include the fact that "web applications remain the proverbial punching bag of the Internet. They’re beaten in one of two ways: by exploiting a weakness in the application (typically inadequate input validation), or by using stolen credentials to impersonate a valid user.
"Many of the attacks in our 2013 dataset targeted off-the-shelf content management systems (e.g., Joomla!, WordPress, or Drupal) to gain control of servers for use in DDoS campaigns."
When it comes to preventing web app attacks, Verizon advised that the single most dangerous flaw to have is single-factor login.
"The writing’s on the wall for single-factor, password-based authentication on anything Internet-facing. Even though it may draw you out of a known comfort zone, if you’re defending a web application seek out alternatives to this method of identity verification. If you’re a vendor in the web application space, also consider mandating alternative authentication mechanisms for your customers."