Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

The state of Internet security

How do hackers choose their targets?

Article comments

While security vulnerability research can expose technical weaknesses that may be exploited, incident research provides in-depth information about the most common targets, motives and attack vectors of modern hackers.

And where better to turn for a sense of where we stand today than the Web Hacking Incidents Database (WHID). Analysis of WHID reveals that in 2009 social networks were at the greatest risk, malware and defacement remained the most common outcome of web attacks, and SQL injection was the most common attack vector. Here’s a deeper dive on the findings and what you can do about them.

Perhaps not surprisingly, analysis of web hacking incidents reveals that social network sites such as Twitter and Facebook are becoming premier targets for hackers. One in five incidents (19%) between January and June 2009 targeted social network sites, making them the most commonly attacked market.

Many attacks on social networks involve cross-site scripting (XSS) worms. Additionally, insufficient anti-automation controls permit hackers to brute force attack login credentials. In one incident, an attacker accessed a Twitter Admin account that had a password reset tool and compromised 33 high profile accounts, including President Obama’s.

Web attacks are driven by crime. Most occur because the hacker wants money, not glory. However, in some instances, the attacks are performed by professionals seeking to advance a cause.

In 2009, defacement of websites was still the number one driver for web hacking (28%). Defacement includes visible changes and covert changes, such as the planting of malicious code. Criminals exploit web application vulnerabilities to plant malware that subsequently infects clients who visit the website. The hacked sites become the hacker’s primary method of distributing viruses, Trojans and root kits.

On the other end of the spectrum, ideologists use the Internet to express themselves using web hacking to deface websites. The majority of defacement incidents are of a political nature, targeting political parties, candidates and government departments, typically with a specific message related to a campaign.

Web defacements are a serious problem and a critical barometer for estimating exploitable vulnerabilities in websites. Defacement statistics are valuable since they are one of the few incidents that are publicly facing and thus cannot be easily swept under the rug.

SQL injection tops attacks

SQL Injection remains the number one attack vector, accounting for nearly one-fifth of all security breaches (19%). These attacks alter the contents of the backend database and inject malicious JavaScript. Interestingly, the overall attack more closely resembles a XXS methodology, as the end goal of the attack is to have malicious JavaScript execute within victim’s browsers to steal login credentials to other web applications.

Attack vectors exploiting Web 2.0 features, such as user-contributed content from social media applications, are also commonly employed: authentication abuse is the second most active attack vector (11%), and cross site request forgery (CSRF) rose to number five (5%).

While not a new attack vector, attacks that take advantage of insufficient authentication are increasingly severe due to the proliferation of user-contributed and managed websites. This is closely related to CSRF, a vulnerability that was recognized several years ago as a potentially potent attack vector. While it took longer for CSRF to appear than expected, the rise in CSRF incidents is in line with authentication abuse since it provides an alternative mechanism for performing actions on behalf of a victim.

The trinity of trouble

Regardless of the target, motive or vector, web attacks seek to exploit the connectivity, complexity and extensibility of the Internet. A lack of input validation, poor database configuration and the priority of new features over security enables hackers to access sensitive information.

The connectivity of the Internet is a blessing and a curse. HTTP is allowed through virtually every network firewall, opening up the network to external attackers. HTTP is also a very open protocol, which often integrates XML and SOAP inside to help facilitate web service functions. The explosion of Web 2.0 architectures has shattered the traditional network boundaries, making it even more challenging to secure web input and output.

Underscoring these issues is the fact that many internal databases are now becoming “webified” and accessible to external users. Properly configured databases and SQL construction is critical. Developers that are not trained in secure coding put too much trust in user input. It is this lack of input validation that enables mass SQL injection bots to successfully attack databases.

Finally, the extensibility of web applications leads to greater vulnerabilities since the priority of features usually comes before security. All too often “scope creep” comes into play as new widgets, bells and whistles are added in the midst of the software development life cycle. These additions should require a security review, but this rarely happens. A common complaint heard by web application security professionals is that implementing security to an application under development is like trying to change a tire on a car that is still moving.

Weathering the storm

It is not enough to know about these incidents and risk factors, you must also understand how to protect the integrity of web applications. If you know a hurricane is approaching, it is irresponsible not to shutter your house. Likewise, if you know web security incidents are occurring, it is irresponsible not to protect the website.

An effective web security strategy should be able to correlate web activity to the responsible user, as well as detect abnormal actions. Additionally, poorly coded applications that are not functioning properly or are leaking sensitive information must be identified. Finally, operations, security and development teams should be able to quickly conduct proper incident response by utilising operation data to trouble shoot problems and remediate identified vulnerabilities.

Companies with these security strategies can be assured they are running a safe and secure site.


Share:

More from Techworld

More relevant IT news

Comments

J Star said: I could not agree more with this article People treat software security like black magic though the reason to the huge amount of security breaches is extremely simple increased software comlexity and unbelievably poor quality Multinational companies not just do not care about quality at all but instead of building quality applications they create statistics to prove that all software is unsafe as if this was the law of nature and so their software is not worst than any other software




Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *