We Got Hacked? How Did That Happen?
There’s an interesting article on Threatpost’s Tumblr showing a graphic of 2011 attacks, their impact, and the attack type.
The data was taken from the latest Verizon Data Breach report for 2011, which you should read if you haven’t already. Great stuff. There are a few observations to take away from this graphic regarding Application Security:
- SQL Injection is still popular
- Where are the other AppSec attacks?
- In many of the breaches, the attack vector is “Unknown”
SQL Injection is Still Popular
SQL Injection has been the long-running king of many top vulnerability lists, and there doesn’t seem to be any threat to the throne. SQL Injection is no doubt one of the nastiest appsec vulnerabilities, but it’s sad that SQL Injection is still such an issue. SQL Injection isn’t new; it’s been around for a long time. Why can’t we kill this one bad vulnerability? Focus. Critical vulnerabilities do get the main focus, but our software assurance programs focus on holistic approaches. I think we may need to change that. Don’t stop the holistic approach, but as the AppSec community we should make 2012 the year that SQL Injection got its face stomped in. All AppSec people should put a special emphasis on identifying and fixing just SQL Injection. If you’re reading this and you have influence over AppSec, let’s focus just on SQL Injection.
Where are the other AppSec attacks?
SQL Injection is the only pure AppSec attack vector mentioned in this graph. URL Tampering and “3rd Party Software” might have some AppSec context, but it’s hard to tell. We all know that there are a significant number of application attacks. I’m curious to know if XSS was used in any of the phishing attempts. Phishing gets interesting when you can include a link to the target’s own company web site. Are we just missing those parts of the attacks? That leads me into:
In many of the breaches, the attack vector is “Unknown”
The number of “Unknown” attack vectors here is a little troublesome. Of course, we have to assume some of the unknowns are there because the attack vector hasn’t been announced. Some of them, though, are there because our ability to monitor our infrastructure and applications is pretty low. Organizations have spent tons of money and time implementing firewalls, IDS, IPS, SIEM, etc., yet we still don’t always know how the attackers get in. From the application security standpoint, I can honestly say our understanding of what’s going on inside of applications is very limited. Most developers think that log files are places to stick stack traces when something breaks. Log files should be so much more. They should log sensitive user activities, access to data, errors, and security events. After an attack, looking through error logs might tell us a little about how the attacker got access to data. It usually doesn’t tell us what data was compromised. We need more visibility into our applications so we can tell normal traffic from abnormal traffic, attack activity, and what data is being accessed.
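As an added illustration of the kind of application logging argued for above (example code, not from the post): the application writes one JSON security event per line for logins, rejected input and every record read, so that after an incident you can answer both “what data did this actor touch?” and “which actors looked abnormal?”. The event schema, field names, actors and timestamps are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample security-event log: one JSON event per line, written by the app itself.
SAMPLE_LOG = """\
{"ts":"2011-11-02T09:00:01","event":"login","actor":"alice","outcome":"success"}
{"ts":"2011-11-02T09:00:09","event":"data_access","actor":"alice","table":"customers","record":"c-1001"}
{"ts":"2011-11-02T09:07:40","event":"data_access","actor":"alice","table":"customers","record":"c-1002"}
{"ts":"2011-11-02T09:15:00","event":"login","actor":"svc_reports","outcome":"success"}
{"ts":"2011-11-02T09:15:02","event":"input_rejected","actor":"svc_reports","field":"order_id","reason":"sql_metacharacters"}
{"ts":"2011-11-02T09:15:03","event":"data_access","actor":"svc_reports","table":"customers","record":"c-1001"}
{"ts":"2011-11-02T09:15:03","event":"data_access","actor":"svc_reports","table":"customers","record":"c-1002"}
{"ts":"2011-11-02T09:15:04","event":"data_access","actor":"svc_reports","table":"customers","record":"c-1003"}
{"ts":"2011-11-02T09:15:04","event":"data_access","actor":"svc_reports","table":"customers","record":"c-1004"}
"""

def parse_log(text):
    """Parse JSON lines into event dicts with 'ts' as a datetime, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])

def records_accessed_by(events, actor):
    """Answer 'what data did this actor touch?' as sorted (table, record) pairs."""
    return sorted({(e["table"], e["record"]) for e in events
                   if e["event"] == "data_access" and e["actor"] == actor})

def flag_abnormal_actors(events, window=timedelta(seconds=60), max_records=3):
    """Flag actors that read more than max_records distinct records inside one
    window, or that read data after the app rejected hostile input from them."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        reasons = set()
        reads = [e for e in evs if e["event"] == "data_access"]
        for i, first in enumerate(reads):
            in_window = {r["record"] for r in reads[i:] if r["ts"] - first["ts"] <= window}
            if len(in_window) > max_records:
                reasons.add("bulk_read")
        if reads and any(e["event"] == "input_rejected" for e in evs):
            reasons.add("rejected_input_then_read")
        if reasons:
            flagged[actor] = sorted(reasons)
    return flagged
```

With the sample log, alice’s two reads seven minutes apart are left alone, while svc_reports is flagged for both reasons and the exact customer records it read are recoverable from the same log.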