Security breaches largely come from web and apps attacks—F5 Labs Report

New research by F5 Labs found that web and applications attacks are the largest cause of security breaches (30 percent), with an average reported cost of close to US$8 million per breach. It also found that a typical organization runs 765 web applications, with 34 percent of them considered mission-critical.

The research titled “Protecting Applications 2018 Report” used data gathered from Loryka and WhiteHat Security. It provides analysis of the current threat landscape, detailed research stats and steps to secure applications to protect users and data.

According to the research, credential theft, DDoS attacks, and web fraud are the top three attacks that are the most devastating to organizations represented in the global study.

Sixty-nine percent of respondents in China and India are most concerned about DDoS attacks.
Asia Pacific region accounted for 17 percent of DDoS attacks in 2017, with a spike from Q4 2017 to Q1 2018.

The report also showed that 13 percent of all web app breaches in 2017 and 1Q 2018 were access-related.

Some of the top categories include credentials stolen via compromised email (34%), access control misconfiguration (23%), brute force attacks to crack passwords (5%), credential stuffing from stolen passwords (9%), and social engineering theft (3%).

The report also mentioned that injection vulnerabilities or weaknesses that have not yet been exploited are prevalent. These composed 17 percent of all discovered vulnerabilities in 2017.

Injection attacks allow an attacker to insert commands or new code directly into a running application with malicious intent.
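To make the definition above concrete, here is an added example (not code from the F5 Labs report or from F5) showing the weakness side by side with its fix. It uses a constructed in-memory SQLite table and a made-up `users` schema; the function and variable names are the author's own assumptions. The vulnerable version builds the SQL text by string concatenation, so user input can change the structure of the query; the safe version passes the input as a bound parameter, so it can only ever be compared as data.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the report).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_email_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so the input can alter
    # the query itself: this is the injection weakness the report counts.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    # Parameterised query: the statement and the value travel separately,
    # so the input is always treated as a literal string to compare against.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed input that closes the quoted literal and appends a
    # tautology; with concatenation it turns the lookup into "return all rows".
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_email_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_email_vulnerable(conn, hostile),
        "safe_benign": lookup_email_safe(conn, benign),
        "safe_hostile": lookup_email_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running `demo()` shows the difference directly: both functions return Alice's address for the benign input, but only the concatenating version leaks every row for the hostile input, while the parameterised version simply finds no user with that literal name. The same principle (keep untrusted data out of the command syntax, whether SQL, shell or LDAP) is what a code review or static-analysis check for injection weaknesses should enforce.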

The report also defined two types of “attackers”—opportunists and targeted attackers.

Opportunist attackers keep their ROI high by keeping costs low. They use a spray-and-pray approach to sweep the Internet looking for easy pickings. These attackers come at you with canned exploits and known methods. If rebuffed, they quickly move on to the next target.

Targeted attackers choose their targets carefully. Their goal could be espionage or a high payoff, but it’s likely that once you’re in their sights, they’re coming after you. Though less prevalent, such attackers are generally more motivated.

For organizations to improve their security, the report recommended the following steps:

Understand your environment: Know what applications you have and what data repositories they access.

Reduce your attack surface: Attackers will probe any part of an application service that is visible on the internet for possible exploitation.

Prioritize defenses based on risk: Know which applications are important and minimize the attack surface by identifying applications that need additional resources.

Select flexible and integrated defense tools: Have a good but manageable selection of flexible, powerful solutions to cover controls for prevention, detection, and recovery from existing and emerging threats.

Building a solid application defense strategy requires understanding each app and its areas of vulnerability, assigning an appropriate level of risk to the app according to the value of the data it contains, and taking a holistic view to securing applications based on their vulnerabilities, threats, and level of risk.