Web apps are now one of the top favorite means of attack—if not the absolute favorite—for cyberthieves, based on the latest Verizon Data Breach Investigations Report, which examined 41,686 security incidents, including 2,013 confirmed data breaches. The data came from 73 sources available to the carrier, only seven of which were internal to Verizon, according to the report. It is a widely respected and quoted resource.
How popular were Web apps? It depends on the nature of the attack and the vertical of the target. When reviewing incidents, Web apps were third in incidents for accommodation businesses, but that needs more context. Those 14 web application incidents were outmatched only by 17 incidents of “crimeware” (a catch-all category that Verizon defines as “all instances involving malware that did not fit into a more specific pattern”) and 40 Point-of-Sale incidents. But POS is limited to a small handful of verticals (retail being the most obvious), meaning that it doesn’t even apply to most CISOs’ businesses.
Web apps outpaced cyber-espionage (one incident), privilege misuse (also one instance), miscellaneous errors (five), lost and stolen assets (4), payment card skimmers (zero) and another catch-all category that is literally called “everything else,” which only racked up seven instances. In healthcare, which noted the largest number of incidents, web apps (71) were also among the top attack means, losing out only to privilege misuse (110) and misc. errors (104).
When we move from looking at incidents to actual breaches, web apps were the number one source of access for accommodations, finance, manufacturing, professionals, and retail. For education breaches, it was the second favorite means of attack (24), bested only by misc. errors (35). For healthcare breaches, the 65 web app attacks came in third, behind misc. errors (97) and privilege misuse (85).
But looking at all incidents and breaches across all verticals, no single means of attack ranked as more dangerous than web apps.
Web apps cover a wide range of areas, from internal apps (sometimes homegrown, sometimes not) to enterprise apps (often cloud-based) to networking issues. What is a likely cause? Situations labeled insider attacks can be malicious, accidental or attacks of opportunity. An attack of opportunity often starts as an accident, but once the insider realizes he or she is in the middle of Payroll and can raise his or her own pay along with that of a variety of friends, the insider turns malicious.
“The presence of insiders is most often in the form of errors. These are either by misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers,” the Verizon report noted.
Denial of Service was also a frequently seen attack method, but DoS is rarely about accessing data; it is about forcing the enterprise’s systems to shut down, as a means of punishing the company as part of a cyber attack. That’s a different criminal, with different goals and objectives. Tactics that might prove effective against an identity thief, a cyberthief seeking data or a ransomware attack may do little good when used against someone pushing a DDoS.
The Verizon report offered another worrying web app thought, which is that one type of app attack can lead to other types of attack. “Sixty percent of the time, the compromised web application vector was the front-end to cloud-based email servers,” the report said. That’s important because the report noted that email is the preferred means of social-engineering attacks, typically a method the attacker uses to steal data directly or network/system credentials to engage in a more direct attack later. “It is possible for malware to be introduced via email and, once the foothold is gained, additional malware is downloaded, encoded to bypass detection and installed directly,” the report said.
The report also briefly explored how protected an enterprise is during the time spent actively patching, something Verizon measured as AUC, standing for area under the curve. The report said:
“Quick remediation will result in a higher AUC. The percentage completed-on-time (COT) is the amount of vulnerabilities patched at a pre-determined cut off time. We used 90 days. Your COT metric could be different and it would make sense to have different COTs for Internet-facing devices or browser vulnerabilities and certainly for vulnerabilities with active exploitation in the wild.”
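To make the two metrics in that quote concrete, here is an added worked example (my own illustration, not code from Verizon or the report) that computes the completed-on-time percentage at a 90-day cutoff, a per-class variant with tighter deadlines for Internet-facing assets, browser bugs and actively exploited vulnerabilities, and the area under the remediation curve for a constructed set of findings. The findings, the cutoff values and every function name are assumptions.

```python
"""Worked example of the DBIR patch-timing metrics quoted above: percentage
completed on time (COT) at a cutoff and area under the remediation curve (AUC).
Added illustration, not Verizon's code; the findings, the per-class cutoffs
and all function names are constructed assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset_class: str              # "internet_facing", "browser" or "internal"
    actively_exploited: bool      # exploitation observed in the wild
    days_to_patch: Optional[int]  # None = still open at the end of the window


# Constructed sample: ten findings tracked over one 90-day window.
FINDINGS: List[Finding] = [
    Finding("V-01", "internet_facing", False, 10),
    Finding("V-02", "internet_facing", True, 3),
    Finding("V-03", "browser", False, 20),
    Finding("V-04", "internal", False, 60),
    Finding("V-05", "internal", False, None),
    Finding("V-06", "internet_facing", False, 45),
    Finding("V-07", "internal", True, 12),
    Finding("V-08", "browser", False, 7),
    Finding("V-09", "internal", False, 89),
    Finding("V-10", "internet_facing", False, None),
]

# Assumed policy (days): tighter deadlines for exposed assets and exploited
# bugs, in the spirit of the report's suggestion to use several COTs.
CUTOFFS = {"default": 90, "internet_facing": 30, "browser": 14, "exploited": 7}


def cutoff_for(f: Finding) -> int:
    """Pick the remediation deadline that applies to one finding."""
    if f.actively_exploited:
        return CUTOFFS["exploited"]
    return CUTOFFS.get(f.asset_class, CUTOFFS["default"])


def completed_on_time(findings: Iterable[Finding],
                      cutoff: Optional[int] = None) -> float:
    """Fraction of findings patched no later than the deadline.
    A single cutoff (e.g. 90) applies to every finding; with cutoff=None each
    finding is judged against its own class-specific deadline."""
    fs = list(findings)
    if not fs:
        return 0.0
    on_time = 0
    for f in fs:
        deadline = cutoff if cutoff is not None else cutoff_for(f)
        if f.days_to_patch is not None and f.days_to_patch <= deadline:
            on_time += 1
    return on_time / len(fs)


def remediation_curve(findings: Iterable[Finding], window: int = 90) -> List[float]:
    """Fraction of findings patched by day d, for d = 0 .. window (a step function)."""
    fs = list(findings)
    n = len(fs) or 1
    return [sum(1 for f in fs
                if f.days_to_patch is not None and f.days_to_patch <= d) / n
            for d in range(window + 1)]


def auc(findings: Iterable[Finding], window: int = 90) -> float:
    """Area under the remediation curve, normalised to [0, 1].
    Each day's patched fraction is a unit-width bar: 1.0 means everything was
    closed by day 1, 0.0 means nothing was closed inside the window."""
    curve = remediation_curve(findings, window)
    return sum(curve[1:]) / window


if __name__ == "__main__":
    print(f"COT at 90 days   : {completed_on_time(FINDINGS, 90):.0%}")
    print(f"COT per class    : {completed_on_time(FINDINGS):.0%}")
    print(f"AUC, 90-day window: {auc(FINDINGS):.3f}")
```

The point the report makes is visible in the numbers: two programmes can have the same 100% COT at 90 days, but the one that patches on day 1 scores an AUC near 1.0 while one that patches on day 85 scores close to zero, because the curve measures how long assets stayed exposed, not just whether the deadline was met.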
In considering the impact of a ransomware attack, it is important to understand the way the report defines an “incident.” After acknowledging the major impact that ransomware is still having on enterprises, it defined an incident as “a security event that compromises the integrity, confidentiality or availability of an information asset.” So far so good. It then defined a breach as “an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.”
But a ransomware attack is absolutely a full-fledged breach, even though it may not disclose data to a third party or even necessarily exfiltrate that data. Ransomware can simply encrypt a file without ever reviewing its content. Indeed, given the massive volume of files ransomware attacks typically disable, it wouldn’t make much sense for ransomware attackers to read the contents of those files. Their goal is disabling the company and getting money to restore data access. They’re more extortionists than data thieves.
Another email attack trend that Verizon observed was what some attackers do once they have penetrated email servers.
“There were also numerous cases where an organization’s email accounts were compromised and the adversary inserted themselves into conversations that centered around payments. At this point, the actors are appropriately positioned to add forwarding rules in order to shut out the real account owner from the conversation,” the report said. “Then they simply inform the other recipients that they need to wire money to a different account on this occasion.”
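The forwarding-rule tactic the report describes leaves a trace that defenders can sweep for: mailbox rules that forward to outside addresses, hide the original from the owner, or single out payment-related mail. The following is an added example of such a sweep (mine, not Verizon's, and not any mail platform's real API); it works over a constructed export of inbox rules, and the organisation's domain, the keyword list and the function names are all assumptions.

```python
"""Added defender-side example: flag mailbox rules matching the business
email compromise pattern quoted above. The rule records, INTERNAL_DOMAINS,
PAYMENT_TERMS and all function names are constructed assumptions, not a
real mail platform's API."""
from dataclasses import dataclass, field
from typing import List, Tuple

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organisation's own domains
PAYMENT_TERMS = {"invoice", "payment", "wire", "remittance", "bank", "account"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)  # forward/redirect targets
    conditions: List[str] = field(default_factory=list)  # subject/body keywords
    delete_message: bool = False   # original removed after forwarding
    mark_read: bool = False        # original hidden from the unread view
    enabled: bool = True


# Constructed export: one benign rule, two matching the tactic, one disabled.
RULES = [
    InboxRule("ap.clerk@example.com", "Move newsletters", conditions=["newsletter"]),
    InboxRule("ap.clerk@example.com", "Sync to personal",
              forward_to=["finance.backup@mail-example.net"],
              conditions=["invoice", "payment"], delete_message=True),
    InboxRule("cfo@example.com", "Archive vendor mail",
              forward_to=["ap-archive@example.com"], conditions=["vendor"],
              mark_read=True),
    InboxRule("cfo@example.com", "Old forward",
              forward_to=["someone@mail-example.net"], enabled=False),
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def assess_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like account takeover tradecraft
    (empty list = nothing suspicious). Disabled rules are skipped."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    external = [a for a in rule.forward_to if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if rule.forward_to and (rule.delete_message or rule.mark_read):
        reasons.append("forwards and hides the original from the mailbox owner")
    hits = sorted(t for t in PAYMENT_TERMS
                  if any(t in c.lower() for c in rule.conditions))
    if hits:
        reasons.append("targets payment-related mail: " + ", ".join(hits))
    return reasons


def suspicious_rules(rules: List[InboxRule]) -> List[Tuple[InboxRule, List[str]]]:
    """Every enabled rule that triggered at least one reason, with its reasons."""
    flagged = []
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            flagged.append((rule, reasons))
    return flagged


if __name__ == "__main__":
    for rule, reasons in suspicious_rules(RULES):
        print(f"{rule.mailbox}: rule '{rule.name}'")
        for reason in reasons:
            print(f"  - {reason}")
```

In practice the same checks would run against a scheduled export of rules from the mail platform, and a rule that both forwards externally and deletes or marks-read the original is the one to treat as an active takeover rather than a user convenience.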
A fascinating tidbit that the report explored is whether email risk materially changes depending on the type of device used. Not only does it change but, yes, it’s just what CISOs fear most: the device that is taking on such a high percentage of traffic—mobile—is potentially the least secure.
Users are “significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, as well as attacks via social media. The reasons for this stem from the design of mobile and how users interact with these devices. In hardware terms, mobile devices have relatively limited screen sizes that restrict what can be accessed and viewed clearly. Most smartphones also limit the ability to view multiple pages side-by-side, and navigating pages and apps necessitates toggling between them—all of which make it tedious for users to check the veracity of emails and requests while on mobile.
Mobile OS and apps also restrict the availability of information often necessary for verifying whether an email or webpage is fraudulent. For instance, many mobile browsers limit users’ ability to assess the quality of a website’s SSL certificate. Likewise, many mobile email apps also limit what aspects of the email header are visible and whether the email-source information is even accessible,” the report said. “Mobile software also enhances the prominence of GUI elements that foster action—accept, reply, send, like, and such—which make it easier for users to respond to a request.”
The report continues with its argument that mobile brings with it a wide range of security complexities.
“On the one hand, the hardware and software on mobile devices restrict the quality of information that is available, while on the other they make it easier for users to make snap decisions. The final nail is driven in by how people use mobile devices. Users often interact with their mobile devices while walking, talking, driving, and doing all manner of other activities that interfere with their ability to pay careful attention to incoming information,” the report said. Although “already cognitively constrained, on-screen notifications that allow users to respond to incoming requests often without even having to navigate back to the application from which the request emanates further enhance the likelihood of reactively responding to requests.”
Attacks and attackers are forever things. The specific tactics and targets shift from time to time, though, and it’s critical to match attacker approach changes with appropriately modified defense approaches.
For today, that means restructuring defenses to focus on Web apps and especially on mobile. Given that email still seems to be a top favorite means for cyberthieves and ransomware attackers to get malware into your network, it’s important to note the mobile differences. Email anti-fraud tactics that work reasonably well on laptops can fail miserably on smartphones. As users shift more work efforts to mobile, Security must match that move.