Transcription

1

2

3

4

5

6

7

8

9 Cross-site request forgery Cross-site scripting Man-in-the-browser Session hijacking Malware Man-in-the-middle DNS cache poisoning DNS spoofing DNS hijacking Dictionary attacks DDoS DDoS Eavesdropping Protocol abuse Man-in-the-middle API attacks Cross-site scripting Injection Cross-site request forgery Malware Man-in-the-middle DDoS Abuse of functionality Credential theft Credential stuffing Session hijacking Brute force DDoS Phishing Key disclosure Protocol abuse Session hijacking Certificate spoofing

10 Malware Man-in-the-browser Session hijacking Cross-site request forgery SYN, UDP, and HTTP floods SSL renegotiation DNS amplification Heavy URL Cross-site scripting API attacks Man-in-the-middle Key disclosure Eavesdropping DNS cache poisoning DNS spoofing DNS hijacking Protocol abuse Dictionary attacks Cross-site scripting Injection Cross-site request forgery Malware Abuse of functionality Man-in-the-middle Credential theft Credential stuffing Phishing Certificate spoofing Protocol abuse

11 Injection DNS Hijacking DDoS Cross-site scripting

12 Injection DNS Hijacking DDoS Cross-site scripting

13

14

15 Lessons learned from a decade of breaches prove the App Sec story.

16 Research Scope 433 Cases Analyzed 338 Cases w/ Breached Records Qty 26 Countries 37 Industries Breach cases with any of the following true Confirmed breached data count and type Confirmed attack vector and/or breach root cause Confirmed breach cost to victim organization Confirmed threat actor profits or cost to impacted business

17 Breached Records Scope 10.3B Credentials 3.4B Security Q&A s 1B CC s 550M PHI 280M SSN s 167M Credit Score 36M Minor Data 36M Passports 22M Biometric messages IM identities private messages chat logs web activity political views drinking habits drug habits sexual fetishes age income geographic location payment histories payment methods FAFSA student loan apps beauty ratings fitness level car ownership status account balances net worth financial investments SF-86 form personal data physical attributes sexual orientation buying preferences employers job titles employment histories of current and former customers work habits career levels professional skills

18 Impact of Breaches Assumed BREACH WORLD ATTACKERS HAVE ENOUGH DATA to answer your secret questions Democracy is for CYBER-SALE Password cracking accuracy <6 hrs 92 % Compromised 3 username & passwords per person online 86 % US population equivalent of compromised SSN s

19 Identities are the Keys to Apps 86% APPS OR IDENTITIES Were the initial targets in 86% of breaches

20 Apps are the first target in the majority of breaches Breaches starting at the app have the highest breach costs #1 Target: Apps 29 % Other 24 % ID s 53 % 47 % 22 % INITIAL TARGETS BREACH COSTS RECORDS BREACHED BIGGEST BUSINESS RISK

21 Web application vulnerabilities are the root cause of 38% of breaches #1 Root Cause: Web Application Vulnerabilities 23% SQL INJECTION 52% 38% FORUM VULNERABILITES (Injection) BREACH ROOT CAUSE

22 Identities are the first target in 33% of breaches Breaches starting with identity attacks collect the most data #2 Target: Identities 33 % 24 % 75 % INITIAL TARGETS BREACH COSTS RECORDS BREACHED BIGGEST ATTACKER OPPORTUNITY

23 Identity Crisis 20 % of employees would sell their work password 10 % for less than $1,000

24 14% Unauthorized Access & Cred Stuffing ATTACKERS ARE GOING PHISHING IN OVER STOCKED PONDS. 19% Phishing BREACH ROOT CAUSE

25 Troubling Tidbits Businesses often don t know they are compromised for year or more

26 Troubling Tidbits Passwords are public. We did not find a single case in which passwords were properly hashed. Leaked US spy agency materials wreaked havoc, and this could be our new norm There are so many stolen credit cards for sale that they are only selling for $ a record. Automated verification systems are easily bypassed with stolen data, and Synthetic IDs a.k.a. virtual people are on the rise. Yahoo + Sony databases 59% the same. Re-used online credentials make the attacker reward one to many. Spy agencies target system administrators with phishing attacks powered by social media data.

27

28 Stay Up to Date by Following Us Twitter LinkedIn Updates RSS Learn, download, follow, share. F5Labs.com

29