[Figure residue: word cloud of attack types shown on the slide: cross-site request forgery, cross-site scripting, man-in-the-browser, session hijacking, malware, man-in-the-middle, DNS cache poisoning, DNS spoofing, DNS hijacking, dictionary attacks, DDoS (SYN, UDP and HTTP floods, SSL renegotiation, DNS amplification, heavy URL), eavesdropping, protocol abuse, API attacks, injection, abuse of functionality, credential theft, credential stuffing, brute force, phishing, key disclosure, certificate spoofing.]
Lessons learned from a decade of breaches prove the App Sec story.
Research Scope: 433 cases analyzed; 338 cases with a breached-records quantity; 26 countries; 37 industries.
Breach cases were included when any of the following was true: confirmed breached data count and type; confirmed attack vector and/or breach root cause; confirmed breach cost to the victim organization; confirmed threat actor profits or cost to the impacted business.
Breached Records Scope: 10.3B credentials; 3.4B security Q&As; 1B CCs; 550M PHI; 280M SSNs; 167M credit scores; 36M minor data; 36M passports; 22M biometric.
Other data types found in the breached records: email messages, IM identities, private messages, chat logs, web activity, political views, drinking habits, drug habits, sexual fetishes, age, income, geographic location, payment histories, payment methods, FAFSA student loan applications, beauty ratings, fitness level, car ownership status, account balances, net worth, financial investments, SF-86 form personal data, physical attributes, sexual orientation, buying preferences, employers, job titles, employment histories of current and former customers, work habits, career levels, professional skills.
Impact of Breaches: an assumed-breach world. Attackers have enough data to answer your secret questions. Democracy is for cyber-sale. Password cracking accuracy in under 6 hours: 92%. Compromised usernames and passwords per person online: 3. Compromised SSNs equivalent to 86% of the US population.
Identities are the Keys to Apps: apps or identities were the initial targets in 86% of breaches.
#1 Target: Apps. Apps are the first target in the majority of breaches, and breaches starting at the app have the highest breach costs (biggest business risk). Chart values: initial targets 53% apps; breach costs 47% apps, 24% IDs, 29% other; records breached 22% apps.
#1 Root Cause: Web Application Vulnerabilities. Web application vulnerabilities are the root cause of 38% of breaches. Chart labels: 23% SQL injection; 52% forum vulnerabilities (injection); 38% web application vulnerabilities as breach root cause.
#2 Target: Identities. Identities are the first target in 33% of breaches, and breaches starting with identity attacks collect the most data (biggest attacker opportunity). Chart values: initial targets 33%; breach costs 24%; records breached 75%.
Identity Crisis: 20% of employees would sell their work password, 10% for less than $1,000.
Breach Root Cause: 14% unauthorized access and credential stuffing; 19% phishing. Attackers are going phishing in over-stocked ponds.
Troubling Tidbits
Businesses often don't know they are compromised for a year or more.
Passwords are public: we did not find a single case in which passwords were properly hashed.
Leaked US spy agency materials wreaked havoc, and this could be our new norm.
There are so many stolen credit cards for sale that they are only selling for $0.0003 a record.
Automated verification systems are easily bypassed with stolen data, and synthetic IDs (a.k.a. virtual people) are on the rise.
The Yahoo and Sony databases are 59% the same; re-used online credentials make the attacker's reward one-to-many.
Spy agencies target system administrators with phishing attacks powered by social media data.
Learn, download, follow, share: F5Labs.com