Virtually every web-based attack (98%) is opportunistic in nature, and aimed at easy targets, according to the 2015 Verizon Data Breach Investigations Report (DBIR).
Unlike a targeted attack, which is perpetrated against a specific victim, an opportunistic attack aims to exploit anyone who happens to be vulnerable. It can be delivered through a variety of methods, such as a phishing campaign, malware or SQL injection, as in the recent case of celebrity chef Jamie Oliver’s website.
The report also found that more than 70% of attacks exploited known vulnerabilities that had patches available, with some exploiting vulnerabilities dating back to 1999.
The Verizon report shows how exposed web applications and software are to known flaws. Once a vulnerability is discovered and publicly disclosed, criminals can exploit it rapidly, and the patching figures above show that many organisations still have not applied the available fix by the time they do.
Vulnerabilities should be assessed frequently to identify whether they apply to your websites and web applications.
Basic cyber hygiene can help prevent up to 80% of cyber attacks. A Cyber Essentials certification can make the difference between being a victim or not. Cyber Essentials requires that companies regularly patch software, scan their applications for vulnerabilities and apply other important security controls, such as malware protection, secure configuration, firewall protection, access control and privilege management.
Track suspicious activity
“If you have a web presence (e-commerce or otherwise) you should be tracking user behaviour and using some form of fraud detection to get an early warning on suspicious behaviour”, the Verizon team has warned.
Verizon offers the following tips for tracking suspicious behaviour:
- “Load balancer logs, web application logs, and database transaction logs.”
- “Get a complete inventory of every component of your web presence and ensure they are all in a regular patch cycle. Three-quarters of web app compromises are opportunistic, so this falls squarely under “the cost of doing business.”
- “To combat Web App Attacks head-on, we recommend strengthening authentication. The use of two-factor authentication for web applications—even by customers—will go a long way toward keeping your organisation from being used and abused.”
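The logging advice above is only useful if something actually reads the logs. The script below is an added illustration, not code from the original article or from Verizon: it parses web-server access-log lines in Combined Log Format, applies a crude SQL injection signature to the decoded request path, and raises early warnings when a single client IP accumulates repeated failed logins or a burst of 404s (the footprint of a scanner probing for easy targets). The log lines, the `/login` path, the thresholds and the signature list are all constructed assumptions for the example; in production you would tune them to your own application and feed the same logic from your load balancer and application logs.

```python
"""Minimal early-warning detector over web access-log lines (illustrative, constructed example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined Log Format: IP ident user [timestamp] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Crude SQL injection signatures, matched against the URL-decoded path and query string.
# These are assumed patterns for illustration; a real WAF or SIEM rule set is far broader.
SQLI_RE = re.compile(
    r"'\s*(or|and)\s+\S+\s*=\s*\S+"      # ' OR 1=1 style tautologies
    r"|union\s+(all\s+)?select"          # UNION-based extraction
    r"|sleep\(\d+\)"                     # time-based blind probes
    r"|;\s*drop\s+table",                # stacked destructive statements
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote_plus(rec["path"])  # decode %27, %20, + etc. before matching
    return rec

def analyse(lines, login_path="/login", fail_threshold=5, notfound_threshold=10):
    """Scan log lines and return a list of (kind, ip, detail) alerts.

    Each threshold alert is emitted once, the moment the count reaches the threshold,
    so a noisy client does not flood the analyst with duplicates.
    """
    alerts = []
    failed_logins = defaultdict(int)
    not_found = defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # in practice: count unparseable lines, they can signal tampering
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if SQLI_RE.search(path):
            alerts.append(("sqli", ip, path))
        if rec["method"] == "POST" and path.startswith(login_path) and status in (401, 403):
            failed_logins[ip] += 1
            if failed_logins[ip] == fail_threshold:
                alerts.append(("credential_stuffing", ip, f"{fail_threshold} failed logins"))
        if status == 404:
            not_found[ip] += 1
            if not_found[ip] == notfound_threshold:
                alerts.append(("scanning", ip, f"{notfound_threshold} 404s"))
    return alerts

# Constructed sample log: one legitimate request, two injection attempts, a password
# spraying run against /login and a directory brute-force from a scanner. Not real data.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2015:13:55:36 +0000] "GET /products?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2015:13:55:40 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 99870 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2015:13:55:44 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 412 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [10/Mar/2015:14:0{i}:00 +0000] "POST /login HTTP/1.1" 401 231 "-" "python-requests/2.5"'
    for i in range(6)
] + [
    f'203.0.113.9 - - [10/Mar/2015:14:{10 + i}:00 +0000] "GET /{p} HTTP/1.1" 404 162 "-" "Nikto"'
    for i, p in enumerate(["wp-admin/", "phpmyadmin/", "admin/", ".git/config", "backup.zip",
                           "config.php.bak", ".env", "cgi-bin/", "manager/html", "xmlrpc.php", "shell.php"])
]

if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LOG):
        print(f"[{kind}] {ip}: {detail}")
```

Run against the constructed sample it reports two injection attempts from 10.0.0.5, one credential-stuffing alert for 198.51.100.7 and one scanning alert for 203.0.113.9. The point is not the signatures, which any attacker can evade, but the per-client counting: the cheap, opportunistic attacks the DBIR describes are noisy, and counting failures per source IP surfaces them long before an individual request looks suspicious.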
Phishing attacks succeed because staff inadvertently click on malicious links in phishing emails. Reduce the likelihood of this happening by educating your staff with an anti-phishing e-learning course combined with a simulated phishing campaign. Measuring click rates before and after the course lets you assess your employees’ awareness of phishing attacks and take remedial action to address any remaining gaps.
You might also want to consider a more advanced level of vulnerability assessment: a penetration test led by an experienced ethical hacker, which combines manual testing with automated vulnerability scans to ensure that every corner of your web applications is tested, including the logic flaws that scanners alone cannot find.