What a year it has been so far. With millions of records stolen and thousands of dollars spent in covering from breaches and downtime, what do we get to learn security lapses this year? Indusface brings you the most influential security numbers from this year, so far.

Data Breaches

1. More than 27 million records were stolen in 622 breach incidents until now.

2. Over 43% of all data breaches targeted the business sector.

3. ADP, one of the largest provider of human resources management software and services, faced the biggest breach that affected 640,000 companies. Hackers were able to access users’ personal data through the vulnerable customer portal.

4. The average consolidated total cost of a data breach is $4 million; this includes the cost of lost business, brand reputation damage, and so forth.

5. This year’s average cost incurred for each lost or stolen record has jumped to $158 as opposed to $154 last year.

Observations: In just eight months, global companies have lost more than 27 million personal records. Businesses are definitely at higher risks due to financial and rivalry incentives in the sector. They need powerful mechanisms to secure their data. Every publically-declared breach leads to loss of business and reputation damage.

Layer 7 DDoS Attacks

6. Today, browser-based bot DDoS attacks can bring down an average server down with less than 1000 requests in a second.

7. In most of the recent attacks, security experts have found that the bots are capable of accepting cookies and even execute JavaScript to mimic human behavior.

8. The cost of application DDoS attack is going down significantly in the last few years.

9. It can take up to 15 employees to mitigate DDoS attacks.

10. Application-layer DDoS can also last for days.

Observations: Traditionally, companies were wary of only the Layer 4 (Network) Distributed denial-of-service attacks. However, Layer 7 (Application) DDoS has emerged as a prominent automated attack threat that abuses limitations in server-application memory and performance. In fact, it does not require the same level of skill or resources like the network layer.

Website Security Scan, WAF, and Layer 7 DDoS Protection in Trial

Application Layer Vulnerabilities

11. SQL Injection is the most common ‘Critical’ vulnerability found by Indusface Web Application Scanning.

12. Amongst ‘High’ severity vulnerabilities, 91% were Cross-Site Scripting.

13. SANS Institute’s State of Application Security 2016 reports Java and .Net as the riskiest languages for the number of vulnerabilities found in them.

14. It also claims that 25% businesses take 8 to 30 days to patch a vulnerability.

15. And only 13% use virtual patching while 51% wait until finding the root cause and then patching it there.

16. Mere 11% companies are satisfied with speed of their vulnerability repair.

17. 38% respondents chose lack of appsec skills, tools and methods biggest challenged.

18. Also 37% chose lack of funding or management buy-in as the biggest challenge.

19. More than half of the companies find 1-25 vulnerabilities in their application.

20. Surprisingly, 6.5% companies report more than 1000 vulnerabilities monthly in the same report.

Observations: Application layer is one of the most cited reasons behind sensitive information exposure and website downtime. Companies simply cannot invest massive amounts in website penetration testing and scanning to find vulnerabilities and then wait for the root cause to be fixed.

Additionally, businesses need to differentiate server vulnerabilities within their applications and business logic flaws that are exclusive to every application. Attackers now use automated techniques to exploit logical issues for credential stuffing, carding, and more. Ironically, these severe business logic flaws aren’t listed in OWASP Top Ten or in any other top issue list or dictionary.

Free-Trial

Data Sources:

  • -Indusface Total Application Security Data
  • -Indusface Blog
  • -SANS Institute State of Application Security 2016
  • -Identity Theft Resource Center Stats
  • -Kaspersky DDoS Intelligence Report