What a year it has been so far. With millions of records stolen and thousands of dollars spent in recovering from breaches and downtime, what do we get to learn from website security lapses this year? Indusface brings you the most influential security numbers from this year, so far.
1. More than 27 million records were stolen in 622 breach incidents until now.
2. Over 43% of all data breaches targeted the business sector.
3. ADP, one of the largest providers of human resources management software and services, faced the biggest breach, which affected 640,000 companies. Hackers were able to access users’ personal data through the vulnerable customer portal.
4. The average consolidated total cost of a data breach is $4 million; this includes the cost of lost business, brand reputation damage, and so forth.
5. This year’s average cost incurred for each lost or stolen record has jumped to $158 as opposed to $154 last year.
Observations: In just eight months, global companies have lost more than 27 million personal records. Businesses are definitely at higher risk due to financial and rivalry incentives in the sector. They need powerful mechanisms to secure their data. Every publicly declared breach leads to loss of business and reputation damage.
6. Today, browser-based bot DDoS attacks can bring an average server down with fewer than 1000 requests in a second.
8. The cost of an application DDoS attack has gone down significantly in the last few years.
9. It can take up to 15 employees to mitigate DDoS attacks.
10. Application-layer DDoS can also last for days.
Observations: Traditionally, companies were wary only of Layer 4 (Network) distributed denial-of-service attacks. However, Layer 7 (Application) DDoS has emerged as a prominent automated attack threat that abuses limitations in server-application memory and performance. In fact, it does not require the same level of skill or resources as a network-layer attack.
11. SQL Injection is the most common ‘Critical’ vulnerability found by Indusface Web Application Scanning.
12. Amongst ‘High’ severity vulnerabilities, 91% were Cross-Site Scripting.
13. SANS Institute’s State of Application Security 2016 reports Java and .NET as the riskiest languages for the number of vulnerabilities found in them.
14. It also claims that 25% of businesses take 8 to 30 days to patch a vulnerability.
15. And only 13% use virtual patching, while 51% wait until they find the root cause and then patch it there.
16. A mere 11% of companies are satisfied with the speed of their vulnerability repair.
17. 38% of respondents chose lack of app sec skills, tools and methods as the biggest challenge.
18. Also, 37% chose lack of funding or management buy-in as the biggest challenge.
19. More than half of the companies find 1-25 vulnerabilities in their application.
20. Surprisingly, 6.5% of companies report more than 1000 vulnerabilities monthly in the same report.
Observations: The application layer is one of the most cited reasons behind sensitive information exposure and website downtime. Companies simply cannot invest massive amounts in website penetration testing and scanning to find vulnerabilities and then wait for the root cause to be fixed.
Additionally, businesses need to differentiate between server vulnerabilities within their applications and business logic flaws that are exclusive to every application. Attackers now use automated techniques to exploit logical issues for credential stuffing, carding, and more. Ironically, these severe business logic flaws aren’t listed in the OWASP Top 10 or in any other top issue list or dictionary.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.