Verizon just issued their annual Breach Incident Report for 2020 (usually referred to as the VBIR). It’s one of the most comprehensive reviews of cyber attacks in the industry, and due to the telemetry and history available to Verizon, one of the most interesting to examine for trends and changes in the behavior of cyber criminals. It includes a reference to attacks on cloud-stored data and web applications doubling in the last year.
The VBIR for 2020 also contains a great deal of other useful information, and reminds us that only checking for malware on systems isn’t enough, as attacks via malware have decreased to only 6.5% of all attacks and incidents (down from the peak near 50% in 2016). It’s also a good reminder that organizations need to have security in place against phishing, to prevent credential theft, and to protect web applications that continue to have vulnerabilities that can be exploited.
The other big takeaway for organizations is that misconfiguration errors were a big gainer this year (called the best supporting action in the report). At K2, we often see this at customer sites, where the customer has patched a known vulnerability incorrectly or left it unpatched, leaving the organization vulnerable to an attack, and where standard tools like WAF and EDR fail to detect attacks on that vulnerability.
The VBIR also shows that web applications are the assets most involved in incidents (around 40% or more in the report), and that web applications are the most commonly involved when looking at patterns in breaches (around 35%). Within those breach patterns, SQL injection, PHP injection and Cross Site Scripting (XSS) were most notably the most commonly exploited vulnerabilities. What’s troubling here is that SQL injection (and other injection flaws) and XSS have been listed on the OWASP Top 10 of security risks for web applications for some time now, and organizations still don’t have a handle on protecting against these vulnerabilities.
The report also breaks down data by verticals. For example, it indicates that the two biggest problems for financials are attacks on web applications and errors. We’ve already noted that organizations need to do better at protecting their web applications. Financials in particular need to note that errors by end-users and misconfiguration errors by administrators are the other top cause of breaches.
The VBIR is another good reminder that when moving applications to the internet, organizations need to keep security at the top of the checklist. It isn’t enough to rely on the security provided by your service provider or hosting platform. While service providers and hosting companies provide security for their components, they aren’t responsible for the security of your organization’s assets or applications in the cloud. Couple the lack of security provided by hosting companies and service providers with the increase in attacks, the continued increase in discovered vulnerabilities and the corresponding increase in zero-day attacks on these vulnerabilities, and you’ve got a sure recipe for increased data breaches in our near future. It’s more important than ever to make sure you’ve got security for your web applications and application workloads.
It’s also important to remember that zero-day attacks are becoming more and more sophisticated. With the ingenuity found in each new zero-day attack, it’s more than likely the next big zero-day attack will have no foundation in a past attack. To detect the next new zero-day attack, we need to change the way we approach security. We need to look at technologies that don’t rely on past attacks, for example, using deterministic security based on the application itself, rather than past attacks.
K2’s runtime deterministic application security platform monitors the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero-day attack. Deterministic security results in the detection of sophisticated zero-day attacks.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy-to-use, easy-to-deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number in the code being attacked, while at the same time integrating with leading firewalls to do real-time attacker blocking.
Change how you protect your applications.