Attacks are rising in all vectors and types

DDoS, web application, bot, and other attacks have surged exponentially compared to the first half of 2019, according to CDNetworks.

In particular, attacks on web applications rose by 800%. These alarming statistics show that enterprises are experiencing challenging times in their attempts to defend against cyber attacks and protect their online assets.

Hackers extremely sensitive to industry transformation

The report goes on to say that hackers are extremely sensitive to industry transformation. For this reason, the challenges of the global pandemic are leading hackers to move attacks from less visited sites such as those related to hospitality, transportation, and other travel-related businesses and redirect their attention to sites that are profiting under COVID-19 such as media, public services, and education.

E-government and digital public service systems are also magnets to hackers due to the sensitive and valuable information these systems hold. Researchers contend that attacks against public sectors will continue with increasing virulence.

All types of attacks continued to increase. Consider that:

  • DDoS attack incidents saw a 147.63% year-on-year growth.
  • On average, 660 bot attack incidents were blocked every second, nearly double last year's figure.
  • Over 4.2 billion web application attacks were blocked in H1, a figure that is 8 times higher than the same period in 2019.

It is also worth noting that web application attacks in the public sector surpassed attacks in retail venues, making the public sector the single most attacked industry during this period. In fact, over 1 billion of the web attacks were targeted toward the public sector, which accounts for 26% of total attacks.

Equally disturbing is the fact that with AI becoming a vital part of cybersecurity, hackers are now using machine learning to detect and crack vulnerabilities in networks and systems.

Attacks rising in all vectors and types

The report makes it clear that attacks are rising in all vectors and types year over year. As new web application methodologies, from network security to cloud security, expose new attack surfaces, the boundary of security protection continues to expand with them. As a result, today’s APIs, micro-services, and serverless functions are all vulnerable to malformed requests, bot traffic, and DDoS attacks at both network and application layers.

Moreover, the evolution of 5G networks, edge computing, AI, and Internet of Things is rapidly forcing conventional security into the dustbin. In its place, software-defined security is emerging as a significant trend in the development of network security.

Enterprises that have an online presence and care about compliance, user privacy, security, and online availability can no longer enjoy the luxury of cherry-picking their security services because conventional security devices and strategies are becoming inadequate for handling today’s challenges. Rather, they must act immediately to adopt a comprehensive website security suite that includes a web application firewall, bot management solution, and DDoS protection.

Intelligent confrontation will be the new battlefield for cloud security in the near future. To minimize the exposure window, the time has come to fundamentally rethink strategy and embrace a layered defense to gain a tactical edge and achieve superiority on the battlefield in both conventional conflicts and asymmetric cyber warfare.

Theory and practice of web application security efforts in organizations worldwide

75% of executives believe their organization scans all web applications for security vulnerabilities, while nearly 50% of security staff say they don’t, a Netsparker survey reveals.

Web application security efforts are insufficient

Even more concerning, over 60% of DevOps respondents indicate that new security vulnerabilities are being found faster than they can be fixed, indicating that web application security efforts are insufficient.

However, only just over 40% of executives are aware of this situation, and thus most companies are unlikely to be making the required investments to remedy the situation.

Despite this, respondents ranked web application security highest among the areas they believe their company should focus on. Over 66% of respondents named web application security as a priority – more than any other aspect of IT security, ahead of network security, endpoint security, and patch management.

Additional highlights

  • While just 20% of developers believe that development teams are resistant to incorporating security, close to half of security professionals say they encounter developer resistance.
  • Just under 40% of developers indicated that critical security issues get automatically escalated, showing that organizations still have a long way to go to fully integrate security into the software development process.
  • Just under 35% of developers report friction caused by security false positives, compared to over 54% of security staff. This suggests that security teams bear the bulk of extra work caused by false alarms.

Disconnect between theory and practice

The survey shows a worrying disconnect between the theory and practice of web application security. While most organizations appreciate the importance of web security, many still don’t scan all their applications and an even greater number struggle to deal with vulnerabilities in a timely manner.

This research shows that perceptions and expectations of web application security vary widely depending on the role. This misalignment between perception and reality creates dangerous threats to the security of organizations and their customers’ data as well.

40% of security pros say half of cyberattacks bypass their WAF

There are growing concerns around the number of businesses vulnerable to cyberattacks due to hackers’ ability to bypass their Web Application Firewall (WAF), Neustar reveals.

Cyberattacks bypass the WAF

49% of security professionals reported more than a quarter of attempts to sidestep their WAF protocols had been successful in the last 12 months. In addition, as many as four in ten respondents disclosed that 50% or more of attacks had managed to get around their application layer firewall.

These findings come at a pivotal time, as organizations continue to adapt their security strategies to cope with the increase in malicious web activity associated with COVID-19.

29% of respondents admitted they had found it difficult to alter their WAF policies to guard against new web application attacks, while just 15% said they had found the process very easy.

No fully integrated WAF

Despite many having already been on the receiving end of a successful web-application attack, 39% of respondents declared they do not have a WAF that is fully integrated into other security functions, a technique that is critical in developing a holistic defense against a variety of attack types. Three in ten also claimed that half of network requests have been labelled as false positives by their WAF in the last year.

“As members of the public, we have witnessed the steady and significant growth of volumetric DDoS attacks, fake domains, malicious malware and harmful misinformation. However, while these may be the security concerns capturing headlines, those within the community have also seen the unsettling rise in application-layer attacks,” said Rodney Joffe, Senior VP and Fellow at Neustar.

“Often unleashing destruction before they are even recognized, these attacks are equally as damaging, targeting specific vulnerabilities to cause a multitude of complications for those on the receiving end.”

“Due to their ‘under-the-radar’ nature, application-layer attacks are difficult to detect and therefore require a security posture that is always-on in order to be identified and mitigated. Only by providing protection across the entire network can organizations respond to the type of threats we are seeing today.

“For full-protection that doesn’t hinder business performance or add unnecessary complexities, organizations should opt for a cloud-based WAF, underpinned by curated, actionable threat data.

“Not only is this approach guaranteed to safeguard against the most common web threats, it also delivers visibility into application traffic, no matter where the applications themselves are hosted,” added Joffe.

DDoS attacks and system compromise ranked as the greatest concerns

There has also been a steep 12-point increase on the International Cyber Benchmarks Index year-on-year. Calculated based on the changing level of threat and impact of cyberattacks, the Index has maintained an upward trend since May 2017.

During March – April 2020, DDoS attacks and system compromise were ranked as the greatest concerns for security professionals (both 21%), followed by ransomware (17%) and intellectual property (16%). To date, 68% of enterprises surveyed indicated that they had been on the receiving end of a DDoS attack at any given time, up 3% on previous reports.

Google unveils secure remote access service to unburden enterprise VPNs

Google has made available BeyondCorp Remote Access, a cloud-based, zero trust service that allows employees, contractors and partners to securely access specific corporate resources from untrusted networks without having to use the company’s VPN.

The goal is to help companies with a suddenly massive remote workforce avoid overburdening their VPN infrastructure.

About BeyondCorp Remote Access

BeyondCorp Remote Access is a subscription-based service that is available through Google Cloud.

“This cloud solution — based on the zero trust approach we’ve used internally for almost a decade — lets your employees and extended workforce access internal web apps from virtually any device, anywhere, without a traditional remote-access VPN,” Google Cloud honchos Sunil Potti and Sampath Srinivas explained.

“Over time, we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”

Access to web apps and services is granted (or not) based on user identity, device identity, device security, location, and other metadata and signals collected through the browser or an endpoint agent that is installed on the user’s device (if the customer mandates it).

The web apps that can be accessed through the service can be hosted on Google Cloud, on other clouds, or on the customer’s premises. Enterprise admins can configure access policies for each app.

“For example, you can enforce a policy that says: ‘My contract HR recruiters working from home on their own laptops can access our web-based document management system (and nothing else), but only if they are using the latest version of the OS, and are using phishing-resistant authentication like security keys.’ Or: ‘My timecard application should be safely available to all hourly employees on any device, anywhere,’” the duo explained.

The company’s long term plan is to “offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”
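
A default-deny evaluator for the two example policies quoted above, added here as an illustration. It is not Google's code or API; the app names, group names, signal fields, and the choice to accept any authentication method for the timecard app are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Context:
    """Signals attached to one request (hypothetical field names)."""
    group: str                     # user identity, reduced to a group
    os_is_latest: Optional[bool]   # device security; None = signal missing
    auth_method: str               # e.g. "security_key" or "password"


# One rule per web app (constructed names). An app without a rule is
# unreachable, which is what gives "and nothing else" its meaning.
POLICIES = {
    "doc-management": {
        "groups": {"contract-hr-recruiters"},
        "require_latest_os": True,
        "auth_methods": {"security_key"},   # phishing-resistant only
    },
    "timecard": {
        "groups": {"hourly-employees"},
        "require_latest_os": False,         # "any device, anywhere"
        "auth_methods": None,               # assumption: any method
    },
}


def decide(app: str, ctx: Context) -> Tuple[bool, str]:
    """Return (allowed, reason); every failed or missing check denies."""
    rule = POLICIES.get(app)
    if rule is None:
        return False, "no policy for app"
    if ctx.group not in rule["groups"]:
        return False, "group not allowed"
    # A missing posture signal (None) is treated as a failed check,
    # so an unreachable endpoint agent cannot widen access.
    if rule["require_latest_os"] and ctx.os_is_latest is not True:
        return False, "OS not verified as latest"
    allowed_auth = rule["auth_methods"]
    if allowed_auth is not None and ctx.auth_method not in allowed_auth:
        return False, "authentication too weak"
    return True, "allowed"


if __name__ == "__main__":
    recruiter = Context("contract-hr-recruiters", True, "security_key")
    for app in ("doc-management", "timecard", "payroll"):
        print(app, decide(app, recruiter))
```

The decision is made per app and per request, so the recruiter who is allowed into the document system is still denied the timecard app and any app that has no rule at all.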

WordPress and Apache Struts weaponized vulnerabilities on the rise

Vulnerabilities in leading web and application frameworks, if exploited, can have devastating effects like the Equifax breach which affected 147 million people, according to RiskSense.

Among the report’s key findings, total framework vulnerabilities in 2019 went down but the weaponization rate went up, WordPress and Apache Struts had the most weaponized vulnerabilities, and input validation surpassed cross-site scripting (XSS) as the most weaponized weakness in the frameworks examined.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense.

“As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

Most weaponized vulnerabilities

These two frameworks alone accounted for 57% of the weaponized vulnerabilities, those for which exploit code exists to take advantage of the weakness, in the past 10 years.

WordPress faced a wide variety of issues, but XSS was the most common problem, while input validation was the biggest risk for the Apache Struts framework. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.

2019 vulnerabilities are down, but weaponization is up

While the overall number of framework vulnerabilities was down in 2019 compared to previous years, the weaponization rate jumped to 8.6%, which is more than double the National Vulnerability Database (NVD) average of 3.9% for the same period. This uptick was primarily due to increased weaponization in Ruby on Rails, WordPress and Java.

Input validation replaces XSS as top weakness

While XSS was the most common vulnerability over the 10-year study period, it dropped to 5th when analyzed over the last 5 years. This is a sign that frameworks are making progress in this important area.

Meanwhile, input validation has emerged as the top security risk for frameworks, accounting for 24% of all weaponized vulnerabilities over the past 5 years, mostly affecting Apache Struts, WordPress, and Drupal.

Injection weaknesses are highly weaponized

Vulnerabilities tied to SQL injection, code injection, and various command injections remained fairly rare, but had some of the highest weaponization rates, often over 50%. In fact, the top 3 weaknesses by weaponization rate were command injection (60% weaponized), OS command injection (50% weaponized), and code injection (39% weaponized). This often makes them some of the most sought-after weaknesses by attackers.

Shedding light on hidden threats

An organization’s web-facing applications represent fundamental digital assets that are essential to serving internal and external users. Their exposure to the outside world also means they are susceptible to constant attack.