Web Hacking Facts and Figures

• 75% of breaches resulted from external threats, while just 20 per cent were caused by insiders.
• 81 % of affected organizations subject to the Payment Card Industry Data Security Standard were found to be non-compliant prior to being breached.
• 53% of stolen data records came from organizations using shared or default credentials
• 83 % of hacks were considered avoidable through simple or intermediate controls

Reproduced from an article published by SC Magazine

Figures from the latest Web Hacking Incidents Database Annual Report

• 30% of the 57 attacks were carried out by SQL injection.
  The most common style of attack was SQL injection, which involves inputting commands into Web-based forms or URLs (Uniform Resource Locators) in order to return data held in back-end databases or plant malware in order to infect computers visiting the site
• The second common attack was cross-site scripting.
  A cross-site scripting flaw can allow data or malicious code to be drawn from another a Web site, which can potentially cause a data breach.
• Government, law enforcement and political Web sites were the most targeted categories of Hacked Web sites.
  The second most popular motivation was stealing sensitive information, which occurred in 19 % of the hacked websites:
  - 16% - planting malware
  - 13 % - causing monetary loss
  
• The remaining attacks caused downtime for a Web site, planted worms and linked spam and information warfare.

Web2.0 security is not about XSS, or SQL Injection or even any kind of injection attack. These are simply vulnerabilities. Web 2.0 security is all about the loose inter-communication between components which you can trust and components that you cannot, including use of 3rd party scripts such as those at 1000websitetools.com.

80% of IT practitioners report that their organization experienced 1 or more data breach

The causes of data breaches:

• Negligent insiders - 75%
• Outsourced data to vendors and other third parties - 42%
• Malicious insiders - 26%
• Social engineering - 2%
• Hackers - 1%

40% of Web hacking incidents are aimed at stealing personal information, with 67% of all attacks are profit motivated, according to the Web Hacking incidents Database project report for 2007.

Gartner has stated that 75% of all attacks on web sites and web applications target the application level and not the infrastructure.

NTA Monitor's 2008 Annual Security Report has revealed that the average number of vulnerabilities found per test have increased to 21 compared with 19 in 2007.

All of the top 10 high risk flaws are associated with services that are being made available to Internet users, demonstrating that with increased functionality comes the threat of reduced security.

Related Articles:

The Price of Ignoring SQL Injection Vulnerabilities
Vendor Lock In or Ignorant Design?
WikiLeaks, the Mega-D botnet and online privacy led the way in cyber-security news this past week.