Connected security report: Application breaches soaring, says Ponemon/F5 | Analysis

The vulnerability of the connected world and its growing complexity has been revealed by a new application security report.

Businesses worldwide are struggling to understand, optimise, and protect their rapidly expanding application environments, according to new research from information security organisation Ponemon Institute – incorporated into a wider report by applications intelligence company, F5 Labs.

The Ponemon survey of over 3,135 senior IT and security practitioners from businesses across the US, UK, Germany, Canada, Brazil, China, and India reveals that 38 percent of respondents have “no confidence” they have full oversight and supervision of all the applications they use.

UK businesses know the least about their application infrastructure (32 percent), found the research, whereas German organisations are the most confident in their knowledge, at 45 percent of respondents – still significantly less than half of those questioned.

The Ponemon Institute conducted the regional analysis – Web Application Security in the Changing Risk Landscape: Global Study – as a part of F5 Labs’ wider 2018 Application Protection Report, which has just been published.

A colony of problems

Web applications are “colony creatures”, like coral reefs, suggests the F5 report. A multitude of independent components, running in separate environments with different operational requirements and supporting infrastructures – both in the cloud and on premise – are glued together across networks.

Application services, application access, Transport Layer Security (TLS), domain name services (DNS), and the network are all part of this complex organism.

As a result, applications can easily fall prey to marauding intruders in the murky depths of the extended enterprise – especially when only 52 percent of applications, on average, are still hosted on premise, according to the report.

Despite the lack of confidence on display among respondents to the Ponemon survey for F5, IT leaders reported that 34 percent of their Web applications were mission critical.

According to Ponemon Institute, the global average for the number of Web app frameworks and environments in use is 9.77. The US has the most (12.09), with both the UK (9.72) and Germany (10.37) claiming to be above average.

In EMEA, 76 percent of German respondents are most concerned about credentials theft, second only to Canada at 81 percent. DDoS attacks (64 percent) and Web fraud (49 percent) are German businesses’ next biggest concerns.

UK IT leaders feel more threatened by Web fraud than anyone else (57 percent of respondents). Nevertheless, the UK’s biggest worries are credentials theft (69 percent) and DDoS attacks (59 percent).

Web app attacks are an operational blight in all countries, found the research. Ninety percent of respondents in the US and Germany said it would be “very painful” if an attack resulted in the denial of access to data or apps. The UK is the next most potentially vulnerable country, with 87 percent agreeing with the same statement.

Counting the cost

So how much is all this costing? The global average incident cost for app denial of service is very significant: $6.86 million. The US endures the costliest range of attacks, with total losses of $10.64 million on average, closely followed by Germany at $9.17 million. The UK is slightly below the global average, with an average of $6.57 million per incident.

Regional differences are also apparent when estimating the incident cost of confidential or sensitive information leaks, such as intellectual property or trade secrets. Globally, the average cost stands at $8.63 million.

The US pays out the most, having to foot an average bill of $16.91 million. Germany is second, with typical losses of $11.3 million. The UK fares better, with average losses of $8.1 million – almost half the US estimate.

Meanwhile, the global average estimated incident cost for leakage of personally identifiable information (customer, consumer, or employee) stands at $6.29 million. The US is once again hardest hit, at an average of $9.37 million, ahead of Germany ($8.48 million), India ($6.63 million), and the UK ($5.63 million).

US-specific problems

For its wider, 106-page application security report, F5 Labs looked at data from a variety of other sources, alongside the Ponemon survey of IT decision-makers. These included its own internal data sets, WhiteHat Security vulnerabilities, and Loryka attack data.

In addition, the researchers worked with faculty from the Whatcom Community College Cybersecurity Center to perform an extensive review of breach notification records in California, Washington, Idaho, and Oregon.

In these four states, researchers analysed 301 breaches in 2017 and Q1 2018 and found that Web application attacks were the top cause of all reported breaches, at 30 percent. Earlier research done by F5 Labs into 433 major breach cases spanning 12 years and 26 countries found that applications were the initial targets in 53 percent of cases.

In the US – via 2017 and Q1 2018 breach notification letters from the states’ attorneys general – F5 examined Web attacks in detail. Specific application breaches included payment card theft via Web injection (70 percent), website hacking (26 percent), and app database hacking (4 percent).

The organisation then cross-referenced this data with the relevant WhiteHat Security vulnerabilities, Loryka attack surveillance, and known exploits published by Exploit-DB, a CVE-compliant archive of public exploits and vulnerable software, to identify significant new risks.

The highest percentage (70 percent) of the breach reports for Q1 2018 were Web injections that stole customer payment card information. (Injection attacks allow an attacker to insert commands or new code directly into a running application.)

Over the past decade, 23 percent of breach records involved SQL injection attacks. Injection vulnerabilities (weaknesses that have not yet been exploited) were prevalent as well.

WhiteHat Security reported that 17 percent of all discovered vulnerabilities in 2017 were injection vulnerabilities. For this reason, high priority should be given to finding, patching, and blocking them.
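To make concrete what the report means by an injection vulnerability, here is an added example that is not part of the F5/Ponemon report: a customer lookup that splices user input into a SQL string, placed beside the parameterised version that closes the hole. The table, the rows and the inputs are all constructed for the demonstration and run against an in-memory SQLite database.

```python
"""Added example (not from the F5/Ponemon report): a string-built SQL query
beside its parameterised fix, run against constructed sample data in an
in-memory SQLite database. No real customer data is involved."""
import sqlite3

# Constructed sample rows; card numbers are deliberately masked placeholders.
SAMPLE_ROWS = [
    ("alice", "4111-xxxx-xxxx-1111"),
    ("bob", "5500-xxxx-xxxx-0004"),
    ("carol", "3400-xxxx-xxxx-0009"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, card_masked TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: the value becomes part of the SQL text, so quote
    characters in the input change the structure of the statement rather
    than being treated as data."""
    sql = f"SELECT username, card_masked FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the SQL text is fixed and the driver binds the value
    separately, so the input can only ever be compared as a string literal."""
    sql = "SELECT username, card_masked FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on a benign name, a quote-unbalancing input and a
    legitimate name containing an apostrophe, and collect the outcomes."""
    conn = build_db()
    benign = "alice"
    unbalanced = "' OR '1'='1"   # constructed input that breaks out of the quoted literal
    apostrophe = "o'brien"        # ordinary name that the defective query cannot handle

    def safe_call(fn, value):
        try:
            return fn(conn, value)
        except sqlite3.OperationalError:
            return "error"        # the statement no longer parses

    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_unbalanced": lookup_vulnerable(conn, unbalanced),
        "vulnerable_apostrophe": safe_call(lookup_vulnerable, apostrophe),
        "parameterised_benign": lookup_parameterised(conn, benign),
        "parameterised_unbalanced": lookup_parameterised(conn, unbalanced),
        "parameterised_apostrophe": safe_call(lookup_parameterised, apostrophe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two functions differ by a single line, which is the point: the defective version returns every card row for the quote-unbalancing input and fails outright on a customer called o'brien, while the parameterised version returns exactly the matching row or nothing. Finding the first pattern in code review or a scanner report is what the "find, patch, block" priority above amounts to in practice.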

Meanwhile, breach records analysis showed that 13 percent of all Web app breaches in 2017 and Q1 2018 were access related.

“Many businesses fail to keep pace with technological developments and make unwitting and dangerous security compromises as they have a worrying lack of insight into their applications,” said David Warburton, senior threat research evangelist EMEA, at F5 Networks.

“This is a big problem. The pressure has never been higher to deliver applications with unprecedented speed, adaptive functionality, and robust security – and against the backdrop of increasing European information security legislation.”

Battling the attackers

So what can organisations do about these problems?

The F5 Ponemon security survey showed that 75 percent of respondents were only using usernames and passwords for application authentication in critical Web apps. For any important application, stronger authentication solutions, such as federated identity or multi-factor authentication, should be considered, say the researchers.

According to the survey, the three main tools for keeping apps safe are Web application firewalls (WAF), application scanning, and penetration testing.

WAF takes the top spot in the US (30 percent), Brazil (30 percent), UK (29 percent), Germany (29 percent), Canada (26 percent), and India (26 percent). Penetration testing is most prominent in India (24 percent), followed by China (20 percent), Brazil (19 percent), Germany (20 percent), Canada (20 percent), the UK (18 percent), and the US (18 percent).

India is again in the lead for app scanning (24 percent), trailed by China (22 percent), Brazil (21 percent), Canada (19 percent), the US (18 percent), Germany (16 percent), and the UK (13 percent).

However, all of these deployment figures are in a clear minority.

The Ponemon Institute also reports that DDoS mitigation and backup technologies are the most widely used technologies to achieve high Web application availability. German and Brazilian respondents were the strongest DDoS mitigation advocates (both on 64 percent), edging out the US (62 percent), the UK (60 percent), and China (60 percent).

Backup technologies are most popular in Canada (76 percent), the UK (74 percent), and Germany (73 percent). However, it must be asked why as many as one-quarter of organisations are not employing backup solutions.

Transports of delight

Another of the report’s emerging trends is the growing importance of transport layer encryption. Here, the percentage of Web applications using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technology is highest in the UK, India, and Canada (all on 66 percent). The US and Germany are hot on their heels with 65 percent, followed by Brazil (64 percent) and China (46 percent).

Storage encryption is also seen as a critical defensive tool. Germany leads the way in this respect, with 50 percent of businesses claiming to use the technology “most of the time”, ahead of Canada (44 percent), the US (40 percent) and the UK (39 percent).

But again, why so many organisations are failing to encrypt data is a mystery.

The F5/Ponemon survey also offers some insight into how organisations are wrangling application security. Twenty-eight percent of respondents said the CIO or CTO owns responsibility for the application security risk management process. Only 10 percent of CISOs own it, and yet they will be in the hot seat in the event of a breach.

Internet of Business says

While all of these findings might seem to paint a bleak picture, four steps will have a high impact on improving application security and, for the most part, are not difficult to take – according to F5 Labs.

These are: Understand your environment; reduce your attack surface; prioritise defences based on risk; and select flexible and integrated defence tools.

Chris Middleton
Chris Middleton is former editor of Internet of Business, and now a key contributor to the title. He specialises in robotics, AI, the IoT, blockchain, and technology strategy. He is also former editor of Computing, Computer Business Review, and Professional Outsourcing, among others, and is a contributing editor to Diginomica, Computing, and Hack & Craft News. Over the years, he has also written for Computer Weekly, The Guardian, The Times, PC World, I-CIO, V3, The Inquirer, and Blockchain News, among many others. He is an acknowledged robotics expert who has appeared on BBC TV and radio, ITN, and Talk Radio, and is probably the only tech journalist in the UK to own a number of humanoid robots, which he hires out to events, exhibitions, universities, and schools. Chris has also chaired conferences on robotics, AI, IoT investment, digital marketing, blockchain, and space technologies, and has spoken at numerous other events.