Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Automation ups the security ante

Can your organisation’s Web applications withstand 25,000 attacks a minute, or seven per second?

Web applications experience 27 attacks per hour on average — roughly one attack every two minutes — according to findings from a US-based data security provider.

Imperva’s latest Web Application Attack Report (WAAR), conducted December 2010 through May 2011, found cyber criminals are increasingly using automated attacks launched from captured ‘botnet’ computers. The study monitored and categorised more than 10 million individual attacks across the internet, as well as on 30 different enterprise and government Web applications. It established that attack traffic during the six-month period was characterised by high volume activity followed by longer periods of lighter activity — key indicators of automation.

When websites came under automated attack they received up to 25,000 attacks in one hour, or seven attacks every second. The findings could have far-reaching implications for CIOs and security personnel. “Most security research focuses on vulnerabilities and while this can be extremely valuable, it doesn’t always help businesses prioritise their security efforts,” said Imperva CTO and lead researcher, Amichai Shulman.

For example, the Open Web Application Security Project (OWASP), which lists the 10 most dangerous current Web application security flaws, does not identify remote file inclusion (RFI) and directory traversal as top vulnerabilities. However, WAAR shows that these are two of the most common attacks used by hackers to steal data.

“It is impossible to have effective risk management without understanding which vulnerabilities are most likely to be exploited,” Shulman said.

According to WAAR, the four most prevalent web application attacks are:

  • Directory traversal — 37 per cent
  • Cross site scripting — 36 per cent
  • SQL injection — 23 per cent
  • Remote file inclusion — 4 per cent.

Notably, these attacks are often used in combination to scan for vulnerabilities and subsequently exploit them.

“The level of automation in cyber attacks continues to shock us,” Shulman said. “The way hackers have leveraged automation is one of the most significant innovations in criminal history. You can’t automate car theft, or purse stealing, but you can automate data theft. Automation will be the driver that makes cyber crime exceed physical crime in terms of financial impact.

Alarmingly, advances in evasion are also significant.

“Our data shows that it is increasingly difficult to trace attacks to specific entities or organisations,” Shulman said. “This complicates any effort to retaliate, shut down cyber criminal gangs or identify potential acts of war.”

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: AAR, Imperva

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: hackers, security, Websites
Latest Blog Posts
Whitepapers
  • Prepare Your Enterprise for the Mobile Revolution: Boost the Bottom Line with Mobile UC
    This white paper will highlight the changes in the mobile workplace; outline the benefits of unified communications (UC) and Fixed-Mobile Convergence (FMC) for mobile workers; identify the key market trends and business challenges IT managers must pay attention to now and into the future; and offer best practices for choosing a solution that will deliver clear ROI.
    Learn more »
  • Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives
    Service-oriented architecture (SOA) has moved beyond hype to widespread acceptance as an IT strategy for delivering business value. SOA promotes the notion of modularity, providing overwhelming flexibility and superior economics for addressing business demands. However, undertaking the transformation to SOA is not without its challenges. If left unchecked, your inventory of SOA assets will become unmanageable; the reuse of services will diminish in favor of custom development; or even worse, modifications will be made to your existing services that break other business processes. The purpose of SOA governance is to help you ensure that this does not happen. This paper outlines the most compelling reasons for you to establish SOA governance within your organization.
    Learn more »
  • Optimizing Data Quality in the Enterprise - How to Tackle Your Bad Information
    Data quality – the measure of data accuracy, completeness, and consistency across a business – has become the core focus of information management efforts among many of today’s organizations. Problems with data quality continue to plague corporations of all types and sizes. In this paper, we will discuss some techniques companies can implement to enhance data quality across the entire enterprise. We will also highlight data quality management solutions, which provide businesses with the ability to effectively and economically enhance the correctness, completeness, and consistency of information in each and every system within their technology infrastructure.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments