Cyberattacks regularly made the news in 2017, and 2018 has continued the trend, from the Olympic Games to record-breaking DDoS attacks (for those who missed the news: memcached reflection attacks). This gives the impression that cyberattacks are becoming both more frequent and larger. But what is the actual situation?
We have put together some interesting 2017 statistics related to cybersecurity, focusing on data relevant to our speciality: penetration testing of web platforms, mobile applications and IoT.
At a Glance
Two main points stand out:
- 77% of organisations worldwide were victims of at least one successful cyberattack in 2017. (1)
- On average, attacks are discovered after more than 6 months (191 days!) and contained after more than 2 further months (66 days). (2)
Surfing the Internet is No Walk in the Park
- 1 in 13 URLs was found to be malicious (3)
- 8% of malicious URLs are related to phishing activities (3)
- Web application attacks increased by 10% between the fourth quarter of 2016 and the fourth quarter of 2017 (4)
- 50% of web application attacks in the fourth quarter of 2017 were SQL injections (4)
- Malware and web-based attacks are the two most costly attack types (5)
- IT security decision makers and practitioners cite malware and spear phishing (phishing that precisely targets specific persons using information about them) as their main concerns (1)
Let us Focus on Applications
The State of Software Security 2017 (6) tells us that:
- 77% of apps had at least one vulnerability on initial scan
- 27.6% of applications were affected by SQL injection
- 83% of organizations have released code before testing or resolving security issues
Publishing a web application offers a privileged attack surface to an attacker: it can expose sensitive data to malicious actors. Multiple factors can make an application vulnerable: obsolete services, weak passwords, poor management of user rights, insufficient validation of user-supplied input…
This is reflected in the three main attack types, which are:
- Use of stolen credentials
- SQL injection
- Brute force (6)
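As an added illustration, not taken from any of the reports cited on this page, the following Python snippet shows the pattern behind the SQL injection figures above: a login query built by string concatenation beside its parameterized equivalent. The database, the user record and the injection payloads are constructed for this example (the standard-library sqlite3 module is used so it runs offline), and the password is stored in plaintext only to keep the example short; a real application would store a password hash.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a single user (example data only).
    Real systems store password hashes, not plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row is not None


def login_hardened(conn, username, password):
    """Same logic with bound parameters: the driver passes input as data,
    so quotes and comment markers in the input never change the query."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


# Constructed payloads: the first comments out the password check,
# the second turns the WHERE clause into a tautology.
PAYLOAD_COMMENT = "alice' --"
PAYLOAD_TAUTOLOGY = "' OR '1'='1"


def demo():
    """Runs legitimate and malicious inputs against both versions and
    returns the outcome of each attempt (True = login accepted)."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_wrong_pw": login_vulnerable(conn, "alice", "wrong"),
        "vuln_comment_injection": login_vulnerable(conn, PAYLOAD_COMMENT, "anything"),
        "vuln_tautology": login_vulnerable(conn, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY),
        "hard_legit": login_hardened(conn, "alice", "correct horse battery staple"),
        "hard_wrong_pw": login_hardened(conn, "alice", "wrong"),
        "hard_comment_injection": login_hardened(conn, PAYLOAD_COMMENT, "anything"),
        "hard_tautology": login_hardened(conn, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

Both payloads log in as alice against the concatenated query without knowing the password, while the parameterized version rejects them and accepts only the real credentials. The fix costs nothing in readability, which is why parameterized queries (or an ORM that uses them) should be the default, with input validation as an additional layer rather than the only one.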
Against these threats, the Cyberthreat Defense Report (1) tells us that the three most commonly used technologies for protecting applications and data are:
- Web Application Firewall: 66.1%
- Data encryption / tokenization: 56.9%
- Database firewall: 27.6%
83.4% of organisations experience patching challenges. The main reasons given by IT security decision makers and practitioners are the infrequent windows in which production systems can be taken offline (34.5%) and a lack of qualified personnel (33.8%). They perceive secure application development and attack surface reduction as the two areas for which organisations have the least adequate resources. (1)
Attacks Leading to Data Breaches
Applications were the initial targets in 53% of data breaches (8). Looking closely at data breaches, we notice that:
- 75% were perpetrated by outsiders to the organisation (7)
- 73% were financially motivated (7)
- 43% involved social attacks (6) (which shows the importance of raising awareness among teams)
- 27% of breaches were discovered by third parties (7)
The 2017 Cost of Data Breach Study (2) gives the root causes of data breaches:
- 47% were caused by malicious or criminal attacks,
- 28% were due to system glitches,
- 25% were due to human errors.
Note that 62% of consumer respondents said they would blame the company that lost their data before blaming the hackers. (9)
This statistic shows that brand image suffers from data breaches. The GDPR, which soon comes into effect, only reinforces this responsibility. (If the four letters GDPR do not ring a bell, take a look here.)
What about Mobile Devices?
Only 20% of Android mobile devices are up to date, whereas 77.3% of iOS devices run the latest version. (3) Keeping mobile devices and applications up to date ensures a certain level of security and fixes known flaws. This should be a priority for everyone, considering the sensitive data held on our phones (banking apps, emails, contacts, SMS, Facebook, LinkedIn, chat…). The low share of up-to-date devices reveals either a lack of risk awareness or hardware obsolescence.
Application containers and mobile devices (smartphones, tablets) are the elements in which IT security practitioners have the least confidence in their defences. (1)
As for Internet of Things (IoT) devices, attacks targeting them increased by 600% in 2017, reaching 50,000. (3)
The Internet Security Threat Report (3) lists the most targeted IoT services:
- Telnet: 50.5%
- HTTP: 32.4%
- HTTPS: 7.7% (3)
The two main types of devices involved in IoT attacks are:
- Router: 33.6%
- DVR (Digital Video Recorder): 23.2%
Last but not least, IT security practitioners report the lack of skilled personnel and low security awareness among employees as the biggest obstacles to security. (1)
To conclude, these statistics help us better understand the current threats. Knowing the potential risks to one's activity is necessary in order to prevent them and to promote good practices among users.
These figures are only a glimpse of the statistics related to cybersecurity. Don't hesitate to take a deeper look at the reports.
PS: sources are listed in the order of their first appearance.
(1) 2018 Cyberthreat Defense Report. Cyberedge Group. https://cyber-edge.com/wp-content/uploads/2018/03/CyberEdge-2018-CDR.pdf
(2) 2017 Cost of Data Breach Study. Ponemon Institute. https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN
(3) Internet Security Threat Report – Volume 23/ March 2018. Symantec. https://www.symantec.com/security-center/threat-report
(4) State of the Internet / Security – Q4 2017 Report. Akamai. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2017-state-of-the-internet-security-report.pdf
(5) 2017 Cost of Cyber Crime Study. Ponemon Institute. https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
(6) State of Software Security 2017. Veracode. https://info.veracode.com/report-state-of-software-security.html
(7) 2017 Data Breach Investigations Report. Verizon. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
(8) Threat Intelligence Report – Lessons Learned from a Decade of Data Breaches. F5 Labs. https://f5.com/Portals/1/PDF/labs/F5_Labs_Lessons_Learned_from_a_Decade_of_Data_Breaches_rev.pdf?ver=2017-12-11-093704-320
(9) RSA Data – Privacy & Security Report. RSA. https://www.rsa.com/content/dam/en/e-book/rsa-data-privacy-report.pdf