US more prolific source of cyber-attacks than China, says new report

Despite its vocal advocacy of fair play in the cyber-sphere, the United States remains the number one source of cyber-attacks according to data security specialist Imperva.

The company’s annual Web Application Attack Report found that the United States was the primary source of most attack vectors in this Internet battleground, topping the charts for SQL injections, comment spam, directory traversals, and the exploitation of file inclusion vulnerabilities.

In a study spanning over six months, Imperva scrutinised Internet traffic heading to 70 different web applications to identify key trends in the current threat landscape. The report does not make good reading for the US, though Imperva was keen to point out the difficulty in country-attribution for cyber-attacks, and the tendency for data to be skewed depending on natural Internet activity.

“We have to remember that most of the Internet traffic comes from the US and there are a lot of servers and clients there. The Internet is still very much US-centric,” Imperva’s Web Security Research Team Leader, Tal Be’ery told ITProPortal.

“But certainly there is a lot of attacking activity coming out of the US. Everyone can take some conclusion from that,” he added.

According to recent estimates, China now has more than twice as many Internet users as America, which may soon weaken the argument that the US will remain the number one source of cyber-attacks by default. With Imperva’s report ranking the States above China in six of the 12 categories relating to locations where attack requests were initiated and hosted, more findings in this vein could damage America’s position in the ongoing feud with China over cyber-attacks.

The US has repeatedly accused China of playing host to hackers who steal intellectual property from domestic business and compromise critical national infrastructure. China has countered the stories with claims that the US has in fact been attacking its own organisations, and experts feared the dispute would worsen with apparent US hypocrisy over cyber-spying following the Prism scandal.

Unsurprisingly, IT security vendors continue to maintain a neutral stance, though Be’ery admitted political fallout from such reports was inevitable. “It is what it is,” he said. “This is the study, and we are publicising what we see.”

Among the report’s other revelations was heavy targeting of the retail sector, which suffered twice as many SQL injection attacks as other industries, as well as a rise in sustained cyber-assaults on web pages. One observed website was under attack for 176 days of the six-month period, an incredible 98 per cent of the time.

With retailers’ online presence typically spanning a large number of web pages in the form of catalogues, their susceptibility to long, intense SQL injection attacks increases, Imperva suggests. In an SQL injection, a hacker inserts code that exploits a vulnerability in an application’s software, forming a rogue SQL command that deposits data into the hands of the attacker.

Be’ery said the retail sector is currently wrestling with the challenge of balancing strong security with usability for customers. Whereas industries like banking have security at the core of their web presence, other segments prioritise the user experience more heavily and leave applications vulnerable as a result.

Responding to the report in a statement, Imperva CTO Amichai Shulman said, “We believe that, with the current threat landscape, organizations can no longer afford to take an every-man-for-himself approach to security.”

“This report demonstrates that the automation and scale of attacks leave a large footprint that can be better addressed by looking at data gathered from a large set of potential victims. Thus it is important to rely on one’s peers to acquire intelligence on malicious sources and apply this intelligence in real time.”

Calls for better security collaboration between companies and the pooling of cyber-intelligence have been a common theme in the industry of late. The UK government sought to embrace the approach with its Cyber Security Information Sharing Partnership (CISP) launched earlier this year, but reports detailing the plan in action have remained relatively scarce.

While supporting the idea in principle, Corero Network Security CEO Ashley Stephenson recently told ITProPortal it would take several years for such 'sharing' to become common practice, as we discussed whether the government’s cyber-security schemes were paying off.