NTT Com Security recently released its 2015 Global Threat Intelligence Report (GTIR), which analysed over six billion attacks in 2014.
We recently had the chance to speak to Stuart Reed, Senior Director of Global Product Marketing at NTT Com Security, about the report's findings, the types of attacks hackers are favouring and what companies can do to protect themselves.
The full interview can be found below.
1. According to the report, 60 per cent of all web application attacks are SQL injection attacks. What exactly does that mean and why are they so popular with hackers?
Analysis of approximately six billion worldwide verified attacks over the course of 2014 tells us that 60 per cent of web attacks in the UK were SQL injection – a code injection technique designed to attack data-driven applications.
Although NTT’s Global Threat Intelligence attack data from the NTT Group companies does not tell us how many SQL injections attacks were successful, there is further evidence that show they are one of the most critical vulnerabilities. The recent OWASP Top Ten Project, for example, places injection attacks as the number one target.
Why so popular? SQL injection is on top of the list year after year because the consequences are serious if you expose a webserver with an SQL injection flaw. They will get access to customer personal data and credit card data. Other web flaws have less critical consequences - some will not give a hacker access to the database behind the webserver, so SQL injection is the easiest route to valuable information.
2. This type of attack has been around for a long time now, why are hackers still having so much success?
Although the Global Threat Intelligence data doesn’t indicate whether a hacker is successful or not, that fact that these vulnerabilities have been around for a number of years tells us that hackers will continue to take advantage of SQL injection attacks.
Worryingly, companies are still failing to put in place effective processes to patch legacy vulnerabilities. Organisations first of all need to ensure that they are building the right level of security into web applications to avoid this type of attack. And second, they need to have effective incident response plans in place to handle any potential or actual security breaches.
3. What should companies be focusing on when trying to protect themselves?
We found that 76 per cent of identified vulnerabilities were more than two years old with almost 9 per cent were more than 10 years old, so getting the basics right is essential.
However this does not mean “configure and forget”. Getting a firm foundation must be supported by ongoing process and operations for maximum impact. This should include proper patch management as this is one of the key processes that businesses need in order to get the basics right.
4. The type of attack used seems to vary a lot across countries, why do you think that is?
Attackers may find a vulnerability that works better in one industry or one region, although it is clear that no sector is immune.
Attacks are global and, crucially, organisations in every region and every sector should make sure they have preventative measures in place along with a clear plan to help minimise their exposure should they suffer a breach.
5. The Internet of Things and Bring Your Own Device are two trends making cyber security practices more challenging than ever. What steps should companies be taking to mitigate these new potential vulnerabilities?
New technologies and ways of working can bring significant advantages and efficiencies to organisations. To embrace these trends, a robust and scalable security architecture is required.
This must be combined with the correct processes and user education. Many of us use data on a daily basis and it is essential that awareness is raised on best practice and creating a sense of a collective responsibility for data security.
6. What can smaller companies without the budget and manpower of larger organisations do to keep themselves secure?
Budgetary constraints and skills shortages in key areas mean that working with a trusted third party to deliver security services – such as Managed Security Services (or MSSPs).
However, not all MSSPs are the same, just as no two organisations are the same. It’s therefore important to find a provider who is prepared to work within the organisation’s strategic aims, rather than to its own agenda.
7. The report also mentions that 74 per cent of companies didn't have an incident response plan in place in 2014. Why is having one so important and what tips would you offer to companies thinking of developing a plan?
Having a well-defined and communicated incident response plan can help organisations respond in a quicker and more efficient way should a breach occur, minimising the impact and cost of incidents.
When thinking about an appropriate policy, it is important to consider how this policy will interface with other parts of the business affected by a breach. This may be an organisation’s PR, business continuity, risk or customer services teams, as well as defining how to share the news internally.
Ensuring the policy is communicated and well understood is essential for it to be put into action if a breach occurs
8. What trends do you think we'll see in the cyber security space in the next few months?
Advanced persistent threats - attacks that target an organisation or an individual within an organisation - are still prevalent and becoming more sophisticated. However it is important to remember that attacks do not need to be sophisticated to succeed – still 76 per cent of vulnerabilities were known about, some since 2004.
If organisations don’t get the basics right and close the known vulnerabilities it is far easier for an attack to succeed.