The recent launch of the highly respected 2011 Data Breach Investigations Report (DBIR) highlights a shift in web hacking towards smaller targets, multipath attacks and social engineering, in the view of Dave Shackleford, a well-known ethical hacker, security expert and SANS Certified Instructor.
The DBIR, an annual study conducted by the Verizon RISK Team with cooperation from the US Secret Service and the Dutch High Tech Crime Unit, found that within its representative sample the number of records stolen had fallen from 361 million in 2008 to just 4 million in 2010. “The numbers are a reflection of fewer massive breaches that were notable in previous years,” explains Shackleford, who is also a technical director at GIAC. Instead, he points to a rise in “smaller and more vulnerable organisations seen as easier targets” for hackers.
Malware was involved in 49% of breaches and 79% of record thefts, with the most common infection pathway being installation or injection by a remote attacker. This covers scenarios where an attacker breaches a system and then deploys malware, or injects code via SQL injection or other web application input functionality.
These web attacks accounted for almost four-fifths of the malware infections in the 2010 caseload, up from around half in last year’s study. “The blended nature of many of the attacks is also evident,” comments Shackleford. “If you look at the raw data, you see many more attacks that had a social engineering element, and the problem is growing.”
Although Shackleford believes that security professionals are better informed about the dangers of social engineering, there still seems to be a lack of communication to end users. “The data suggests that more needs to be done to educate the users who unwittingly open the door to attackers, and that requires better education,” he comments.
As part of the forthcoming SANS SECURITY 542: Web App Penetration Testing and Ethical Hacking course that Shackleford will teach in London this June, he stresses the need to understand how to use multiple attack techniques in concert. “Competent IT security professionals need to know the methods used by attackers to become good defenders,” he explains. “Increasingly that means a much wider remit than just, say, cross-site scripting and SQL injection; these are complemented by areas like reconnaissance and mapping, username harvesting and cookie exploitation, amongst others.”
The 6-day course has proved popular in the past, and this year's event has had strong pre-registration. “The brand consequences of a breach, for example the recent PlayStation Network, have spooked organisations that have typically been reticent around ethical hacking and penetration testing,” explains Shackleford. “We are also seeing the rise of groups that are perpetrating attacks for ideological reasons, that pick targets based on visibility and less on potential commercial gain. I personally think this 'hacktivism' will increase, and that is a worrying trend.”
SANS SOS London runs from June 6 to 11. The event has two concurrent 6-day sessions: SECURITY 504: Hacker Techniques, Exploits & Incident Handling and SECURITY 542: Web App Penetration Testing and Ethical Hacking.