Dark Reading published a list of 10 big breaches in 2011.
Dark Reading said, “No one was immune: not social networks, not financial institutions, and not even security firms.” I thought I would take a look at how many of these breaches were due to an application vulnerability. These are the breaches that most likely would have been prevented if the organizations had an application security program that built and tested applications with security in mind.
Information about some of the breaches was not available. Specifically, I couldn’t find any details about how Epsilon, WordPress, Cyworld or Steam were penetrated. Most of the news reports on those incidents said something to the effect of, “XYZ is investigating the root cause of the breach.” As is often the case, there is no follow-up news report once the root cause is determined. Thankfully there is information on how 6 of the breaches occurred. The following table details the cause of each breach and any application specifics, where applicable.
Looking at the breaches we know details about, four out of the six, or 66%, were due to an application vulnerability. This is an even higher percentage than I expected. It is clear that software security defects are being leveraged by attackers to exfiltrate large amounts of data from large and sophisticated organizations.
Diving down a level to the specific category of vulnerability, it turns out to be different in every case. Comodo was breached by a very common and easy-to-find flaw: SQL injection (SQL Injection Attack Exposes Comodo Partner Customer Data). RSA was done in by a memory corruption bug in Adobe Flash plus a very convincing spearphishing email (Attack on RSA used zero-day Flash exploit in Excel). It isn’t entirely clear what the exact cause of the Sony PlayStation Network breach was. Sony said it was a vulnerability in software running on an application server (Sony apologizes, details PlayStation Network attack). Citibank’s data breach was caused by a missing authorization check: once logged in as an ordinary customer, the attackers could iterate through other customers’ data simply by trying many account numbers (Revealed: How Citigroup hackers broke in ‘through the front door’ using bank’s website).
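The two application flaws the post describes in the most detail, Comodo’s SQL injection and Citibank’s missing authorization check, are easy to show side by side with their fix. The following is an added example, not code from the original post or from any of the breached organizations. It uses a constructed three-row SQLite accounts table (the account numbers, owners and balances are made up) and assumes the attacker has already logged in as an ordinary customer, which is exactly the “front door” position the Citibank attackers started from.

```python
import sqlite3

# Constructed sample data for the example (not from any real breach).
SAMPLE_ACCOUNTS = [
    ("1000001", "alice", 500),
    ("1000002", "bob", 1200),
    ("1000003", "carol", 75),
]


class Forbidden(Exception):
    """Raised when the requested record is not owned by the session user."""


def build_db():
    """Create an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_number TEXT PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_sqli(conn, account_number):
    """Comodo-style flaw: the user-controlled value is concatenated into SQL.
    A payload such as ' OR '1'='1 turns the query into one that matches every row."""
    sql = (
        "SELECT account_number, owner, balance FROM accounts "
        "WHERE account_number = '" + account_number + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_missing_authz(conn, session_user, account_number):
    """Citibank-style flaw: the query is parameterized (no injection), but nothing
    ties the record to the logged-in user, so any authenticated user can walk
    the account-number space and read everyone's data."""
    del session_user  # received but never consulted: that is the bug
    return conn.execute(
        "SELECT account_number, owner, balance FROM accounts WHERE account_number = ?",
        (account_number,),
    ).fetchone()


def lookup_hardened(conn, session_user, account_number):
    """Fixed version: parameterized query plus an ownership check in the same
    query. A record that does not exist and a record owned by someone else give
    the same Forbidden result, so the response does not leak which account
    numbers are valid."""
    row = conn.execute(
        "SELECT account_number, owner, balance FROM accounts "
        "WHERE account_number = ? AND owner = ?",
        (account_number, session_user),
    ).fetchone()
    if row is None:
        raise Forbidden(f"{session_user} may not view {account_number}")
    return row


def enumerate_accounts(conn, session_user, lookup, start, count):
    """Simulate the attacker's loop: log in once, then try sequential account
    numbers against the given lookup function and keep every record returned."""
    found = []
    for n in range(start, start + count):
        try:
            row = lookup(conn, session_user, str(n))
        except Forbidden:
            continue
        if row is not None:
            found.append(row)
    return found


if __name__ == "__main__":
    db = build_db()
    print("injection:", lookup_sqli(db, "' OR '1'='1"))
    print("missing authz:", enumerate_accounts(db, "alice", lookup_missing_authz, 1000000, 10))
    print("hardened:", enumerate_accounts(db, "alice", lookup_hardened, 1000000, 10))
```

Note that the Citibank-style function is already free of SQL injection; parameterizing the query fixes the Comodo class of bug but does nothing for the authorization bug, which is why the hardened lookup binds the session user into the WHERE clause rather than checking ownership afterwards. Running the enumeration loop against the two versions is also a cheap regression test to keep in a build: the unauthorized variant returns every account, the hardened one returns only the session user’s own.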
If anyone knows of the details for the Epsilon, WordPress, Cyworld or Steam breaches please send them to me so I can update this post. The more we understand about the root cause of breaches, the more accurately we can use a risk-based approach to security. By understanding the attacks that are succeeding we can commit resources to preventing, mitigating and detecting those attacks. The knowledge that 66% of the major breaches with a known root cause were due to application vulnerabilities should be a wake-up call for organizations that are not performing application security prevention and mitigation as part of their SDLC and software acquisition processes.
Written by: Chris Wysopal