2014 was a good year for cybercriminals. Several marquee hacks cost corporations billions of dollars, and, as Veracode's "2014: The Year of the Application Layer Breach" ebook points out, almost all of them originated in the application layer. As businesses of every kind become more dependent on software, the number of potential vulnerabilities in their systems grows with it.
From point-of-sale systems to one-off event websites, enterprises weave tangled webs of interconnected applications, and a single vulnerability anywhere in that web can spell disaster. Here's a look at a few of the most infamous attacks of 2014, and what they all have in common.
Most of the attacks on major retailers in 2014 stole customer card data from components of point-of-sale systems. In Target's case, the kill chain began with a web application built for Target's vendors: the application was never meant to handle cardholder data, yet it gave the attackers the foothold from which they reached the systems that did. Michaels craft stores suffered a similar theft of customer data, though there the attackers went after the point-of-sale systems directly, and the compromise cost roughly 2.6 million Michaels customers their card numbers. Home Depot's point-of-sale breach started with stolen vendor credentials, which got the attackers onto the network and from there to the registers; the company reported $62 million in associated costs alone.
Once attackers find a way into a company's network, it is only a matter of time before they reach its point-of-sale systems and begin harvesting customer card data, the cybercrime equivalent of gold, costing the retailer both money and credibility.
JPMorgan Chase offers online banking services and ostensibly has every cybersecurity best practice in place. So how did it end up on the list of notable hacking victims in 2014? A vendor built the website for the bank's annual charity race, and JPMorgan Chase treated that site as trusted. Attackers found a vulnerability in the website and used it as a path into internal Chase systems, in a breach that affected over 76 million households and 7 million businesses.
Neiman Marcus, like most major corporations, builds many applications in-house to ensure its needs are met while maintaining a competitive advantage. One of those in-house applications was compromised with a RAM scraper: malware that reads card data out of a payment application's process memory in the brief window where it sits unencrypted. That let the attackers steal data belonging to another application entirely, and it resulted in the theft of over 350,000 credit card numbers.
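To make the RAM-scraper technique concrete, here is an added example (not code from the original post, from Veracode, or from any of the retailers named) that does what both the malware and the memory-scanning tools used to detect it do: sweep a byte buffer for magnetic-stripe Track 2 records (the `;PAN=YYMM...?` layout), discard false positives with the Luhn check, and report masked results. The buffer is a constructed stand-in for a process memory dump, and the card number in it is a well-known test PAN, not real cardholder data.

```python
"""Scan a memory buffer for unencrypted Track 2 card data.

Added example: the buffer below is constructed by hand to stand in for a
dump of a point-of-sale process; in practice a scanner reads the live
process memory. 4111111111111111 is a published Visa test number.
"""
import re
from typing import Dict, List

# Track 2 layout as it sits in memory before encryption:
# ';' PAN(13-19 digits) '=' YY MM service-code(3) discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample: one valid record, one decoy that fails Luhn, plus noise.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v3.1\x00"
    b";4111111111111111=2512101123456789?"   # constructed, Luhn-valid test PAN
    b"\x00\x00garbage\xff\xfe"
    b";1234567890123456=2401101000000000?"   # constructed decoy, fails Luhn
    b"\x00"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    """Find Track 2 records in buf and return masked findings.

    Each finding carries the byte offset (so an analyst can locate the
    record in the dump), the masked PAN, expiry (YYMM) and service code.
    Candidates that fail Luhn are dropped: random digit runs rarely pass,
    so the check removes most false positives without a card BIN table.
    """
    hits: List[Dict[str, object]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": (m.group(2) + m.group(3)).decode("ascii"),
            "service_code": m.group(4).decode("ascii"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Run against the constructed buffer, the scan reports exactly one finding, at offset 14, with the PAN masked as `411111******1111`; the decoy record is rejected by the Luhn check. The same pattern match is why a RAM scraper needs no knowledge of the payment application's internals, and why a defender's memory scan catches the exposure regardless of which application holds the data.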
It takes only a line or two to see how preventable many of last year's most notorious breaches were. A single security vulnerability, even in a noncritical application, can leave just enough of an opening for attackers to reach an enterprise's most important information. Most of last year's large application-layer attacks did not target business-critical apps directly; they went through overlooked applications that offered a less-tested, less-monitored way in.
To learn more about what happened last year and how to keep your company from becoming the next victim, download Veracode's ebook on 2014's worst application-layer attacks, what went wrong, and how comprehensive AppSec solutions can prevent such attacks from happening again.