Common Website Vulnerabilities
2018 witnesses some of the largest cyberattacks ever seen: hacks on the Marriott Group, Equifax, Yahoo, and Facebook all resulted in major data breaches. Add to this the increased level interference in election processes around the world, and it is clear that we are facing a crisis.
This has been clear for some time, but you wouldn’t know that from the stats.
Instead, in 2020 websites seem t o be getting less secure.
Ptsecurity found that, at the end of 2018, the vulnerability of web applications was on the rise again, after many years of decrease: they found that 67% percent of web apps had high-security vulnerabilities at the end of 2018, which the most common being Insufficient Authorization, Arbitrary File Upload, Path Traversal, and SQL Injection.
In 2020, that trend seems to be continuing. Make sure to use a VPN when surfing online (see my guide to best VPN Canada).
Let’s look at the numbers.
The Cybercrime Economy
First, let’s take a look at the size of the cybercrime and cybersecurity economy.
- The total monetary value of cybercrime is hard to assess, especially given that many companies keep successful hacks secret. But research by Accenture has found that direct and indirect attacks put $5.2 trillion at risk over the next five years.
- Looking at the other side of the coin, research carried out Global Market Insights puts the size of the cybersecurity market at $300 billion a year by 2024.
- In the US, cybersecurity is a major sink for government funds. According to the 2020 budget released by the White House, the government plans to spend $15 billion on protecting consumers, businesses, and critical infrastructure in 2020. This is a 4.1% increase on 2018.
- These are huge numbers, and small businesses are having a hard time keeping up. Juniper Research found that in 2018, the averag small business spent less that $500 per year on cybersecurity.
- The low level of investment of SMEs in cybercrime is also worrying, because SCORE have found that SMEs are the target of 43% of all cyberattacks.
- When it comes to detecting and reporting hacks, we are making some progress, but not much. The average time to report data breaches in 2020 was 49.6 days, according to Risk Based Security. This is a little better than 50+ days in 2018, is still concerning.
- At the broadest scale, cybercrime is still on the rise. The Ninth Annual Cost of Cybercrime survey by Accenture found that security breaches increased by 11% in 2018, and that this is likely to continue into 2020.
- The same survey also took a longer-term look at the increase in cyberattacks, and found that they had increased by 67% over the past five years.
The Costs of Hacks
The sheer scale of cybercrime, and the huge numbers involved, can sometimes mean that the victims of hacks – individuals, companies, and even governments – can be forgotten. So let’s look at the real-life affects of cybercrime.
- The Cybersecurity Ventures Annual Crime Report for 2020 puts some numbers on the consequences of hacks for businesses. They have found that cybercrime damages are expected to cost businesses $6 trillion annually by 2021, a number which they point out “represents the biggest transfer of wealth in human history”.
- Of this $6 trillion, ransomware damages are the fastest growing. Cybersecurity Ventures say that the cost of ransomware will reach $20 billion by 2021.
- According to Accenture’s global study, the average cost of cybercrime for organizations is estimated to be $13 million a year.
Cybercrime is a huge problem when it comes to the profitability and sustainability of companies. But successful hacks can also have severe consequences for huge numbers of consumers.
- Let’s get one thing out of the way: the USA is the number one target of cyberattacks, according to research by Norton. That might be one statistic where US citizens are less than proud of being #1.
- In the US, more than 60% of citizens have been exposed to online fraud, according to a report by the American Institute of CPAs.
- Gallup’s annual crime survey looks a little deeper, and has found that the scale of cybercrime in the USA is startling. 23% of Americans report that they, or someone they know, have been the direct victim of cybercrime.
- The majority of these people fell victim to just a small number of huge data breaches. In 2018, according to a report by RBS, just 12 data breaches exposed more than three quarters of all the records compromised that year. The number of records? More than 100 million.
- Looking to the future, Juniper Research claim that 33 billion records a year will be stolen by 2021.
Cybercrime By Industry
Some industries are more likely to be the target of cybercrime than others. In particular, companies that work with critical infrastructure, or sensitive personal information, are the most at risk.
- At the moment, manufacturers and mining companies are favored targets. A report by Make UK and AIG found that 48% of manufacturers in the UK have been targeted by cybercriminals, and according to Symantec’s Internet Security Risk Report, 38.4% of companies in the mining industry have seen similar attacks.
- In the future, healthcare companies are going to be increasingly targeted. Cybersecurity Ventures have said that they expect attacks against healthcare companies to increase five times (yes, five times) by 2021.
- According to Symantec’s Internet Security Risk Report, the public sector is also being increasingly targeted. One in every 302 emails received by public employees in 2020 has been a scam.
- Malware is also on the increase, particularly in the banking and finance industries. Kaspersky Labs have recently updated their list of malware families to include more than 20 types of malicious ATM software.
The Top Hacks
Now for the rogue’s gallery: the biggest hacks of 2018 (and early 2020), and the number of victims of each.
- Actually the biggest hack of 2018 was outside the US. An incredible 1.5 billion Indian citizens had their personal information leaked during a hack on the country’s national ID database. That’s almost everyone in the country.
- In the US, the largest hack of 2020 was also the largest data breach in history. In March, an It security researcher found a database called “Collection 1”, which contained email addresses and passwords of 1.16 billion people.
- Facebook seems to have a major data breach every year, and 2020 has been no exception. 540 million records were publicly exposed, according to a report by Upguard.
- The list goes on. The Marriott Group revealed the personal information of 500 million users in late 2018, and 340 million customer records were released in a breach from Exactis, according to CNET.
The Most Common Types of Website Vulnerability
Now we have some idea of scale of cybercrime, let’s look at the most common source of vulnerabilities for businesses and other organizations: their websites.
Looking at the most common website vulnerabilities in 2020 is a slightly depressing task. That’s because the most common (and the most dangerous) vulnerabilities are those that were on the same list in 2018, in 2008, and in 1988.
These are: DDoS attacks, malware infection, Man in the Middle Attacks, and poorly secured Web Apps.
Let’s look at each separately.
Distributed Denial of Service (DDoS) attacks are more common than ever before, and are still the most popular form of website attack.
- Given this, it’s not surprising that 2018 saw the largest ever DDoS attack. A “US-based provider”, according to NETSCOUT, was the target of a reflection / amplification attack that hit their website with 1.7 terabytes of malicious requests per second. For some perspective, that’s the equivalent bandwidth of streaming 200,000 HD TV shows simultaneously.
- DDoS also accounts for a large portion of the cost of cybercrime. Bulletproof’s Annual Cyber Security Report from 2020 found that a DDoS attack typically costs large companies $2 million, and smaller companies $120,000.
- That’s not surprising, given that DDoS ‘attack kits’, available to buy on the Dark Web, cost about $20, according to an article by Ars Technica.
- The average length of time it takes for a device, newly connected to the internet, to get attacked by a DDoS request is 5 minutes, according to NETSCOUT.
- All of these stats are familiar, but DDoS attacks also show some new features. According to Kaspersky, for instance, China accounted for more than 50% of DDoS attacks at the end of 2018.
- Another concern is that, with more IoT devices than ever connected to the web, the power of DDoS attacks is only likely to increase. Gartner have estimated that the number of IoT devices will reach 20.4 billion by 2020, and that this will make DDoS attacks more dangerous than ever.
Malware is still a huge problem. In fact, malware is more common than ever.
- Email is still the most common way for malware to spread. CSO Online have reported that email is responsible for spreading up to 92% of malware instances. But that doesn’t mean that websites aren’t vulnerable to malware.
- Most malware is now distributed as malicious scripts. PowerShell scripts have long been a huge source of vulnerability, but Symantec have found that the use of malicious Powershell scripts jumped 1000% in 2018. The same report found that scripts form 47.5% of malicious email attachments.
- Malware affects all types of devices, and can be a threat to websites from laptops, tablets, and smartphones. In fact, smartphones might well become the biggest source of malware in the next decade: mobile ransomware increased by 33% lat year, according to Symantec.
- Malware is also now a huge threat for businesses. Malware specifically targeted at enterprises increased by 12% in 2020, as found by Symantec.
Man In The Middle Attacks
A major source of website vulnerability is man in the middle attacks. For poorly secured websites, it is relatively easy for hackers to insert themselves between customers and websites owners, and intercept all the information being sent between them.
MITM attacks, as they are known, are also on the increase.
- For instance, MITM techniques were involved in 35% of website exploitation in 2018, according to IBM’s X-Force Threat Intelligence Index 2020.
- This is not surprising, given how unprepared many businesses are for MITM attacks. Netcraft have found, for instance, that 95% of HTTPs servers were vulnerable to MiTM in 2016, and that little has been done since then to fix these vulnerabilities.
- More worrying still is the fact that only 10% of companies have implemented HSTS for their websites, which leaves them open to attack. W3Techs carried out this research, and also recommended that all websites implement the protocol as soon as possible.
Web Application Attacks
Web apps are now an integral part of almost every website, and the rise in their use has been accompanied by a similar rise in their exploitation. According to research by Imperva, for instance, more than half of web apps have a public exploit that is available for hackers, and more than a third of these exploits do not have a solution.
- The most common forms of web application attacks, according to a report by TrustWave, are those that exploit cross-site scripting (XSS), which constituted about 40% of such attacks, and SQL injections, which accounted for 24%.
- Web application vulnerabilities are also extremely common. Acunetix have found that 46% of websites have this sort of vulnerability.
- This type of website vulnerability is also on the rise. SQL injection and cross-site scripting attacks increased by 38% in 2018, according to research by Akamai. WordPress, the most popular CMS by far, is a common target of SQL injections because most popular WordPress hosts use SQL by default.
- Formjacking also saw a huge increase in 2018. The average number of websites compromised by form-jacking exploits per month in 2018 was 4818, according to Symantec.
- According to Acunetix, 2% of web applications were also susceptible to remote code execution, which allows a malicious user to execute their own (malicious) code within your website’s scripts. And while 2% might not sound that high, given the sheer number of websites out there, this represents a huge number of vulnerable websites.
- In fact, the vast majority of Local Area Network (LAN) penetration in 2020 has been due to web application weaknesses, according to research by Positive Technologies.
The Bottom Line
And there we have it: the scale of website vulnerability in 2020, and the most common forms of exploits.
These numbers might be shocking, but they confirm a truth that we’ve all known for quite a few years. The scale of cybercrime is a huge problem, and one that we are nowhere near solving.
Taking some basic steps to secure your website can help to limit your susceptibility to these cyber attacks, and potentially save your business from them. And you should also remember that you are not alone – if you use one of the best web hosting companies in Canada, they will help by providing security tools that can keep your website safe.