Driven by the hacktivism of the loose-knit Anonymous group, denial-of-service attacks surged to the top of the list of web incidents, outpacing SQL injection and cross-site scripting, according to a survey of publicly disclosed attacks.
The ongoing survey, known as the Web Hacking Incident Database, categorized 222 incidents in 2010 and found that attackers aimed to take down the websites in a third of the incidents, while defacement accounted for 15 percent of attacks and stealing information was the goal in 13 percent of incidents. Unsurprisingly, the popular goal of causing downtime meant that denial-of-service attacks accounted for about a third of attack types, followed by SQL injection (21 percent) and cross-site scripting (9 percent).
In many industry reports, denial-of-service is not even on the list, but companies should worry about such brute-force tactics, says Ryan Barnett, a senior security researcher with security firm Trustwave's SpiderLabs, who manages the WHID project.
"You need to re-prioritize because web servers are actively being targeted with denial-of-service attacks," says Barnett.
Yet, different industries should also worry about different types of attacks, he says. Attackers focus on stealing money from financial firms using stolen credentials, according to the WHID data. They also tend to focus on defacing government sites and stealing credit-card numbers from retailers, using SQL injection in both cases, according to the WHID. The latter two relationships are weaker, however: while those are the most popular goals for attackers, each only accounts for a bit more than a quarter of attacks against the particular vertical. Money is the goal in two-thirds of attacks against financials.
"The outcomes and attacks and weaknesses are different, so depending on what market you are in, we have a pool of attacks that worked," says Barnett. "So CSOs should pick out examples in their market because those are most applicable to them."
Attackers' focus on downtime means that corporate CSOs need to make sure that they can handle web-specific denial-of-service attacks. Many such attacks focus on flooding the web servers, but low-and-slow attacks are becoming more popular and require a different defence.
"Many of these organisations foolishly think that the network security gear that they have to handle the lower level DOSing floods will take care of this and it won't," Barnett says. "The overall amount of traffic that you have to send to take down the web server is a lot less, and it looks legitimate."
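To make Barnett's point concrete, here is an added Python example (not from the article or from the WHID project) that contrasts a volumetric request-rate rule, of the kind network DoS gear applies, with a per-connection slow-client check, run over a constructed set of connection records; all addresses, thresholds and record fields are assumed values.

```python
"""Hypothetical detector comparison: a flood threshold versus a per-connection
slow-client check. All connection records below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str          # source address (constructed sample value)
    duration_s: float    # seconds the connection has been open
    bytes_in: int        # bytes received from the client so far
    headers_done: bool   # whether the request headers have fully arrived


# Constructed sample: 3 ordinary browsers, 1 flooding host, 5 slow clients.
SAMPLE = (
    [Conn("198.51.100.10", 0.2, 700, True)] * 3
    + [Conn("203.0.113.5", 0.05, 400, True)] * 500                 # flood
    + [Conn("192.0.2.%d" % i, 240.0, 60, False) for i in range(5)]  # slow
)


def flood_suspects(conns, window_s=1.0, max_rps=100):
    """Volumetric rule: flag a source whose request rate over the window
    exceeds max_rps. It only counts requests, so a handful of slow
    connections per source never trips it."""
    counts = defaultdict(int)
    for c in conns:
        counts[c.client] += 1
    return {ip for ip, n in counts.items() if n / window_s > max_rps}


def slow_suspects(conns, max_header_s=30.0, min_bps=10.0):
    """Application-layer rule: flag a connection that has held a server
    worker longer than max_header_s without finishing its headers, or that
    trickles data below min_bps. This is the check the flood rule lacks."""
    out = set()
    for c in conns:
        starved = c.duration_s > max_header_s and not c.headers_done
        trickle = c.duration_s > 0 and c.bytes_in / c.duration_s < min_bps
        if starved or trickle:
            out.add(c.client)
    return out


if __name__ == "__main__":
    print("flood rule flags:", sorted(flood_suspects(SAMPLE)))
    print("slow-client rule flags:", sorted(slow_suspects(SAMPLE)))
```

Run as written, the flood rule flags only the 500-request host, while the five slow clients (one request each, trickling 60 bytes over four minutes) pass it and are caught only by the per-connection check.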