[Owasp-ireland] The Verizon 2012 Data Breach Investigations Report is out!

Brian Honan Brian.Honan at bhconsulting.ie
Fri Mar 23 10:22:15 UTC 2012


Folks

Don't forget the report reflects the cases reported by those involved. It may not reflect trends not reported to the bodies involved.

In the case of IRISSCERT the majority of issues were related to misuse/abuse of login credentials. We had some cases involving SQL injection but appsec issues were in the minority when it came to our contribution to the report.

Brian
Sent from my BlackBerry® wireless handheld
________________________________
From: David Rook <david.rook at realexpayments.com>
Sender: "owasp-ireland-bounces at lists.owasp.org" <owasp-ireland-bounces at lists.owasp.org>
Date: Fri, 23 Mar 2012 01:58:26 -0700
To: Eoin<eoin.keary at owasp.org>
Cc: owasp-ireland at lists.owasp.org<owasp-ireland at lists.owasp.org>
Subject: Re: [Owasp-ireland] The Verizon 2012 Data Breach Investigations Report is out!

Hi Eoin,

Yep, it can, but how malware was installed was included in the report as well, and XSS is going to account for very few of those infections I think. According to the report, 95% of all malware used in those data breaches was installed after the attacker got access to the system; at best I think only around 3% of the malware used in data breaches came from web app vulns being exploited (2% "injected by attacker" and 1% "drive-by web attacks").

It could be that the malware installed via an XSS exploit is part of the 95% but if it was a significant chunk of that I'd have expected it to be called out in the report.

I could be reading that part of the report wrong though :)

Dave


On 22/03/2012 17:13, Eoin wrote:
But XSS leads to malware upload? It's a payload delivery system.
Agree??

Eoin Keary
BCC Risk Advisory
Owasp Global Board
+353 87 977 2988


On 22 Mar 2012, at 16:48, David Rook <david.rook at realexpayments.com> wrote:

Hi Alexis,

I'd say your final question is correct. I'm not doubting they are big issues (in that they can be exploited and are in many web apps), but they aren't in the same league as the vectors mentioned in the report. I can't remember a big CSRF news story, for example, let alone one that led to a lot of data being stolen.

Dave

On 22/03/2012 16:40, Alexis FitzGerald wrote:

I could not find any mention of XSS (or CSRF). At least they were mentioned in last year's edition. Does this mean that the OWASP Top 10 puts too much of an emphasis on these issues? While they might be prevalent in online applications, they are not actually exploited much in actual data breaches?

Opinions welcome.

Alexis

On 22/03/2012 16:47, David Rook wrote:
Hi Fabio,

What I found interesting is that, of the vectors included in the hacking category, 90% of the breaches were because of non-app-sec issues! I was a bit surprised by that, and it is very different when the report focuses on "large" organisations (54%), but it does provide a strong argument for app sec v non app sec spend not being equal.

Sure app sec spend needs to increase but using the evidence presented in this report (and I acknowledge it's not the complete picture of course) it's a tough sell to convince people that app sec spend should be equal to or more than non app sec spend.

Veracode published a blog which pulled out the app sec "highlights":

http://www.veracode.com/blog/2012/03/verizon-data-breach-investigative-report-2012-application-security-specific-highlights/

Dave

On 22/03/2012 15:02, Fabio Cerullo wrote:

Hi there,

Interesting read... not surprisingly SQL injection is on top of the
list along with credentials misuse and malware.

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Fabio
_______________________________________________
Owasp-ireland mailing list
Owasp-ireland at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-ireland




--
David Rook
Application Security Lead
Product Management
Realex Payments
Enabling thousands of businesses to sell online.

Connect with us:
http://www.twitter.com/securityninja
http://www.twitter.com/realexpayments
http://www.facebook.com/realexpayments
http://www.linkedin.com/company/realex-payments
http://www.youtube.com/realexpayments

Realex Payments Dublin:
t: +353 (0)1 2808559 | f: +353 (0)1 2808538  | http://www.realexpayments.com

Realex Payments London:
t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  | http://www.realexpayments.co.uk

Realex Payments Paris:
t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51 | http://www.realexpayments.fr

Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is registered in Ireland, company number 324929.
This mail and any documents attached are classified as confidential and are intended for use by the addressee(s) only unless otherwise indicated. If you are not an intended recipient of this email, you must not use, disclose, copy, distribute or retain this message or any part of it. If you have received this email in error, please notify us immediately and delete all copies of this email from your computer system(s).







