Monday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I've been writing posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at Web application attacks by industry.
- Q4 2015 SOTI Security presentations at RSA Conference 2016
- Q4 2015 SOTI Security Infographic
- Video: SOTI Security in 60 Seconds with Akamai CSO Andy Ellis
- Five Mega DDoS Attacks
This quarter, the retail sector suffered the vast majority of web application attacks: 59%. Media and entertainment suffered 10% of attacks, as did the hotel and travel industry. Financial services suffered 7% of attacks, followed by high technology (4%), consumer goods (3%), manufacturing (2%), the public sector (1%), and gaming (1%).
Retail / Retailers are targeted for DDoS attacks, but they are also targeted for web application layer attacks for significant reasons. Retailers have large amounts of valuable information in their databases, and if an adversary is able to find a SQLi vulnerability, the attacker can access the retailer's information. Retailers also have a large number of visitors to their websites. As a result, attackers will find and exploit cross-site scripting vulnerabilities to deface retailers' websites, causing a loss of trust among customers. Alternately, the attacker may use a compromised site for a watering hole attack, loading malware on site visitors' computers. Retailers may also be a target for unvalidated requests. For example, if an attacker could control the price of the item being purchased, items may be sold for an amount far different from what the retailer intended. Merchants need to be cognizant of all possible ways their web applications may be compromised.
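The "unvalidated request" case above, where a checkout trusts a price the client sends, is easiest to see next to its fix. The following is an added example written for this post, not code from Akamai or the report: a checkout handler that trusts a client-supplied price beside one that prices every line from a server-side catalog, validates quantity, and rejects (so it can be logged) any request whose echoed price disagrees with the catalog. The catalog, the request dictionaries and the function names are constructed for illustration.

```python
"""Added example (not from the Akamai report): server-side pricing as the defence
against client-controlled prices in a checkout request. Catalog and requests are
constructed sample data."""
from decimal import Decimal

# Constructed catalog; in a real shop this is the merchant's product database.
CATALOG = {
    "sku-100": {"name": "Headphones", "price": Decimal("79.99")},
    "sku-200": {"name": "USB cable", "price": Decimal("9.49")},
}

# Constructed requests: one honest, one with the price field changed by the client.
HONEST_REQUEST = {"items": [{"sku": "sku-100", "qty": 1, "price": "79.99"},
                            {"sku": "sku-200", "qty": 1, "price": "9.49"}]}
TAMPERED_REQUEST = {"items": [{"sku": "sku-100", "qty": 2, "price": "0.01"}]}


class PriceTamperingError(ValueError):
    """Raised when the price the client sent disagrees with the catalog price."""


def vulnerable_checkout_total(request):
    """Vulnerable pattern: the total is computed from whatever price the client posted,
    so a modified hidden form field or JSON body sets the sale price."""
    total = Decimal("0")
    for item in request["items"]:
        total += Decimal(str(item["price"])) * int(item["qty"])
    return total


def hardened_checkout_total(request, catalog=CATALOG):
    """Hardened pattern: the price is taken only from the server-side catalog, the SKU
    and quantity are validated, and a client-echoed price that does not match the
    catalog is rejected rather than silently corrected, so the attempt can be logged."""
    total = Decimal("0")
    for item in request["items"]:
        sku = item.get("sku")
        if sku not in catalog:
            raise ValueError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        if not isinstance(qty, int) or qty < 1 or qty > 100:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        server_price = catalog[sku]["price"]
        if "price" in item and Decimal(str(item["price"])) != server_price:
            # Mismatch is a tampering signal worth alerting on, not just a data error.
            raise PriceTamperingError(
                f"client price {item['price']} != catalog price {server_price} for {sku}")
        total += server_price * qty
    return total


if __name__ == "__main__":
    print("honest, hardened:", hardened_checkout_total(HONEST_REQUEST))
    print("tampered, vulnerable:", vulnerable_checkout_total(TAMPERED_REQUEST))
    try:
        hardened_checkout_total(TAMPERED_REQUEST)
    except PriceTamperingError as exc:
        print("tampered, hardened: rejected ->", exc)
```

The design point is that the client-supplied price is never an input to the total; it is at most a consistency check whose failure is logged as a tampering indicator, which also gives the fraud team a detection signal the vulnerable handler never produces.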
Media and entertainment / The media and entertainment industry saw about the same level of attacks in Q4 as in Q3: 10%. Organizations such as movie studios and news agencies are attractive targets because they are highly visible and any successful attack on these targets is going to generate a certain amount of publicity.
Hotel and travel / The hotel and travel industry saw about the same level of attacks in Q4 as in Q3: 10%. This vertical includes hotels, booking agencies, travel sites and rental agencies. Because many of these organizations are heavily reliant on their online presence to conduct business, any downtime has a major effect. As with retail organizations, travel sites change frequently and have significant amounts of sensitive information. The rate of change means that more opportunities to discover vulnerabilities exist than on more stable sites.
Financial services / The financial services industry includes major financial institutions such as banks, insurance companies, payment providers and trading platforms. The financial industry experienced a slight drop in Q4 (7%), down about a percentage point from Q3. Banks and other financial organizations make tempting targets. Even if attackers aren't able to steal money directly, they know they can make a profit through extorting these services with the threat of downtime.
High technology / The software and technology industry includes companies that provide solutions such as Software-as-a-Service (SaaS) and cloud-based technologies. In Q4 2015, this sector suffered 4% of web application attacks. This is a broad category that can encompass anything from online personnel services to fledgling internet startups.
Consumer goods / This industry saw 3% of web application attacks in Q4 2015.
Manufacturing / The manufacturing sector experienced 2% of web application attacks in Q4 2015. Manufacturing covers anything from organizations that make screws to automotive companies and pharmaceuticals. While not as reliant on their sites as retail organizations, manufacturers still perform many advertising and marketing functions through their websites, making them repositories of information as well as being sensitive to downtime.
Public sector / The public sector experienced 1% of web application attacks in Q4 2015. Including municipal, state, federal and international sites, the public sector covers all sites owned and operated by governments. These sites are often the target of varying forms of digital protest and are attacked to make political statements.