The average number of attacks against any company’s set of web applications is staggering: They range from 300 to 800 per day—and never fall below 140.
That’s according to Positive Technologies research, which also found that some companies fare worse than others: In the second quarter, one company was targeted more than 35,000 times in just one day.
The second quarter of 2017 saw a stable but persistent level of attack activity, the firm found. More than a third (39.1%) of attacks involved cross-site scripting (XSS), while almost a quarter (24.9%) used SQL injections—suggesting the aim for a significant portion of attacks is to access or steal sensitive information.
In addition, the report shows that hackers are actively exploiting recently identified vulnerabilities. The minimum time lag between publication of a new vulnerability and the moment of a related attack can be as little as three days. Running out-of-date software therefore makes it significantly easier for hackers to launch an attack, because information about vulnerabilities is readily available, as are ready-to-use exploits.
"Once software vulnerabilities have been detected, it takes some time to install patches and updates, and it takes even longer to introduce changes to the application code, especially if it was developed by a third party. At this moment, applications remain vulnerable while attackers are prepared to strike shortly," says Ekaterina Kilyusheva, an analyst from Positive Technologies. "For this reason, to ensure efficient application security, it is essential not only to update software in time but also to use preventive mechanisms, such as a firewall, to detect and prevent attacks against web resources."
The report also reveals that hackers are most likely to target businesses during the work day. About a third (31%) of all web application attacks took place during the daylight hours, with 2 pm appearing as the most dangerous time. Just one-fifth took place in the middle of the night, suggesting hackers are targeting businesses while people tend to be online at work—or that they keep regular hours themselves.
The data was collected by Positive Technologies from installations of its PT Application Firewall during April, May and June 2017. The attacks were then manually verified to rule out false positives.