Web application exploits play the villain in cybersecurity incidents, according to a new study from The Cyentia Institute. The conclusion forms part of a new F5 Labs-sponsored report entitled The State of the State of Application Exploits in Security Incidents.
The report is the industry’s most thorough multi-source analysis to date of both the prevalence and role of application exploits, drawing extensively on the Cyentia Research Library as well as input from a variety of other sources. Its publication is motivated by a desire to advance how the cybersecurity sector as a whole uses various bits of knowledge to piece together the overall picture.
According to The Cyentia Institute’s analysis, 56 percent of the most severe cybersecurity issues in the last five years can be traced back to a web application problem. For six of the previous eight years, web application attacks have been the most common type of data leak. More than $7.6 billion was spent responding to these attacks, accounting for 42 percent of all financial damages associated with “severe cyber loss occurrences.”
The Cyentia Institute also observed that the average time-to-discovery for instances involving web application exploits was 254 days, much longer than the 71-day average for other extreme loss occurrences evaluated.
However, one of the report’s most eye-catching findings was that state-affiliated threat actors were responsible for 57 percent of all known losses for the major web application breaches in the last five years. This alone resulted in $4.3 billion in losses.
The Cyentia Institute’s analysis of the data and reports also indicated a consensus on critical security advice, which it summarises as “Fix your code, patch your systems, double up your credentials, and watch your back(door).”
“All CISOs probably view vulnerability management, access control, and situational awareness as critical aspects of security operations, but in practice, these strategies reveal themselves as moving targets,” said Raymond Pompon, Director of F5 Labs.
“We were surprised to see that underneath the surface, ‘the state of the state’ is not one of discontinuity and fragmentation, but one of consensus about the difficulty of execution. This is, in reality, quite an eye-opening conclusion. It appears that many security teams know what they need to do, in theory. Putting that theory into practice over time is the real problem here. Security teams don’t need help to figure out what to do, but rather how to do it.”