log inhelp

  • If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!

View
 

Web Hacking Incident Database 2007 Annual Report

Page history last edited by Ryan Barnett 13 years, 10 months ago

The Web Hacking Incidents Database is unique in tracking different aspects of web incidents. Most incident reports focus on the technology used to carry the attack. However to understand the risk associated with web hacks, we need to fully understand the likelihood and the impact of the attacks, and not just the technical details. To be able to answer those questions, WHID tracks the following key attributes for each incident:

  • Attack Method - The technical vulnerability exploited by the attacker to perform the hack.
  • Outcome - the real-world result of the attack.
  • Country - the country in which the attacked web site (or owning organization) resides.
  • Origin - the country from which the attack was launched.
  • Vertical - the field of operation of the organization that was attacked.

 

The WHID 2007 annual report, sponsored by Breach Security Labs, utilizes those attributes to provide answers about:

  • The drivers, business or other, behind Web hacking.
  • The vulnerabilities hackers exploit.
  • The types of organizations attacked most often.

 

Key findings were:

  • 67% percent of the attacks in 2007 were "for profit" motivated. Ideological hacking came second.
  • With 20%, good old SQL injections dominated as the most common techniques used in the attacks. XSS finished 4th with 12 percent and the young and promising CSRF is still only seldom exploited out there and was included in the "others" group.
  • Over 44% percent of incidents were tied to non-commercial sites such as Government and Education. We assume that this is partially because incidents happen more in these organizations and partially because these organizations are more inclined to report attacks.
  • On the commercial side, internet-related organizations top the list. This group includes retail shops, comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers. It seems that these companies do not compensate for the higher exposure they incur, with proper security procedures.
  • In incidents where records leaked or where stolen the average number of records affected was 6,000.

 

Download the full report.

Comments (0)

You don't have permission to comment on this page.

Printable version