3

According to the fourth annual Web Application Attack Report from Imperva retailers suffer from twice as many SQL injection attacks when compared to other industry sectors. What's more, the United States remains the number one source of all web attacks.

Other key findings of the report include the startling revelation that one website was observed to be under attack for 98% of the time, or 176 out of 180 days if you want to be precise. One web application was seen to receive a mind-boggling 94,057 SQL injection requests in a single day which, if you do the math, works out to 1,567 SQL injection attacks per hour or an average of 26 per minute. The typical attack incident lasted around five minutes, but the worst-case incident was about 100 times longer, lasting more than 15 hours. The overall picture isn't as bad as these extremes, obviously, but even so Imperva reports that most web applications will receive four or more web attack campaigns every month.

e97fb44a36e8aebd9467d50b5d222fd0

The bottom line from the research though is that retailers are hardest hit, with the intensity of attack being quite brutal both in terms of number of attacks per incident and duration. Retail applications received an average of 749 individual attack requests per attack campaign. The Imperva analysis suggests that SQL injection attacks on retail applications consisted of more HTTP requests and lasted longer than SQL injection attacks on other applications. This is largely attributable to the design, and the size, of the applications. Think about it, a retail application is likely to contain a relatively large number of pages (online catalogs) hence the length and intensity of the SQL injection attacks hitting them.

Amichai Shulman, CTO at Imperva comments "while these findings undeniably demonstrate that web application attacks are far from consistently distributed, the takeaway is that organizations should base security measures on the worst case scenario, not on the average case. We believe that, with the current threat landscape, organizations can no longer afford to take an every-man-for-himself approach to security. This report demonstrates that the automation and scale of attacks leave a large footprint that can be better addressed by looking at data gathered from a large set of potential victims. Thus it is important to rely on one’s peers to acquire intelligence on malicious sources and apply this intelligence in real time."

Edited by happygeek: unstuck

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

2
Contributors
1
Reply
28
Views
4 Years
Discussion Span
Last Post by LastMitch
0

One web application was seen to receive a mind-boggling 94,057 SQL injection requests in a single day which, if you do the math, works out to 1,567 SQL injection attacks per hour or an average of 26 per minute.

That is very scary. Those softwares that the hackers are creating is working. Which is not good. There are very aggressive.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.