DATELINE: BEDROCK, 2127 BC - Chief Stone Security Officer Fred Flintstone acknowledges that the Bedrock Mining Company web server was defaced by People for the Ethical Treatment of Rocks. BMC's logo of a dinosaur scraping stone from a quarry was replaced with a picture (obviously doctored using PhotoRock 0.1) showing William Hanna and Joseph Barbera in a very BrokeRock Mountain-esque embrace under the caption "Save The Fallen Rocks!"
DATELINE: ORBIT CITY, 2227 AD - Chief Telepathic Risk/Compliance/Safety/Don't Worry-Be Happy Officer George Jetson acknowledges that the Spacely Sprockets Corporation's web server was defaced by People for the Ethical Treatment of Cogged Entities. SSC's server was broken into and the credit card records of 827 billion global sprocket users were exposed. The PR firm of Hanna/Barbera stated: "While we regret this incident, those same records had already been exposed multiple times when the Big One Auditing firm PKWPCMEGYDT employees all used audit HD DVDs as Frisbees at the company picnic, which it turns out was outsourced to a known data piracy firm on Pluto."
Zone-H has released some statistics on successful web attacks in 2005. Now, counting web attacks is not tremendously useful - especially the types of attacks where the attacker brags about it. This is like counting graffiti on a city wall. By far the majority of attacks listed by Zone-H are shown as being done "for fun", "as a challenge" or "I just wanted the best hack." Targeted attacks that go after data for financial gain are a whole nutha story.
There is some interesting data in the Zone-H report, though:
- When you normalize by market share (there are more Apache servers on the web than IIS servers; the latest server survey shows Apache with a 3-to-1 market share advantage over IIS), you find that Apache sites are successfully attacked just about as often as IIS sites. Basically, Microsoft rewrote IIS as of Windows Server 2003, and since then there has been no real difference in the security level of web server software.
- The most common successful attack methods - File Inclusion (24%), Obtaining sys admin Password (10%), Web App Bug (10%), Web Server Intrusion (8%) and SQL Injection (7%) - are pretty much the same techniques used 5 years ago to attack web servers, and not tremendously different from those of 10 years ago, either.
What is actually more interesting to look at is: what are the operators of web servers that repelled attacks doing better than those that could not fend them off? There are some obvious system administration quality issues - configuration management, patching, etc. I'd say, though, that the biggest differentiator I've seen is that companies with processes and controls in two key areas tend not to suffer successful attacks against their exposed web servers:
- Separate development, QA/test and production application zones, not allowing developer or tester access to production systems.
- Required vulnerability testing of code before allowing movement between zones. The lowest-hanging fruit is to require vulnerability testing as part of the approval process before any application can go to production. More difficult, but much more beneficial, is to require vulnerability testing within the development cycle, before code can be checked in for integration and test.
If you are not writing your own code, you should require whoever you buy code from to demonstrate that they do both of the above.
If you don't, it will be déjà vu all over again as far as your company being successfully attacked, as each new wave (CGI!, LAMP!, SOA!) of web app methodologies rolls through - just like the Jetsons getting hit by the same attacks that took down the Flintstones.
Did you ever wonder: Who would win if the Flintstones took on the Jetsons?