The Forrester Research report Top Cybersecurity Threats In 2020 analyzes the attack patterns most often responsible for 2019 breaches and how security professionals can defend against them. Forrester based the report on data from 3,890 respondents in an extensive survey conducted between April 2019 and June 2019.
One of the key findings, which will not surprise application security professionals, is that three of the top five threats that led to data breaches are application security issues. Another widely cited industry report, the Verizon DBIR (June 2020), likewise confirms the rise in attacks on web applications, both as a share of breaches and in the raw number of breaches.
Why are web applications increasingly targeted?
Let's step back to understand why web applications are a top target for attackers. Websites, mobile applications and APIs are built to give users a rich, engaging experience, and in doing so they collect large amounts of personally identifiable information (PII) and sensitive data such as payment card details. As application security has matured to address misconfiguration, privileged access and distributed denial-of-service (DDoS) attacks, attackers have adapted and now come through the front door, using the same entry points as your users: the web pages of your applications and your API endpoints.
The rise of brute force and credential stuffing
The Forrester report notes that “Adversaries commonly leverage public-facing vulnerabilities, phishing, and brute-forced remote access credentials to infiltrate organizations.”
Phishing lets attackers harvest credentials for targeted attacks, but it is far easier for criminals to point automated bots at a login page and run credential stuffing: replaying username and password pairs leaked in earlier breaches against other sites, where they succeed because users reuse passwords. (Brute force guesses many passwords for one account; credential stuffing tries one known pair per account across thousands of accounts, which is what makes it cheap and hard to spot with a per-account lockout alone.) It is 2020, but users still reuse the same passwords on many websites, and billions of stolen credentials are readily available from past breaches. The resulting account takeovers, and the overload of the login endpoint that a stuffing campaign can cause, are not limited to a few industries. The headline statistic from the Verizon DBIR makes the point for every application owner: "Over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials."
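The distinction between the two patterns is what a detection rule keys on: brute force is many attempts against one account from one source, credential stuffing is one or two attempts against each of many accounts from one source, and both show a high failure rate. The following is an added example written for this page, not code from Forrester or the Verizon DBIR. It runs over a small, constructed authentication log (the log format, the thresholds and the IP addresses are all assumptions) and classifies each source, then lists the accounts that actually authenticated during a flagged campaign, since those are the takeovers that need an immediate password reset.

```python
import re
from collections import defaultdict

# Constructed authentication log for this example (not real traffic).
# Format is an assumption: one attempt per line, space-separated key=value fields.
# 203.0.113.5  tries ten different accounts once each and gets one hit (stuffing).
# 198.51.100.7 hammers a single account ten times (classic brute force).
# 192.0.2.9 and 192.0.2.10 are ordinary users; one of them mistyped a password.
SAMPLE_LOG = """\
2020-06-01T12:00:00Z ip=203.0.113.5 user=u01 result=fail
2020-06-01T12:00:00Z ip=203.0.113.5 user=u02 result=fail
2020-06-01T12:00:01Z ip=203.0.113.5 user=u03 result=fail
2020-06-01T12:00:01Z ip=203.0.113.5 user=u04 result=ok
2020-06-01T12:00:01Z ip=203.0.113.5 user=u05 result=fail
2020-06-01T12:00:02Z ip=203.0.113.5 user=u06 result=fail
2020-06-01T12:00:02Z ip=203.0.113.5 user=u07 result=fail
2020-06-01T12:00:02Z ip=203.0.113.5 user=u08 result=fail
2020-06-01T12:00:03Z ip=203.0.113.5 user=u09 result=fail
2020-06-01T12:00:03Z ip=203.0.113.5 user=u10 result=fail
2020-06-01T12:01:00Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:01Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:02Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:03Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:04Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:05Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:06Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:07Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:08Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:01:09Z ip=198.51.100.7 user=carol result=fail
2020-06-01T12:02:00Z ip=192.0.2.9 user=dave result=fail
2020-06-01T12:02:05Z ip=192.0.2.9 user=dave result=ok
2020-06-01T12:02:30Z ip=192.0.2.10 user=erin result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn the key=value log into a list of dicts; silently skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, min_attempts=8, stuffing_min_users=8,
                     bruteforce_max_users=2, min_fail_rate=0.8):
    """Label each source IP. Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        attempts = len(evs)
        distinct_users = len({e["user"] for e in evs})
        fail_rate = sum(1 for e in evs if e["result"] == "fail") / attempts
        if attempts < min_attempts or fail_rate < min_fail_rate:
            verdicts[ip] = "benign"          # too few attempts, or mostly successful
        elif distinct_users >= stuffing_min_users:
            verdicts[ip] = "credential_stuffing"  # one source, many accounts
        elif distinct_users <= bruteforce_max_users:
            verdicts[ip] = "brute_force"     # one source, one or two accounts
        else:
            verdicts[ip] = "suspicious"      # high failure rate, ambiguous shape
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a flagged source: likely takeovers."""
    flagged = {"credential_stuffing", "brute_force"}
    return [(e["ip"], e["user"]) for e in events
            if verdicts.get(e["ip"]) in flagged and e["result"] == "ok"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, label in verdicts.items():
        print(f"{ip:15} {label}")
    print("reset these accounts:", compromised_accounts(evs, verdicts))
```

Grouping by source IP is the simplest cut and is enough to show the shape of each attack, but real stuffing campaigns rotate through proxy pools so that each IP makes only a handful of attempts; in production the same ratios (distinct accounts per source, failure rate) should also be computed per user-agent fingerprint, per /24, and across the whole login endpoint over a short window.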
APIs and third-party code are easy pickings for attackers
The push for faster innovation and the quick rollout of differentiated products and services has also opened new entry points for attackers: API endpoints and third-party code. A page request is rendered by a browser, which applies client-side validation and same-origin rules along the way; an API call can be issued directly by any script, so an API is a direct pipeline to specific resources and actions, and every authentication and authorization check has to be enforced on the server. Lax controls on APIs make them a preferred target. The Forrester report provides more detail on recent breaches and how they exploited unauthenticated API endpoints and poor access control.
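The two failures the report names, an endpoint that does not require authentication and one that authenticates the caller but never checks that the requested object belongs to them, look like this in code. The following is an added example for this page, not code from Forrester or from any product; the handler names, the in-memory order table and the (status, body) return convention are assumptions standing in for a real web framework. The vulnerable handler returns whatever order ID the client asks for, so a caller can walk sequential IDs and read every customer's data; the hardened handler requires a session and checks ownership.

```python
# Constructed in-memory data for the example; a real service reads from a database.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "card_last4": "4242"},
    1002: {"owner": "bob",   "total": 99.50, "card_last4": "1881"},
}


def get_order_vulnerable(session, order_id):
    """Broken object-level authorization: trusts the ID in the request.

    No authentication is required and the owner is never compared to the caller,
    so any client can fetch any order.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def get_order(session, order_id):
    """Hardened handler: require an authenticated principal, then check ownership."""
    user = (session or {}).get("user")
    if not user:
        return 401, {"error": "authentication required"}
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same response for "does not exist" and "not yours", so the endpoint
        # cannot be used as an oracle to enumerate which order IDs exist.
        return 404, {"error": "not found"}
    return 200, order


def enumerate_orders(handler, session, id_range):
    """Simulate a client walking sequential IDs; returns the IDs that returned data."""
    return [oid for oid in id_range if handler(session, oid)[0] == 200]


if __name__ == "__main__":
    alice = {"user": "alice"}
    print("vulnerable, no session:", get_order_vulnerable(None, 1002))
    print("vulnerable, alice walks IDs:",
          enumerate_orders(get_order_vulnerable, alice, range(1000, 1010)))
    print("hardened, no session:", get_order(None, 1002))
    print("hardened, alice walks IDs:",
          enumerate_orders(get_order, alice, range(1000, 1010)))
```

Returning 404 rather than 403 for another user's object is a deliberate choice: a 403 confirms the ID exists and invites enumeration. Using non-sequential, unguessable identifiers for exposed objects further narrows the window, but it is a defense in depth, not a substitute for the ownership check, which has to run on every request that names an object.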
“Even if you regularly test your web components against code injection attacks, third-party components are outside your code control.” - Top Cybersecurity Threats In 2020 report, Forrester
You may be up to date with your own security patches, but do you know whether a third-party service provider in your supply chain has the same security posture as your organization? A single phishing email to an employee of that provider can compromise every website that loads the provider's script. This is the mechanism behind digital skimming, or Magecart, attacks: the injected JavaScript runs in the shopper's browser, reads card data from the checkout form and sends it to a domain the attacker controls. That traffic never passes through your web application firewall, which is why this evolving form of cybercrime evades traditional defenses.
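Because the skimmer runs in the browser, the controls that matter are the ones you ship to the browser: knowing exactly which script hosts your checkout page is allowed to load, pinning static third-party scripts with Subresource Integrity, and a Content Security Policy that blocks script execution and data exfiltration to any other origin. The following is an added example for this page, not Forrester's or any vendor's code; the checkout page, the partner hostnames and the skimmer host are all constructed (`.example` is a reserved TLD). It audits the page's script tags against an allowlist and builds the matching CSP header.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (not a real site). The last <script> stands in for a tag
# that a compromised third-party library pulled in; the host is fictional.
# The integrity value is a placeholder; a real tag carries the base64 digest of the file.
SAMPLE_PAGE = """
<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="/static/app.js"></script>
<script src="https://cdn.partner.example/widget/v3.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.partner.example/tag.js"></script>
<script src="https://cdn.skimmer.example/jquery-compat.js"></script>
</body></html>
"""

# Hosts the page is expected to load script from (assumption for the example).
ALLOWED_HOSTS = {"cdn.partner.example", "analytics.partner.example"}


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, allowed_hosts):
    """Return (finding, src) pairs for scripts that violate the allowlist or lack SRI.

    Relative (first-party) URLs are accepted. Third-party scripts must come from an
    allowed host; allowed-host scripts without an integrity attribute are reported
    too, because a pinned digest is what detects the file being modified upstream.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue                      # inline scripts are out of scope here
        host = urlparse(src).netloc
        if not host:
            continue                      # first-party relative URL
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif "integrity" not in attrs:
            findings.append(("no-sri", src))
    return findings


def build_csp(allowed_hosts):
    """CSP that limits script execution to known hosts and exfiltration to 'self'.

    connect-src covers fetch/XHR beacons, img-src covers image-tag beacons and
    form-action covers a skimmer that submits the form to another origin.
    """
    hosts = " ".join(sorted(allowed_hosts))
    return (
        "default-src 'self'; "
        f"script-src 'self' {hosts}; "
        "connect-src 'self'; img-src 'self'; form-action 'self'"
    )


if __name__ == "__main__":
    for finding, src in audit_scripts(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"{finding:16} {src}")
    print("Content-Security-Policy:", build_csp(ALLOWED_HOSTS))
```

SRI only works for scripts whose content is fixed, so a tag manager or analytics loader that changes without notice cannot be pinned; for those, the CSP's `script-src` and `connect-src` directives are the control that still holds, and a `report-uri`/`report-to` endpoint turns every blocked load into an alert that a third party has changed what it serves.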
Best practices for application owners
“Web application firewalls may detect or block some bot attacks, but they won’t stop the influx of attempts—nor will they protect against other forms of fraud.” - Top Cybersecurity Threats In 2020 report, Forrester
The truth is that threats will keep evolving. Managing risk means rethinking your security strategy and putting application security at the center of data protection. You will still need your DDoS protection, phishing simulations, machine learning and artificial intelligence based detection, coverage of internet of things (IoT) devices and many other ongoing security initiatives.
Continuously assess emerging threats by analyzing top industry publications and research data, and ask how each one affects your business. Ransomware, for example, dominates the headlines, but endpoint security products are already built to address it; if your online store is the most important part of your business, your time may be better spent understanding advanced application security threats. For applications that expose APIs, the Forrester report analyzes the different API protection strategies and how they can bolster your API security.
You can get ahead of breaches by working with solution providers that offer best-of-breed protection against multiple threats on a single platform. Ask your cyber insurance carrier whether addressing newer threats such as digital skimming, to protect users' sensitive data and personal information, can lower your premium.
The Forrester report gives security and risk professionals the historical trends behind the attack patterns responsible for 2019 breaches, which makes it easier to prioritize IT spend and combat bad bots so the company can stay focused on revenue growth. The best practices it outlines create measurable processes in your organization, so you know where you need to do better and can fix it.
Find out more about the top cyber threats for 2020 and assess the risk to your organization. Download the report here.