
Biggest Data Breaches 2022

Which of the OWASP Top 10 Caused the World’s Biggest Data Breaches?

The OWASP Top 10 is a well-known index of web application security vulnerabilities, used every day by security professionals. But one thing is missing from the index: how often is each of these vulnerabilities actually used by attackers to breach organizations?

We looked at a data set of 1,792 security breaches and found that of the 10 OWASP categories, the top-ranked one, A1-Injection, was the root cause of only 4 of the 50 most devastating breaches (8%). OWASP’s 9th-ranked category, A9-Using Components with Known Vulnerabilities, was the biggest, with 12 breaches (24%). And 15 breaches (30%) were caused by problems not listed in the OWASP Top 10 at all. Read on to see how the OWASP Top 10 in theory compares with massive security exploits in practice.

IN A BIT MORE DETAIL

The OWASP Top 10 is a list of “the ten most critical web application security risks”, including SQL injection, Cross-Site Scripting, security misconfiguration and the use of components with known vulnerabilities. The items on the list were selected and ranked on four criteria: ease of exploitability, prevalence, detectability, and technical impact (business impact is treated as application-specific and left to each organization to assess).

However, one criterion is left out of the Top 10 by design. The OWASP Top 10 2013 release document states: “This approach does not take the likelihood of the threat agent” (p. 20). In other words, the ranking does not consider how likely it is that attackers will actually strike using a given vulnerability.

Leaving out this criterion is reasonable in some respects—even if no burglars in our neighborhood entered a house through an open window, it’s still important for homeowners to secure their windows, as this is a common and easily preventable vulnerability.

However, in other respects, it’s a problematic omission. If no burglars entered through windows in the past year, while 90% entered through the front door, this crucial info could help you decide where to invest first to secure your home.

In the world of web app security, we can learn about virtual “burglaries” by examining publicized security breaches. In the real world, which of the OWASP Top 10 are exploited most often by hackers? Which are exploited only rarely?

We based our research on the Breach Level Index, published by Gemalto. It lists 1,792 data breaches from 2016 alone, ranked by severity, taking into account factors such as the number of records taken and their sensitivity.

We investigated: What was the root cause of the top 50 data breaches in 2016? Which of the OWASP Top 10 do those root causes belong to? And in turn, which of the OWASP Top 10 was responsible for the biggest data security catastrophes in 2016?

Methodological note: We surveyed the top 82 breaches in Gemalto’s Breach Level Index and found 50 with a root cause that could be determined from publicly available sources. We treat these as the “Top 50 Data Breaches”; strictly speaking they are the “top 50 with known root causes”. For all 82, wherever information was available about any OWASP Top 10 vulnerability that contributed to the attack (even if it was not the root cause), we noted it as well.

OWASP Top 10 Ordered by their Role in Major Data Breaches

The top 50 data breaches of 2016 included 77 million records stolen from the Philippines’ Commission on Elections, the Panama Papers scandal in which offshore accounts of several world leaders were exposed, the Adult FriendFinder breach which exposed the private information of 412 million account holders, and many more.

Let’s start with root causes. A data breach may involve several OWASP Top 10 vulnerabilities (e.g. weak passwords, classified under A2, and SQL injection, classified under A1). But which was the main one that let the attacker get in and carry out the attack? We label this the “root cause”; the others are counted as “present”.

Methodological note: In our research, we relied on a variety of publications to determine what happened in each data breach and what was the root cause. Some of these are primary sources or security research, while some are general press or even social media postings by knowledgeable parties. We tried to select only sources that seemed authoritative, but most sources were not in direct contact with the breached organization or the attackers and could be wrong. Even if reports are true, details may have been unreported or unknown, even by the breached organizations themselves. Our data is only as good as the information reported by these sources, cited in our data spreadsheet for your reference.

In the table below we show which of the OWASP Top 10 was the root cause for the most devastating data breaches.

[Table: number of the top 50 breaches for which each OWASP Top 10 category was the root cause]

A6-Sensitive Data Exposure, which was the root cause of only 3 breaches, was present in as many as 26 (52% of the sample). Every second data breach involved sensitive data, mainly passwords, that was not adequately protected or encrypted, which dramatically increased the damage caused.

[Chart: for each OWASP Top 10 category, the number of breaches in which it was present versus the number in which it was the root cause]

A9-Using Components with Known Vulnerabilities is interesting because in 100% of the incidents that exhibited this problem, it was also the root cause of the breach; it is the only OWASP category for which this holds. This tells us that in high-profile, high-impact breaches, A9 is a wide-open gate through which attackers typically enter the system.

Similarly, A5-Security Misconfiguration (the root cause in 9 of the 10 breaches in which it was reported) and A7-Missing Function Level Access Control (the root cause in 3 of the 4 breaches in which it was reported) are, when present, very likely to be the root cause of a major data breach.

A2-Broken Authentication and Session Management and A1-Injection were the root cause in only about half of the breaches in which they were reported. This is surprising, since both are thought of as the classic way attackers penetrate an enterprise system. But as it turns out, large data breaches often start from a different direction, even while weak authentication or injection vulnerabilities are in place.
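The root-cause versus “present” distinction used above, as an added example that is not the article’s own analysis code or spreadsheet: the script below tallies, for a constructed set of breach records (hypothetical site names, not entries from the Breach Level Index), how often each OWASP Top 10 category was the root cause, how often it was merely present, and the root/present ratio the article quotes for A9, A5 and A7, along with the share of breaches whose root cause lies outside the Top 10. The `Breach`, `tally` and `report` names are this example’s own.

```python
"""Tally OWASP Top 10 (2013) categories as root cause versus merely present
across a set of breach records, the way the analysis above counts them.

Added example; this is not the article's own spreadsheet or tooling. The
breach records are constructed for illustration and are not real incidents.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Breach:
    """One breach record: the single category judged to be the root cause
    (None when the root cause is outside the Top 10, e.g. phishing or an
    insider) and every Top 10 category reported as contributing."""
    name: str
    root_cause: Optional[str]
    present: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # The root cause is by definition one of the contributing factors;
        # reject records where the two fields disagree.
        if self.root_cause is not None and self.root_cause not in self.present:
            raise ValueError(f"{self.name}: root cause {self.root_cause} "
                             "is not among the categories marked present")


# Constructed sample (hypothetical sites, not from the Breach Level Index).
SAMPLE: List[Breach] = [
    Breach("site-1", "A9", {"A9", "A6"}),   # unpatched CMS, plaintext passwords
    Breach("site-2", "A9", {"A9"}),
    Breach("site-3", "A5", {"A5", "A6", "A2"}),
    Breach("site-4", "A1", {"A1", "A6"}),
    Breach("site-5", None, {"A2", "A6"}),   # root cause: phishing (not Top 10)
    Breach("site-6", "A2", {"A2"}),
    Breach("site-7", None, {"A1", "A6"}),   # root cause: insider (not Top 10)
    Breach("site-8", "A6", {"A6"}),
]


def tally(breaches: List[Breach]) -> Tuple[Dict[str, Tuple[int, int, float]], int]:
    """Return ({category: (root_cause_count, present_count, root/present)},
    number_of_breaches_whose_root_cause_is_outside_the_top10).

    Categories are ordered by root-cause count, then by name, which is the
    ordering the article's table uses."""
    root = Counter(b.root_cause for b in breaches if b.root_cause is not None)
    present = Counter(cat for b in breaches for cat in b.present)
    table = {
        cat: (root[cat], present[cat], root[cat] / present[cat])
        for cat in sorted(present, key=lambda c: (-root[c], c))
    }
    outside = sum(1 for b in breaches if b.root_cause is None)
    return table, outside


def report(breaches: List[Breach]) -> str:
    """Render the tally as a plain-text table with the two ratios the article
    quotes: share of all breaches, and root/present per category."""
    table, outside = tally(breaches)
    n = len(breaches)
    lines = [f"{'cat':<4} {'root':>4} {'present':>7} {'root/present':>12} {'share':>6}"]
    for cat, (r, p, ratio) in table.items():
        lines.append(f"{cat:<4} {r:>4} {p:>7} {ratio:>12.0%} {r / n:>6.0%}")
    lines.append(f"root cause outside the Top 10: {outside} ({outside / n:.0%})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On this constructed sample A9 and A5 show the 100% root/present pattern the article describes for A9, while A6 is present in six of eight records but the root cause in only one, mirroring the “present everywhere, rarely the entry point” profile of Sensitive Data Exposure. The `__post_init__` check matters when feeding in real records: a category recorded as the root cause but not as present is a data-entry error that would otherwise silently produce a ratio above 100%.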
