Friday, August 17, 2007

Why aren’t more websites hacked?

I’ve given many presentations about website security statistics, most recently at SANS, stating that somewhere between 70% and 90% of websites have serious vulnerabilities. I dig into severity breakdowns, top ten lists, vertical industry comparisons, and more. After bearing witness to the data at hand and to what the “bad guys” could do (or already have done), attendees emerge from the Denial stage of Web security grief and enter Anger. Others remain skeptical, which is completely understandable, and curious about something particularly relevant. They ask, “If these statistics are accurate and the Web is so insecure, why aren’t websites hacked more often?” This is a darn good question!

Indeed....

Why aren’t the bad guys pillaging everything in sight?

First off, websites ARE getting hacked. A LOT! The Zone-H defacement archive clearly illustrates the size of the problem. Secondly, the public isn’t always made aware of every website hack, and the media doesn’t advertise every incident. Many profit-driven website hacks will never be made public because both the bad guy and the victim keep the incident confidential. The various state disclosure laws only apply to customers’ personal and private data, not to incidents that compromise source code, trade secrets, brokerage account access, etc. The point is that the published information only ever shows us the best-case scenario.

However, these explanations aren’t satisfying, probably because we can’t measure them. Perhaps there is another possibility. Consider that Netcraft says there are roughly 128 million websites and about 2 million more are added per month. Those in the industry know the challenge of finding, hiring, training, and retaining web security people. Could it be there simply aren’t enough bad guys with the necessary skills and motivation to monetize web hacks? Could there be more than 2,000 such morally flexible people? I have no idea if this number is accurate or not, but it seemed reasonable. This could explain why Web banks aren’t yet getting compromised hourly, or why MySpace or Facebook aren’t suffering Web worms daily.

Something to consider anyway.

12 comments:

Anonymous said...

DD from SA covers this better than anyone in his blog: http://beastorbuddha.com/category/web-application-security/

amanfromMars said...

If you can hack code, you can crack code and if you can crack code you can write code and if you can write code the Computer world is yours to shape.....which is what the Masters are doing whilst you deal with the "bad guys" ...the flies around the beast.

Jordan said...

@Anonymous

Umm, which entry/entries were you referring to specifically? I'm not going to go read the entire blog to find out, and the first few posts were neither directly relevant, nor particularly mind-blowing.

Not trying to knock on Senior Drazic here, but if you're going to spam a link, at least have some direct relevance.

Anonymous said...

Jordan, general theme mainly. From the last one on disclosure to the 90% of web applications that suck. Not sure how, but sorry if you felt spammed.

Drazen Drazic said...

Cool to get a mention. Thanks. I don't really profess to doing much more than ranting...keeps me sane in this industry. And if I only have one person interested in my rants, well that's a pretty poor percentage. Nice article JG.

thorin said...

"hourly or and why isn’t MySpace and Facebook"

Looks like a little typo in there. Unless you meant "and/or". But, really if you meant "and/or" you should just say "or" since in an "or" both is an acceptable answer.

@ amanfrommars ... I'm curious what's the distinction between "hack" and "crack"

Jeremiah Grossman said...

Thorin, thanks! I think all this blogging has really helped my writing. FAR fewer typos have been showing up.

Thorin said...

No problem. It was a good article. I'm surprised that clients don't ask this question more often.

Jeremiah Grossman said...

Happens every once in a while, but more and more.

MustLive said...

Nice article, Jeremiah.

Yes, the public isn’t aware of every website hack and the media doesn’t advertise every incident. And to change this situation I work on my own Hackers Activity Summary. I'm looking for all information about site hacks in Uanet and writing my summaries. The world needs to know its heroes ;-).

I have written the following summaries already:

Hackers activity in Uanet in 2006
http://websecurity.com.ua/474/
Totals of hackers activity in Uanet in 2006
http://websecurity.com.ua/613/
Hackers activity in Uanet in 1st half year 2007
http://websecurity.com.ua/1244/

Jeremiah Grossman said...

@MustLive: The more that is documented, the more chance we have to learn from it. Nice work.

anders said...

Interesting:
http://www.gnucitizen.org/blog/i-dont-think-that-you-understand-firefox3-vulnerable-by-design

(didn't bother to find a "good" entry to comment on.. ;P)