Web hacking is shifting towards smaller targets, multipath attacks and social engineering, according to Dave Shackleford, a respected ethical hacker, security expert and SANS certified instructor.
The 2011 DBIR (Data Breach Investigations Report), an annual study by the Verizon RISK Team with cooperation from the US Secret Service and the Dutch High Tech Crime Unit, found that records stolen in its sample had fallen from 361 million in 2008 to just 4 million in 2010.
"The numbers are a reflection of fewer massive breaches that were notable in previous years," explains Shackleford. However, the current problem is a rise in "smaller and more vulnerable organisations seen as easier targets [for hackers]," he says.
Malware was involved in 49% of breaches and 79% of record thefts, with the most common infection pathway being installation or injection by a remote attacker (where a hacker breaches a system and then deploys malware, or injects code via SQL injection or another web application attack).
Indeed, the DBIR study indicates that these web attacks accounted for almost four-fifths of the malware infections in the 2010 caseload, up from around half in last year's study.
"The blended nature of many of the attacks is also evident," comments Shackleford. "If you look at the raw data, you see many more attacks that had a social engineering element and the problem is growing."
And although he believes that security professionals are better informed about the dangers of social engineering, he still sees a lack of communication to end users. "The data suggests that more needs to be done to educate the users, who unwittingly open the door to attackers," comments Shackleford.
As part of the upcoming SANS Security 542: Web App Penetration Testing and Ethical Hacking course Shackleford will teach in London this June, he stresses the need to understand how to use multiple attack techniques.
"Competent IT security professionals need to know the methods used by attackers to become good defenders," he explains. "Increasingly, that means a much wider remit than just, say, cross-site scripting and SQL injection. These are complemented by areas like reconnaissance and mapping, username harvesting and cookie exploitation, among others."