Imperva's latest annual Web Application Attack Report (WAAR) shows that retailers suffer twice as many SQLi attacks as other industries, and the attacks are both more intense and longer in duration. "In fact," says the report, "retail applications received 749 individual attack requests per attack campaign," on average. The maximum recorded, however, was 46,027, showing the wide variation in attack magnitudes.
The average for other industries was 298 with a maximum of 7,700. The incident duration shows a similar pattern: the average duration for retail was 22 minutes with a maximum duration of 575 minutes, while the average for other industries was 12 minutes with a maximum of 260.
The difference, suggests the report, "can be attributed to the design and size of the applications. For example, it is plausible to assume that retail applications contain a relatively large number of pages in the form of online catalogs, and that this factor may have contributed to the length and the intensity of SQL injection attacks."
Dwayne Melancon, CTO at Tripwire, suggests that retail organizations have become a major target for cybercriminals because "they have widely distributed networks, they handle payment data, and many of them have taken a ‘bare minimum’ approach when it comes to funding information security." He adds, "Due to a high percentage of human involvement in retail operations, retailers also have a much larger attack surface."
Imperva's report shows that the USA remains the foremost source for SQL attacks (based on the IP address of the initiating hosts). China is second, followed by the Netherlands and Germany. The UK comes eighth behind the Russian Federation. In all, the study looks at six different attack methodologies – the others are remote file inclusion, directory traversal, local file inclusion, email extrusion and comment spam. For all attacks other than email extrusion (where Senegal dominates), the USA is the primary source of attack initiation.
Imperva believes that the solution to web application attacks is their automated detection as early as possible. This in turn requires a detailed knowledge and understanding of the threat landscape, which is best achieved by sharing intelligence with peers. Furthermore, says Amichai Shulman, Imperva's CTO, "While these findings undeniably demonstrate that web application attacks are far from consistently distributed, the takeaway is that organizations should base security measures on the worst case scenario, not on the average case."