The Ponemon-Sullivan Privacy Report includes original columns and a roundup of worldwide privacy news. It’s the best way to keep up with Ponemon Institute Research and Bob Sullivan’s opinions. Keep informed, sign up here.
We have just released our first study on business logic abuse, sometimes called precision hacking. The 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition, sponsored by Silver Tail Systems, is intended to learn how well organizations are able to stop or quickly detect business logic abuses. In the context of this research, business logic abuse results from a criminal discovering a flaw in the business logic or functionality of a website. In most cases, the criminal uses the legitimate pages of the website to perpetrate cyber attacks, hacks or fraud. One objective of this fraud is to steal money or confidential information, or to exploit the system for other illicit gains. Another possible goal is to destroy the reputation or brand of a company.
In addition to the theft of money and information, remediating the consequences is expensive. We estimate that the total cost of business logic abuses would average $6.8 million if every customer-facing website of the companies represented in this research suffered a business logic abuse.
The cost includes system downtime, lost revenue, inefficiencies customers must deal with and technical staff dedicated to fixing the problem.
There are many ways hackers can take advantage of websites. Respondents admit that such abuses are highly likely to occur in their organization and agree that in many instances they are very difficult to detect. Remediating these abuses is also very challenging because the fixes that stop the bad guys may diminish the web experience of legitimate customers.
We hope you will read the report and consider our recommendations:
Assign responsibility for website security and ensure there is sufficient in-house personnel to minimize business logic abuses.
Establish a partnership between website developers and IT to make sure a prevention and detection strategy is in place and enforced.
Strive to have a strategy that minimizes the risk but does not frustrate legitimate customers.
Ensure ongoing monitoring of websites for business logic abuses.
Check business partner websites for business logic abuses.
Invest in technologies that enable real-time visibility into website traffic.
These recommendations can be key in stopping the criminals from stealing money or confidential information and committing other fraudulent acts that can cost a company its reputation.