XSS becomes 2019's most popular cyber-attack

News by Mark Mayne

Cross-site scripting or XSS is the most popular attack vector globally in 2019, accounting for 40 per cent of all cyber-attacks

Cross-site scripting, or XSS, holds the dubious distinction of being the most popular attack vector in 2019. It made up nearly 40 per cent of all attacks logged by security researchers, who also noted that almost 75 per cent of large companies across Europe and North America had been targeted over the last year.

According to the PreciseSecurity.com research, SQL injection came second, followed by fuzzing. The researchers also found that 72.3 per cent of all cyber-attacks specifically targeted websites, with APIs coming in a very poor second at a mere 6.99 per cent. 

Simon Roe, product manager at Outpost24, said that the preference for targeting websites was highly likely to continue into 2020.

"Websites will continue to be hacked. Some of them will result in big hefty GDPR-related fines. Many of these will likely be through third-party components. Magecart will continue to feature highly in the successful hacks that impact organisations' financial data."

Despite the adoption of shift left and Dev(Sec)Ops, web breaches will continue to be one of the largest reasons attacks are successful, he noted.

"This will be especially true as organisations continue to develop applications quickly to meet ever-changing market demands. Sadly, the OWASP top 10 is still fairly static in the top issues, and despite training and education available to help developers improve secure coding we will still see the same kinds of issues across many applications."

Looking forward, ransomware, the endemic enterprise threat, will continue to be a major force into 2020, said Scott Caveza, research engineering manager at Tenable.

"As we move into 2020, ransomware attacks will not only increase, but the potential damage may extend to the physical world. Ransomware dominated headlines in 2019, with reports of various organisations impacted. With more cases of ransomware being reported in 2019, a trend we expect to continue into 2020, the concern is that ransomware infections could have greater links of physical harm to innocent bystanders."

While ransomware has undoubtedly been a major thorn in the side of enterprise security teams throughout 2019, a rising threat to all businesses has been business email compromise, or BEC. Mimecast's October 2019 Email Security Risk Assessment report found a 269 per cent increase in BEC attacks over the previous quarter, and a separate report found that 85 per cent of the 1,025 global respondents experienced an impersonation attack in 2018.

The BEC threat is set to increase through 2020, said Hugo van den Toorn, manager, offensive security at Outpost24.

"Business email compromise and phishing in general is ever evolving and will most likely continue to grow in both volume and sophistication. The past year we have seen an increase in advanced phishing methods targeting applications secured with two-factor authentication (2FA) and almost all reported phishing websites appear to use a secure HTTPS connection," he said.

"Although it is a good trend that 2FA and use of HTTPS is being adopted, we see that end-users still fall prey to phishing. Hopefully 2020 will also be the year of increased support and adoption for hardware authentication devices."
