Establishing Digital Trust: Don't Sacrifice Security for Convenience
In a new report, the firm said hackers aren't necessarily targeting operating systems but rather applications themselves, a scenario that Fortify describes as bot "storms" in which applications are targeted.
Over a six-month period, Fortify analyzed nearly three million requests for sites that use its Application Defense product. Fortify's analysis identified two key tools used by hackers: bots and Google hacks. Together they represented the majority of the attacks it recorded.
Fortify found that, on average, 50 to 70 percent of attacks came from bots. Bots and botnets are large groupings of compromised computers that attack targets at the command of the botnet's leader. The bots were apparently searching for known vulnerabilities.
Hackers also found vulnerabilities via search engines such as Google. Google Hacking is a term used to describe hackers using sophisticated search queries to locate vulnerable sites and applications. According to Fortify, 20 to 30 percent of the attacks it recorded as part of its six-month study came as a result of some form of search engine hacking.
Fortify's study did not find that any particular operating system was more targeted than any other.
"With respect to platforms, it's not necessarily an operating system game," Brian Chess, chief scientist at Fortify Software, told internetnews.com. "We most frequently saw attempts to attack known PHP vulnerabilities. We certainly also observed our fair share of attempts to stuff dll's onto Web servers with the anticipation that they were Windows machines, but the 'application layer' was more of the target."
Chess noted that Fortify found many buffer overflow, SQL injection and command injection techniques used by hackers; the study didn't focus on the vulnerability so much as the attack techniques.