2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition


Sponsored by Silver Tail Systems
Independently conducted by Ponemon Institute, LLC
Publication Date: October 2012
Ponemon Institute Research Report

Part 1. Introduction

Ponemon Institute is pleased to present the results of the 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition. Sponsored by Silver Tail Systems, this study is intended to learn important information about organizations' ability to stop or quickly detect business logic abuses. Also referred to as precision hacking, business logic abuse is quickly gaining the attention of IT security practitioners. According to 88 percent of respondents in this study, it is more important than or equally important to other security issues.

In the context of this research, business logic abuse results from a criminal discovering a flaw in the business logic or functionality of a website. In most cases, the criminal uses the legitimate pages of the website to perpetrate cyber attacks, hacks or fraud. One objective of this fraud is to steal money or confidential information, or to exploit the system for illicit gains. Another possible goal is to destroy the reputation or brand of a company.

In addition to the theft of money and information, fixing the consequences is expensive. We estimate the total cost of business logic abuses to be, on average, $6.8 million if every customer-facing website of the companies represented in this research had a business logic abuse. The cost includes system downtime, lost revenue, inefficiencies customers must deal with and technical staff dedicated to fixing the problem.

There are many ways hackers can take advantage of websites. Respondents admit a high likelihood that these will occur in their organization and agree that in many instances such attacks are very difficult to detect. Remediating these abuses is very challenging because the fixes that stop the bad guys may diminish the web experience of legitimate customers.

In this study, we surveyed 643 IT and IT security practitioners (hereafter referred to as IT practitioners) in the United States. A comparable study was conducted in the United Kingdom and the findings are presented in a separate report. To ensure knowledgeable respondents participated in this research, we asked screening questions to determine familiarity with business logic abuse and that they have some responsibility for the security of their website. Further, all respondents work in organizations that derive a percentage of their revenues from website-related activities. On average, respondents have approximately 10 years of IT or IT security experience. Most respondents (55 percent) report to the chief information officer and 18 percent report to the chief information security officer. Fifty-eight percent are employed by organizations with a worldwide headcount of more than 1,000.

Noteworthy findings from this research include:

• Ninety percent of organizations represented in this study experienced, at least once, lost revenues due to the financial or brand impact of Internet fraud in the past 12-month period.

• The majority of respondents in this study believe it is very likely or likely that their companies are at risk for business logic abuse and admit the difficulty of not being able to detect such an attack.

• Two-thirds of respondents say their organizations lost between 1 percent and 4 percent in revenue as a result of business logic abuse and approximately 25 percent say their organizations lost more than 5 percent.

• The majority of IT security practitioners (74 percent) say it is very difficult or difficult to distinguish between the real customer and the criminal accessing their company's website.

• One-third of respondents say it has taken at least one day to remediate the consequences of one business logic abuse incident and 25 percent say each time a business logic abuse is remediated the business experiences more than four hours of downtime.

• Fifty-one percent of organizations do not have real-time visibility into their website traffic and 13 percent are unsure.

• More than half (53 percent) of respondents say they do not check business partner websites for business logic abuses or they are unsure if this practice occurs.

Part 2. Key Findings

In this section, we provide the detailed analysis of this research. The complete audited findings are presented in the appendix of this report. Topics are organized according to the following themes:

• Awareness of the risk of business logic abuse to an organization's website
• How business logic abuse is affecting organizations
• The business logic abuses most likely to occur and difficult to detect
• The current state of detection and prevention of business logic abuses

Awareness of the risk of business logic abuse to an organization's website

IT practitioners are aware of the risk of business logic abuse to websites, but many admit it is not a priority within their organizations. Business logic abuse is on IT practitioners' radar screen, but the majority of organizations are not making it a priority. According to 88 percent of respondents in this study, business logic abuse is more important than or equally important to other security issues, as shown in Figure 1.

Figure 1. How important is the prevention of business logic abuse? (bar chart: More important than other security issues 21%; Equally important to other security issues 67%; Less important than other security issues 12%)

While 53 percent believe the frequency of these types of attacks is on the rise and 48 percent agree the severity is increasing, less than half (42 percent) say it is a priority in their website's development efforts. The following findings reveal the consequences of not making this risk a priority: only 38 percent say most business logic abuses are quickly detected and remediated, 35 percent say they have sufficient in-house personnel to deal with the problem and 34 percent say their company is vigilant in monitoring all websites for business logic abuses. The challenge is that only 31 percent say they have the technologies and only 29 percent say the budget is sufficient for minimizing logic abuses.

Figure 2. Attributions about business logic abuses (strongly agree and agree responses combined)
The frequency of business logic abuses is on the rise: 53%
The severity of business logic abuses is on the rise: 48%
The prevention of business logic abuses is a priority in website development: 42%
Most business logic abuses are quickly detected and remediated: 38%
My company has sufficient in-house personnel for minimizing business logic abuses: 35%
My company is vigilant in monitoring all websites for business logic abuses: 34%
My company is better at preventing business logic abuses than other companies: 33%
My company has sufficient technologies for minimizing business logic abuses: 31%
The security budget is sufficient for minimizing business logic abuses: 29%

How business logic abuse is affecting organizations

Companies are losing revenue and productivity as a result of these precision hacking attacks. Business logic abuse can be costly. In addition to the theft of money and information, fixing the consequences is expensive. We estimate the total cost of business logic abuses to be, on average, $6.8 million if every customer-facing website of the companies represented in this research had a business logic abuse. The cost includes system downtime, lost revenue, inefficiencies customers must deal with and technical staff dedicated to fixing the problem.

Ninety percent of companies lost revenues due to the financial or brand impact of Internet fraud. As shown in Figure 3, only 10 percent of respondents say their organizations have managed to escape the consequences of business logic abuse. Approximately 25 percent of respondents say their organizations lost more than 5 percent of their total revenues as a consequence of business logic abuse.

Figure 3. The percent of revenues lost due to financial or brand impact of Internet fraud
None: 10%
1 to 2%: 32%
3 to 4%: 33%
5 to 6%: 8%
7 to 8%: 6%
9 to 10%: 3%
11 to 15%: 4%
More than 15%: 4%

Many organizations represented in this research have experienced multiple incidents. As shown in Figure 4, 30 percent experienced more than 20 separate incidents in the past 12 months. Only 20 percent say they have not experienced a business logic abuse.

Figure 4. Number of business logic abuse incidents
None: 20%
1 to 5: 18%
6 to 10: 22%
10 to 20: 11%
21 to 30: 7%
31 to 40: 3%
41 to 50: 6%
51 to 100: 8%
More than 100: 6%

Fixing the effects of business logic abuses is time intensive. Thirty-three percent of respondents say it can take more than one day to resolve the attack (Figure 5). Downtime for the business, according to 25 percent, can average more than four hours.

Figure 5. How much time is spent remediating the consequences of one abuse incident?
None: 13%
< 1 hour: 9%
1 to 4 hours: 19%
5 to 8 hours: 27%
1 to 2 days: 13%
2 to 5 days: 6%
More than 5 days: 14%

Respondents are not confident in their ability to stop business logic abuse. Figure 6 reveals that the majority of IT practitioners (74 percent) say it is very difficult or difficult to distinguish between the real customer and the criminal. Most also claim that business logic abuses are difficult to detect (63 percent) and fix (66 percent). Fifty-one percent of respondents complain of not having real-time visibility into their website traffic and 13 percent are unsure. This is a real impediment to stopping business logic abuse.

Figure 6. Difficulty identifying real customers and fixing and detecting business logic abuses
Difficult to know the real customers from criminals: 74% very difficult or difficult (42% very difficult, 32% difficult)
Difficult to remediate: 66% very difficult or difficult (34% very difficult, 32% difficult)
Difficult to detect: 63% very difficult or difficult (33% very difficult)

There is no clear assignment of responsibility for reducing the risk of business logic abuses. Twenty-two percent of respondents believe no one person or function has overall responsibility, followed by 20 percent who say it is the CIO's responsibility and 14 percent who say it is under the CISO's jurisdiction, as shown in Figure 7. Only 10 percent say it is the responsibility of the website development leader or manager.

Figure 7. Who is most responsible for stopping business logic abuse?
No one person has overall responsibility: 22%
Chief information officer: 20%
Chief information security officer: 14%
Business unit management: 14%
Website development leader/manager: 10%
Fraud prevention leader/manager: 5%
Web hosting service provider: 4%
Data center management: 3%
Corporate compliance or legal department: 2%
Chief risk officer: 2%
Chief technology officer: 2%
Other: 2%

Business logic abuse scenarios

The majority of respondents believe the following situations are likely to occur and are difficult to detect. Scenarios are presented in order from most likely to least likely to occur.

Scenario 1: Web scraping. A cyber criminal wants to obtain confidential information contained on public pages of a company's website (such as price or inventory lists). This information can be gleaned by a criminal writing a script that goes page by page on a public site without the company's knowledge. Sixty-nine percent say it is very likely or likely to occur and 74 percent say it is very difficult or difficult to detect (Figure 8).

Figure 8. Web scraping
Likelihood of occurring: 69% very likely or likely (35% very likely, 34% likely)
Difficult to detect: 74% very difficult or difficult (45% very difficult, 29% difficult)

Scenario 2: Account hijacking. A successful spear phishing scam resulted in cyber criminals obtaining the user names and passwords of customers. The leakage of customer account information occurred because employees were duped by what appeared to be a legitimate internal company communication. The crime originated when the criminal obtained key employee addresses directly from the website. Sixty-three percent say it is very likely or likely to occur and 67 percent say it would be very difficult or difficult to detect (Figure 9).

Figure 9. Account hijacking
Likelihood of occurring: 63% very likely or likely (35% very likely)
Difficult to detect: 67% very difficult or difficult (39% very difficult)

Scenario 3: Click fraud. A company hires an agency to conduct an online advertising campaign. The agency is paid on a per-click basis. In reality, many of the clicks paid for are not authentic (i.e. not involving an interested consumer). Sixty-two percent say it is very likely or likely to happen to their company and a much higher percentage say it would be very difficult or difficult to detect (Figure 10).

Figure 10. Click fraud
Likelihood of occurring: 62% very likely or likely
Difficult to detect: 33% very difficult, 39% difficult

Scenario 4: Testing stolen credit cards. A cyber criminal steals hundreds of credit card numbers and uses a company's credit or debit card payments function to validate active credit cards. More than half (53 percent) of respondents say this is very likely or likely to happen and 65 percent say it would be very difficult or difficult to detect (Figure 11).

Figure 11. Testing stolen credit cards
Likelihood of occurring: 53% very likely or likely (21% very likely, 32% likely)
Difficult to detect: 65% very difficult or difficult (34% very difficult, 31% difficult)
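Web scraping (Scenario 1) and testing stolen credit cards (Scenario 4) share the property that makes respondents rate them hard to detect: every individual request is a legitimate page view or payment call, and the abuse is only visible when requests are grouped by session. The following Python is an added example, not code from the report or from Silver Tail Systems. It groups constructed access-log lines by session and flags a session that walks catalogue pages in item-ID order at machine speed, or that submits many card payments inside a short window with most of them declined. The log format, the `/checkout/pay` endpoint, the use of HTTP 402 for a declined card and every threshold are assumptions chosen for illustration.

```python
"""Session-level detection of two business logic abuse patterns described in
the report: web scraping (Scenario 1) and testing stolen credit cards
(Scenario 4). Added example: log format, endpoint, status code and thresholds
are assumptions for illustration, not something the report specifies."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CATALOG_RE = re.compile(r"^/catalog/item/(\d+)$")
PAY_PATH = "/checkout/pay"   # assumed payment endpoint
DECLINED_STATUS = 402        # assumed status the endpoint returns for a declined card

# Illustrative thresholds; tune against real traffic before acting on them.
SCRAPE_MIN_PAGES = 10                       # catalogue pages in one session
SCRAPE_MAX_MEAN_GAP = timedelta(seconds=1)  # mean time between pages, faster than a reader
SCRAPE_MIN_SEQUENTIAL = 0.8                 # share of steps where the item ID increases by one
CARD_TEST_MIN_ATTEMPTS = 5                  # payment attempts inside CARD_TEST_WINDOW
CARD_TEST_WINDOW = timedelta(minutes=5)
CARD_TEST_MIN_DECLINE_RATIO = 0.6


def _constructed_log():
    """Constructed access-log lines in the form 'ISO-timestamp session path status'."""
    lines = []
    # s1: twelve catalogue pages with consecutive item IDs, one request every 200 ms
    for i in range(1, 13):
        ms = i * 200
        lines.append(f"2012-08-01T10:00:{ms // 1000:02d}.{ms % 1000:03d} s1 /catalog/item/{1000 + i} 200")
    # s2: seven card payments within fourteen seconds, all but one declined
    for i in range(1, 8):
        status = 200 if i == 4 else DECLINED_STATUS
        lines.append(f"2012-08-01T10:05:{2 * i:02d} s2 {PAY_PATH} {status}")
    # s3: an ordinary shopper, two product pages, one cart add, one approved payment
    lines += [
        "2012-08-01T10:10:00 s3 /catalog/item/1042 200",
        "2012-08-01T10:10:35 s3 /catalog/item/1017 200",
        "2012-08-01T10:12:10 s3 /cart/add 200",
        f"2012-08-01T10:13:02 s3 {PAY_PATH} 200",
    ]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Group log lines by session: {session_id: [(timestamp, path, status), ...]}, time-ordered."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, path, status = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), path, int(status)))
    for events in sessions.values():
        events.sort()
    return dict(sessions)


def looks_like_scraping(events):
    """True when a session reads many catalogue pages quickly and mostly in item-ID order."""
    pages = []
    for ts, path, _status in events:
        m = CATALOG_RE.match(path)
        if m:
            pages.append((ts, int(m.group(1))))
    if len(pages) < SCRAPE_MIN_PAGES:
        return False
    mean_gap = (pages[-1][0] - pages[0][0]) / (len(pages) - 1)
    steps = list(zip(pages, pages[1:]))
    sequential = sum(1 for (_, a), (_, b) in steps if b == a + 1)
    return mean_gap <= SCRAPE_MAX_MEAN_GAP and sequential / len(steps) >= SCRAPE_MIN_SEQUENTIAL


def looks_like_card_testing(events):
    """True when a sliding window holds many payment attempts of which most are declined."""
    attempts = [(ts, status) for ts, path, status in events if path == PAY_PATH]
    for i, (start, _status) in enumerate(attempts):
        window = [s for ts, s in attempts[i:] if ts - start <= CARD_TEST_WINDOW]
        if len(window) >= CARD_TEST_MIN_ATTEMPTS:
            declines = sum(1 for s in window if s == DECLINED_STATUS)
            if declines / len(window) >= CARD_TEST_MIN_DECLINE_RATIO:
                return True
    return False


def analyze(text):
    """Return {session_id: [flags]} for every session that matches at least one pattern."""
    findings = {}
    for sid, events in parse_log(text).items():
        flags = []
        if looks_like_scraping(events):
            flags.append("web-scraping")
        if looks_like_card_testing(events):
            flags.append("card-testing")
        if flags:
            findings[sid] = flags
    return findings


if __name__ == "__main__":
    for sid, flags in analyze(SAMPLE_LOG).items():
        print(f"session {sid}: {', '.join(flags)}")
```

The thresholds are where the report's tension between stopping abuse and not frustrating legitimate customers shows up: a price-comparison partner or a customer-service desk working a queue can resemble the scraping pattern, so rules like these are better used to route a session to review or a step-up challenge than to block it outright.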

Scenario 5: Botnet and DoS. A cyber criminal directs a botnet against a company and this results in a denial of service (DoS) attack that ultimately brings down its websites. Fifty-two percent say it is very likely or likely to happen and 67 percent say it would be very difficult or difficult to detect (Figure 12).

Figure 12. Botnet and DoS
Likelihood of occurring: 52% very likely or likely (22% very likely)
Difficult to detect: 67% very difficult or difficult (35% very difficult, 32% difficult)

Scenario 6: Mobility use case. A company expanded its consumer reach using a mobility platform that allows customers to access its websites using smart phones and other mobile devices. Cyber criminals infiltrate these devices with malware that captures customers' account access credentials. The criminals harvest this information to take over accounts using a laptop or desktop computer. Fifty-two percent say it is very likely or likely to occur and 69 percent say it would be very difficult or difficult to detect (Figure 13).

Figure 13. Mobility use case
Likelihood of occurring: 52% very likely or likely (23% very likely, 29% likely)
Difficult to detect: 69% very difficult or difficult (41% very difficult)

Scenario 7: ecoupons. Fraudsters do an end-run around a company's pricing policy. They select a heavily discounted item and place it in the shopping cart. They delay the checkout in order to obtain and apply an ecoupon to the final purchase price, thus obtaining the item well below the company's cost. Again, 52 percent say this is very likely or likely to happen and a significant percentage (69 percent) say this would be very difficult or difficult to detect (Figure 14).

Figure 14. ecoupons
Likelihood of occurring: 52% very likely or likely (26% likely)
Difficult to detect: 69% very difficult or difficult (37% very difficult, 32% difficult)

Scenario 8: Electronic wallet. A company has expanded customer payment options to include Internet payment methods such as PayPal, Google Wallet, Amazon Checkout and others. A criminal looking for sites that have recently added Internet payment processes identifies its site and exploits the lack of fully implemented security controls. Fifty-one percent say this is very likely or likely to happen and a much higher percentage say it would be very difficult or difficult to detect (Figure 15).

Figure 15. Electronic wallet
Likelihood of occurring: 51% very likely or likely (22% very likely)
Difficult to detect: 44% very difficult
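The ecoupon scenario only works when the checkout trusts a price that was fixed when the item entered the cart and then applies a coupon obtained later without re-checking policy. The following Python is an added example, not code from the report or from any vendor, of the server-side control a defender would want: at checkout the price is recomputed from the catalogue rather than read from the cart, coupon validity is judged at checkout time rather than cart time, a policy decides whether a coupon may stack on a sale price, and a floor check refuses any line that would sell below cost. The catalogue, coupon codes, the no-stacking policy and the tampered cart price are constructed for the example.

```python
"""Server-side re-pricing at checkout, as a control against the ecoupon
scenario (Scenario 7). Added example: the data model, the coupons, the
'no stacking on sale items' policy and the cost floor are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from decimal import ROUND_HALF_UP, Decimal
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Product:
    sku: str
    list_price: Decimal
    cost: Decimal                          # acquisition cost: the floor the server never sells below
    sale_price: Optional[Decimal] = None   # current promotional price, if any


@dataclass(frozen=True)
class Coupon:
    code: str
    percent_off: Decimal
    valid_from: datetime
    valid_to: datetime
    stackable_with_sale: bool = False      # policy: by default a coupon does not stack on a sale price


@dataclass(frozen=True)
class CartLine:
    sku: str
    quantity: int
    price_at_add: Decimal                  # price the client saw when adding; never used for billing


class PricingError(Exception):
    """Raised when the recomputed price violates policy; the order must not be placed."""


def price_line(product: Product, coupon: Optional[Coupon], now: datetime) -> Decimal:
    """Recompute the unit price from the catalogue at checkout time, ignoring cart state."""
    unit = product.sale_price if product.sale_price is not None else product.list_price
    if coupon is not None:
        # Validity is judged at checkout, so parking an item in the cart buys no extra time.
        if not (coupon.valid_from <= now <= coupon.valid_to):
            raise PricingError(f"coupon {coupon.code} is not valid at checkout time")
        # Policy: a non-stackable coupon is simply not applied to an item already on sale.
        if product.sale_price is None or coupon.stackable_with_sale:
            unit = unit * (Decimal(100) - coupon.percent_off) / Decimal(100)
    unit = unit.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    # Floor check: whatever the coupon arithmetic says, never sell below cost.
    if unit < product.cost:
        raise PricingError(f"{product.sku}: price {unit} would be below cost {product.cost}")
    return unit


def checkout_total(cart: List[CartLine], catalog: Dict[str, Product],
                   coupon: Optional[Coupon], now: datetime) -> Decimal:
    """Total the order using server-side prices only."""
    total = Decimal(0)
    for line in cart:
        total += price_line(catalog[line.sku], coupon, now) * line.quantity
    return total


# Constructed catalogue, coupons and cart for the demonstration.
CATALOG = {
    "TV-55": Product("TV-55", Decimal("899.00"), Decimal("600.00"), sale_price=Decimal("620.00")),
    "HDMI-2M": Product("HDMI-2M", Decimal("19.99"), Decimal("8.00")),
}
COUPONS = {
    "SAVE20": Coupon("SAVE20", Decimal(20), datetime(2012, 8, 1), datetime(2012, 8, 31)),
    "STACK20": Coupon("STACK20", Decimal(20), datetime(2012, 8, 1), datetime(2012, 8, 31),
                      stackable_with_sale=True),
    "FLASH10": Coupon("FLASH10", Decimal(10), datetime(2012, 8, 1, 9), datetime(2012, 8, 1, 10)),
}
CHECKOUT_TIME = datetime(2012, 8, 1, 14, 30)
# The cart as submitted by the client: the stored TV price has been tampered down to 1.00.
CART = [CartLine("TV-55", 1, Decimal("1.00")), CartLine("HDMI-2M", 1, Decimal("19.99"))]


def demo() -> Dict[str, str]:
    """Run the checkout with each coupon and report the total or the rejection reason."""
    results = {}
    for code in (None, "SAVE20", "STACK20", "FLASH10"):
        coupon = COUPONS[code] if code else None
        try:
            results[code or "none"] = str(checkout_total(CART, CATALOG, coupon, CHECKOUT_TIME))
        except PricingError as exc:
            results[code or "none"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for code, outcome in demo().items():
        print(f"{code}: {outcome}")
```

The tampered `price_at_add` never reaches the total, the expired flash coupon is rejected even though it was valid when the shopper might have filled the cart, and the stackable coupon is refused by the cost floor rather than by a rule that anticipated this particular coupon, which is the property that matters against abuses nobody wrote a rule for.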

The following two scenarios are considered less likely to occur but are still considered very difficult or difficult to detect.

Scenario 9: App store fraud. A company has an app store/marketplace, providing access to products and instant rebates. Criminals masquerading as a merchant and a buyer manipulate the open platform for financial gain, cashing in on rebates and earning points from credit card incentive programs. Less than half (48 percent) say this is very likely or likely to occur but a much larger percentage (76 percent) say such a scheme would be very difficult or difficult to detect (Figure 16).

Figure 16. App store fraud
Likelihood of occurring: 48% very likely or likely (23% very likely)
Difficult to detect: 76% very difficult or difficult (45% very difficult, 31% difficult)

Scenario 10: Mass registration. A cyber criminal creates a fake website that imitates your company's website. Loyal and prospective customers are lured to this bogus website, which asks them to provide personal information in order to register for a promotion or offer. This results in the theft of sensitive information. In this case, 45 percent say it is very likely or likely to occur but a higher percentage (59 percent) say it would be very difficult or difficult to detect (Figure 17).

Figure 17. Mass registration
Likelihood of occurring: 45% very likely or likely (21% very likely)
Difficult to detect: 59% very difficult or difficult (31% very difficult, 28% difficult)

The current state of detection and prevention of business logic abuses

It seems as if the barriers to preventing and detecting business logic abuses are similar to those encountered when dealing with other security threats. According to respondents, there is not enough budget, in-house expertise or technology to manage this risk. As a result, many necessary steps are not taken.

The IT security function is often left out when making decisions about reducing the risk. According to Figure 18, only 11 percent say the security function is involved all the time in the prevention and detection of business logic abuses and 40 percent say it is involved only sometimes.

A key vulnerability is a business partner that might have business logic abuses. Also shown in Figure 18, only 12 percent say their organization inspects or tests business partner websites that link to their websites. Forty-one percent say they do not take this step and 12 percent are unsure.

Figure 18. Current state of business logic abuse prevention & detection
Is your company's IT security function involved in the prevention or detection of business logic abuses? Yes, always 11%; Yes, sometimes 40%; No 36%; Unsure 13%
Are partner websites that link to your websites inspected or tested for business logic abuses? Yes, always 12%; Yes, sometimes 35%; No 41%; Unsure 12%

Manual inspections during development and production of web pages are considered most important to prevent and detect business logic abuses. Manual inspection and assessment during development of web pages is considered very important or important by 52 percent of respondents. Fifty percent say this step is very important or important for web pages in production. These steps are followed by content-aware firewalls (including next generation firewalls), according to 44 percent of respondents. Intrusion detection and prevention systems are not considered as important to the security of web pages.

Figure 19. Steps organizations take to prevent or detect business logic abuses
Manual inspection and assessment during development of web pages: very important 25%, important 27%
Manual inspection and assessment of web pages in production: very important 23%, important 27%
Content aware firewalls: very important 19%, important 25%
Security intelligence systems such as SIEM: very important 12%, important 26%
Use of WAF: very important 19%, important 18%
Automated forensic tools that detect business logic abuses: very important 13%, important 24%
Testing of the website's functionality prior to production: very important 17%, important 18%
Network security and VPN: very important 9%, important 22%
Intrusion prevention systems: very important 11%, important 15%
Intrusion detection systems: very important 14%

Part 3. Conclusion

Business logic abuse poses serious risks to revenue and reputation. Not only are the attacks likely to occur, they are also stealthy. We recommend organizations consider taking the following steps:

• Assign responsibility for website security and ensure there is sufficient in-house personnel to minimize business logic abuses.
• Establish a partnership between website developers and IT to make sure a prevention and detection strategy is in place and enforced.
• Strive to have a strategy that minimizes the risk but does not frustrate legitimate customers.
• Ensure ongoing monitoring of websites for business logic abuses.
• Check business partner websites for business logic abuses.
• Invest in technologies that enable real-time visibility into website traffic.

These recommendations can be key in stopping criminals from stealing money or confidential information and committing other fraudulent acts that can cost a company its reputation.

Part 4. Methods

A random sampling frame of 23,413 IT and IT security practitioners located in all regions of the United States was selected as participants in this survey. As shown in Table 2, 956 respondents completed the survey. Screening removed 228 surveys, and an additional 85 surveys that failed reliability checks were removed. The final sample was 643 surveys (or a 2.7 percent response rate).

Table 2. Sample response
Total sampling frame: 23,413
Total returns: 956
Rejected surveys: 85
Screened surveys: 228
Final sample: 643 (2.7%)

As noted in Table 3, the respondents' average (mean) experience in IT, IT security or related fields is 9.73 years.

Table 3. Other characteristics of respondents (mean)
Total years of IT or IT security experience: 9.73
Total years in your current position: 5.21

Pie Chart 1 reports the industry segments of respondents' organizations. This chart identifies financial services (18 percent) as the largest segment, followed by public sector (13 percent) and e-commerce (10 percent).

Pie Chart 1. Industry distribution of respondents' organizations (segments: Financial services 18%, Public sector 13%, E-commerce 10%, Retail, Health & pharmaceuticals, Technology & software, Services, Transportation, Hospitality, Communications, Entertainment & media, Gaming, Industrial, Consumer products, Energy & utilities, Other)

Pie Chart 2 reports the respondents' organizational level within participating organizations. By design, 57 percent of respondents are at or above the supervisory level.

Pie Chart 2. What organizational level best describes your current position? (categories: Senior Executive, Vice President, Director, Manager, Supervisor, Technician, Staff, Contractor, Other)

According to Pie Chart 3, 55 percent of respondents report directly to the Chief Information Officer and 18 percent report to the Chief Information Security Officer.

Pie Chart 3. The primary person you or the IT security practitioner reports to within the organization (Chief Information Officer 55%; Chief Information Security Officer 18%; other categories: Compliance Officer, Chief Risk Officer, Data Center Management, Chief Security Officer, Chief Financial Officer, Other)

More than half of the respondents (58 percent) are from organizations with a global headcount of over 1,000 employees, as shown in Pie Chart 4.

Pie Chart 4. Global headcount (categories: < [value]; [value] to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; > 75,000)

As shown in Figure 20, 100 percent of respondents reported they have employees located in the United States and 62 percent reported they have employees located in Europe.

Figure 20. Location of employees (more than one choice permitted; categories: United States 100%, Europe 62%, Canada, Asia-Pacific, Latin America (including Mexico), Middle East & Africa)

Part 5. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in August.

Survey response (Freq. / Pct%)
Total sampling frame: 23,413
Total returns: 956
Rejected surveys: 85
Screened surveys: 228
Final sample: 643 / 2.7%

Screening questions

S1. How familiar are you with business logic abuse as defined above? (Freq. / Pct%)
Very familiar: 171
Familiar:
Somewhat familiar:
No knowledge (Stop):
Total:

S2. Approximately, how much of your organization's revenues (gross sales) are from website-related activities? (Freq. / Pct%)
None (Stop): 34 / 5%
1 to 10%: 51 / 7%
11 to 20%: 39 / 5%
21 to 30%: 40 / 6%
31 to 40%:
41 to 50%:
51 to 60%:
61 to 70%:
71 to 80%:
81 to 90%:
91 to 100% (virtually all): 56 / 8%
Total:

S3. Do you have any responsibility for the security of your organization's websites? (Freq. / Pct%)
Yes, full responsibility:
Yes, some responsibility:
Yes, minimum responsibility: 75 / 11%
No responsibility (Stop): 38 / 6%
Total:
Final sample (after removal of screened surveys): 643

Attributions. Please rate each one of the following ten (10) statements using the opinion scale from strongly agree to strongly disagree provided below each item.
Q1a. Business logic abuse represents a significant security issue for my company. Strongly agree 22%, Agree 33%
Q1b. The prevention of business logic abuses is a priority in my company's website development efforts. Strongly agree 18%, Agree 24%
Q1c. Most business logic abuses that occur on my company's websites are quickly detected and remediated. Strongly agree 18%
Q1d. My company is vigilant in monitoring all websites for business logic abuses. Strongly agree 14%
Q1e. My company is better at preventing business logic abuses than other companies in our industry. Strongly agree 16%, Agree 17%
Q1f. My company's security budget is sufficient for minimizing business logic abuses. Strongly agree 19%
Q1g. My company has sufficient in-house personnel (experts) for minimizing business logic abuses. Strongly agree 17%, Agree 18%
Q1h. My company has sufficient technologies and tools for minimizing business logic abuses. Strongly agree 13%, Agree 19%
Q1h. The frequency of business logic abuses experienced by my company is on the rise. Strongly agree 26%, Agree 27%
Q1i. The severity of business logic abuses experienced by my company is on the rise. Strongly agree 23%, Agree 26%
Q1j. Remediating business logic abuses is difficult because fixes that curtail criminals may diminish the web experience of legitimate end-users. Strongly agree 34%

Q2. Approximately, how many customer-facing websites does your company have in production today? Your best guess is welcome. (Pct%)
Between 1 and 5: 7%
Between 6 and 10: 5%
Between 10 and 20: 15%
Between 21 and 30: 15%
Between 31 and 40: 7%
Between 41 and 50: 11%
Between 51 and 100:
More than 100:
Total: 100%

Q3. In a 12-month period, what percent of your company's total revenues (gross sales) were lost due to the financial or brand impact of Internet fraud? Your best guess is welcome. (Pct%)
None: 10%
1 to 2%: 32%
3 to 4%: 33%
5 to 6%: 8%
7 to 8%: 6%
9 to 10%: 3%
11 to 15%: 4%
More than 15%: 4%
Total: 100%

Q4. In the past 12 months, how many separate incidents of business logic abuses did your company experience? Your best guess is welcome. (Pct%)
None: 20%
Between 1 and 5: 18%
Between 6 and 10: 22%
Between 10 and 20: 11%
Between 21 and 30: 7%
Between 31 and 40: 3%
Between 41 and 50: 6%
Between 51 and 100: 8%
More than 100: 6%
Total: 100%

Q5. On average, how much time is spent by your technical staff (or contractor) remediating the consequences of one business logic abuse incident? Your best guess is welcome. (Pct%)
None: 13%
< 1 hour: 9%
1 to 4 hours: 19%
5 to 8 hours: 27%
1 to 2 days: 13%
2 to 5 days: 6%
More than 5 days: 14%
Total: 100%

Q6. On average, how much downtime does your company experience each time a business logic abuse is being remediated? Your best guess is welcome. (Pct%)
None: 5%
< 10 minutes: 7%
11 to 15 minutes: 12%
16 to 30 minutes: 11%
31 to 45 minutes: 17%
46 to 60 minutes:
1 to 2 hours: 9%
2 to 4 hours: 4%
4 to 8 hours:
> 8 hours (1 full day): 15%
Total: 100%

Q7. On average, how much does it cost your company in lost traffic and/or online sales when a website is down for one hour? Your best guess is welcome. (Pct%)
None: 3%
Less than $1,000: 19%
$1,000 to $5,000: 15%
$5,001 to $10,000: 12%
$10,001 to $20,000: 14%
$20,001 to $50,000: 8%
$50,001 to $100,000: 9%
$100,001 to $500,000: 7%
$500,000 to $750,000: 6%
$750,001 to $1 million: 2%
More than $1 million: 4%
Total: 100%

Q8. Relative to other security issues in your company, how important is the prevention of business logic abuses? (Pct%)
More important than other security issues: 21%
Equally important to other security issues: 67%
Less important than other security issues: 12%
Total: 100%

Q9. What steps does your organization take to prevent or detect business logic abuses? Please rate each one of the following steps in terms of its importance using the following scale: 1 = very important, 2 = important, 3 = somewhat important, 4 = not important, 5 = irrelevant.
Manual inspection and assessment during development of web pages: Very important 25%, Important 27%
Manual inspection and assessment of web pages in production: Very important 23%, Important 27%
Thorough testing of the website's functionality prior to production: Very important 17%, Important 18%
Automated forensic tools that detect business logic abuses: Very important 13%, Important 24%
Content aware firewalls (including next generation firewalls): Very important 19%, Important 25%
Security intelligence systems such as SIEM: Very important 12%, Important 26%
Intrusion detection systems: Very important 14%
Intrusion prevention systems: Very important 11%, Important 15%
Network security and VPN: Very important 9%, Important 22%
Use of WAF: Very important 19%, Important 18%

Opinion questions. Scale: very difficult, difficult, somewhat difficult and not difficult.
Q10a. In your opinion, how difficult are business logic abuses to detect? Very difficult 33%
Q10b. In your opinion, how difficult are business logic abuses to fix or remediate? Very difficult 34%, Difficult 32%
Q10c. In your opinion, how difficult is it to know the real customers from criminals who are accessing your website? Very difficult 42%, Difficult 32%

Q11. Does your organization have real-time visibility into its website traffic? In other words, can you detect the presence of a criminal or fraudster immediately? (Pct%)
Yes: 36%
No: 51%
Unsure: 13%
Total: 100%

Q12. Who is most responsible for curtailing business logic abuses on your company's websites? (Pct%)
Chief information officer (CIO): 20%
Chief technology officer (CTO): 2%
Chief information security officer (CISO): 14%
Chief security officer (CSO): 1%
Chief risk officer (CRO): 2%
Data center management: 3%
Business unit management: 14%
Website development leader/manager: 10%
Fraud prevention leader/manager: 5%
Corporate compliance or legal department: 2%
Web hosting service provider: 4%
No one person or function has overall responsibility: 22%
Other (please specify): 2%
Total: 100%

Q13. Is your company's IT security function involved in the prevention or detection of business logic abuses?

                                    Pct%
  Yes, always                        11%
  Yes, sometimes                     40%
  No                                 36%
  Unsure                             13%
  Total                              100%

Q14. Are business partner websites that link to your company's websites inspected or tested for business logic abuses?

                                    Pct%
  Yes, always                        12%
  Yes, sometimes                     35%
  No                                 41%
  Unsure                             12%
  Total                              100%

Business logic abuse scenarios

The following ten (10) scenarios are examples of business logic abuses that may affect your company's websites. Please rate each scenario in terms of likelihood and difficulty using the scale below each item. Select the "not applicable" response when the scenario does not fit the nature or context of your company.

Likelihood scale: already happened, very likely, likely, not likely, not applicable. Difficulty scale: very difficult, difficult, somewhat difficult, not difficult, easy.

Testing stolen credit cards. A cyber criminal steals hundreds of credit card numbers and uses your credit or debit card payments function to validate active credit cards.

                                                              Very likely     Likely
  Q15a. How likely could this happen to your company?             21%          32%
                                                              Very difficult  Difficult
  Q15b. How difficult would it be to detect this situation?       34%          31%

Web scraping. A cyber criminal wants to obtain confidential information contained on non-public pages in your website (such as price or inventory lists). Assume this criminal gains access to restricted pages and proceeds to scrape your company's site without your knowledge.

                                                              Very likely     Likely
  Q16a. How likely could this happen to your company?             35%          34%
                                                              Very difficult  Difficult
  Q16b. How difficult would it be to detect this situation?       45%          29%

Click fraud. Your company hires an agency to conduct an online advertising campaign. The agency is paid on a per click basis. In reality many of the paid per clicks are not authentic (i.e., not involving an interested consumer).

                                                              Very likely     Likely
  Q17a. How likely could this happen to your company?                   32%
                                                              Very difficult  Difficult
  Q17b. How difficult would it be to detect this situation?       33%          39%

Account hijacking. A successful spear phishing scam resulted in cyber criminals obtaining the user names and passwords of customers. The leakage of customer account information occurred because employees were duped by what appeared to be a legitimate internal company communication. The crime originated when the criminal obtained key employee addresses directly from the website.

                                                              Very likely     Likely
  Q18a. How likely could this happen to your company?             35%          28%
                                                              Very difficult  Difficult
  Q18b. How difficult would it be to detect this situation?       39%          28%

Botnet and DoS. A cyber criminal targets a botnet against your company and this results in a denial of service (DoS) attack that ultimately brings down your websites.

                                                              Very likely     Likely
  Q19a. How likely could this happen to your company?                   22%
                                                              Very difficult  Difficult
  Q19b. How difficult would it be to detect this situation?       35%          32%

Mass registration. A cyber criminal creates a fake website that imitates your company's website. Loyal and prospective customers are lured to this bogus website, which asks them to provide personal information in order to register for a promotion or offer. This results in the theft of sensitive information.

                                                              Very likely     Likely
  Q20a. How likely could this happen to your company?             21%          24%
                                                              Very difficult  Difficult
  Q20b. How difficult would it be to detect this situation?       31%          28%

App store fraud. Your company has an app store/marketplace, providing access to products and instant rebates. Criminals masquerading as a merchant and a buyer manipulate the open platform for financial gain, cashing in on rebates and earning points from credit card incentive programs.

                                                              Very likely     Likely
  Q21a. How likely could this happen to your company?             23%          25%
                                                              Very difficult  Difficult
  Q21b. How difficult would it be to detect this situation?       45%          31%

Mobility use case. Your company has expanded its consumer reach using a mobility platform that allows customers to access its websites using smart phones and other mobile devices. Cyber criminals infiltrate these devices with malware that captures customers' account access credentials. The criminals harvest this information to take over accounts using a laptop or desktop computer.

                                                              Very likely     Likely
  Q22a. How likely could this happen to your company?             23%          29%
                                                              Very difficult  Difficult
  Q22b. How difficult would it be to detect this situation?       41%          28%

ecoupons. Fraudsters do an end-run around your company's pricing policy. They select a heavily discounted item and place it in the shopping cart. They delay the checkout in order to obtain and apply an ecoupon to the final purchase price, thus obtaining the item well below your company's cost.

                                                              Very likely     Likely
  Q23a. How likely could this happen to your company?             26%          26%
                                                              Very difficult  Difficult
  Q23b. How difficult would it be to detect this situation?       37%          32%

Electronic wallet. Your company has expanded customer payment options to include Internet payment methods such as PayPal, Google Wallet, Amazon Checkout and others. A criminal looking for sites that have recently added Internet payment processes identifies your site and is able to exploit the lack of fully implemented security controls.

                                                              Very likely     Likely
  Q24a. How likely could this happen to your company?             22%          29%
                                                              Very difficult  Difficult
  Q24b. How difficult would it be to detect this situation?       44%          35%

Your role and organization

D1. What organizational level best describes your current position?

                                    Pct%
  Senior Executive                    1%
  Vice President                      1%
  Director                           16%
  Manager                            23%
  Supervisor                         16%
  Technician                         34%
  Staff                               5%
  Contractor                          3%
  Other                               1%
  Total                              100%

D2. Check the primary person you or your IT security leader reports to within the organization.

                                    Pct%
  CEO/Executive Committee             1%
  Chief Financial Officer             2%
  General Counsel                     1%
  Chief Information Officer          55%
  Chief Information Security Officer 18%
  Compliance Officer                  7%
  Human Resources VP                  1%
  Chief Security Officer              3%
  Data Center Management              5%
  Chief Risk Officer                  6%
  Other                               1%
  Total                              100%

D3. Total years of relevant experience

                                              Mean (years)
  Total years of IT or security experience        9.73
  Total years in current position                 5.21

D4. What industry best describes your organization's industry focus?

                                    Pct%
  Agriculture & food services         1%
  Communications                      3%
  Consumer products                   2%
  E-commerce
  Education                           1%
  Energy & utilities                  2%
  Entertainment & media               3%
  Financial services                 18%
  Gaming                              3%
  Health & pharmaceuticals            8%
  Hospitality                         4%
  Industrial                          3%
  Public sector                      13%
  Retail                              9%
  Services                            5%
  Technology & software               8%
  Transportation                      5%
  Other                               2%
  Total                              100%

D5. Where are your employees located? (Check all that apply.)

                                    Pct%
  United States                      100%
  Canada                             61%
  Europe                             62%
  Middle East & Africa               43%
  Asia-Pacific                       54%
  Latin America (including Mexico)   47%

D6. What is the worldwide headcount of your organization?

                                    Pct%
  < 100                               7%
  100 to 500
  501 to 1,000                       19%
  1,001 to 5,000                     25%
  5,001 to 25,000                    18%
  25,001 to 75,000                    9%
  > 75,000                            6%
  Total                              100%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.