Your Cyber Attackers! Avoid Data Breaches by Protecting Your Most Likely Attack Targets
- by nlqip
The obvious takeaway here is that the two most commonly breached application vulnerability classes, remote code execution in forum software and SQL injection, represent low-hanging fruit for attackers.
Forum software is a favorite target because it consumes user-supplied content: posts, signatures, avatars and attachments. If that content is not validated and sanitized properly, it can carry a payload that ends with a PHP backdoor being written to the server. Forum makers (as well as CMS providers, whose software has similar issues) regularly publish advisories for critical remote code execution vulnerabilities. In turn, attackers automate their recon scans to fingerprint the specific forum software and version for which they have written an exploit. If you are running forum software with an unpatched critical remote code execution vulnerability, the chances are high that you have already been exploited.
SQL injection, a critical vulnerability in which untrusted input is concatenated into a database query so that an attacker can change the query's logic, read or modify data in the backend database and, depending on the database privileges involved, execute administrative operations, shouldn't require explanation because it's been around for decades. It's a complete and utter InfoSec fail for this to be a top attack root cause. These vulnerabilities are extremely easy for anyone (an attacker, or the company's own security team) to find, and for attackers to exploit.
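One common path from "unsanitized user content" to "PHP backdoor" is an avatar or attachment upload that trusts the client's filename and writes it into a web-served directory. The block below is an added example, not code from the original article or from any forum product: it shows a constructed upload handler in that unsafe form next to a hardened one that validates the bytes, ignores the client's name and extension, and writes only a fixed image type. The file names, the `avatars` directory and the PNG-only allowlist are assumptions for the illustration.

```python
"""Constructed example: an avatar-upload handler for a PHP forum, first in the
form that lets an attacker plant a PHP backdoor, then hardened.
All uploads are constructed inline; files are written to a temp directory."""
import os
import secrets
import tempfile
from typing import Dict, Optional

# PNG file signature; the safe handler checks bytes, not the client filename.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {".png"}  # assumption: this forum only needs PNG avatars

# Constructed uploads as (client filename, body). A real attacker would send
# the same thing through the forum's profile form.
BENIGN_UPLOAD = ("me.png", PNG_MAGIC + b"\x00" * 16)
BACKDOOR_UPLOAD = ("shell.php", b"<?php system($_GET['c']); ?>")
# A polyglot: valid PNG header followed by PHP. It passes a magic-bytes check
# on its own, which is why the safe handler also never keeps the client's
# extension and rejects embedded PHP open tags.
POLYGLOT_UPLOAD = ("avatar.php", PNG_MAGIC + b"<?php system($_GET['c']); ?>")


def store_avatar_unsafe(webroot: str, filename: str, content: bytes) -> str:
    """Trusts the client's filename: a .php body lands in a web-served dir,
    and the web server will execute it on the next request to that path."""
    dest = os.path.join(webroot, "avatars", os.path.basename(filename))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest


def store_avatar_safe(webroot: str, filename: str, content: bytes) -> Optional[str]:
    """Validates content, discards the client's name, writes a .png only.
    Returns the stored path, or None when the upload is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if not content.startswith(PNG_MAGIC):
        return None
    # Heuristic polyglot check. The stronger fix is to re-encode the image
    # and serve avatars from a directory with script execution disabled.
    if b"<?php" in content or b"<?=" in content:
        return None
    dest = os.path.join(webroot, "avatars", secrets.token_hex(16) + ".png")
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest


def run_demo() -> Dict[str, Optional[str]]:
    """Runs both handlers over the constructed uploads in a temp webroot and
    reports what each one did with the backdoor, the polyglot and the PNG."""
    with tempfile.TemporaryDirectory() as webroot:
        unsafe_path = store_avatar_unsafe(webroot, *BACKDOOR_UPLOAD)
        safe_benign = store_avatar_safe(webroot, *BENIGN_UPLOAD)
        return {
            # the unsafe handler left an executable .php in the webroot
            "unsafe_backdoor_ext": os.path.splitext(unsafe_path)[1],
            "safe_backdoor": store_avatar_safe(webroot, *BACKDOOR_UPLOAD),
            "safe_polyglot": store_avatar_safe(webroot, *POLYGLOT_UPLOAD),
            "safe_benign_ext": os.path.splitext(safe_benign)[1] if safe_benign else None,
            "safe_benign_existed": "yes" if safe_benign and os.path.exists(safe_benign) else "no",
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The unsafe handler is exactly the pattern a scanner looks for: a known product whose upload path can be made to drop a `.php` file. The hardened handler removes every attacker-controlled choice (name, extension, type), which is the point of "sanitize properly" in the paragraph above.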
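To make the "inject SQL queries" mechanism concrete, the block below is an added example, not the article's own code: a forum login query built by string formatting beside the parameterized form, both run against an in-memory SQLite database seeded with constructed users. The table layout, the two accounts and the attacker inputs are assumptions for the illustration; the comment-terminator and UNION tricks shown are the generic ones and work against any database that concatenates input into SQL.

```python
"""Constructed example: injectable vs parameterized login query, run
against an in-memory SQLite database seeded inline."""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, int]


def make_db() -> sqlite3.Connection:
    """Seeds a tiny users table (constructed data, not from any real forum)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, is_admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO users (name, pw, is_admin) VALUES (?, ?, ?)",
        [("admin", "hunter2", 1), ("alice", "s3cret", 0)],
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> List[Row]:
    """The bug: user input is pasted into the SQL text, so quotes and
    comment markers in the input become part of the query's logic."""
    sql = f"SELECT name, is_admin FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchall()


def login_safe(con: sqlite3.Connection, name: str, pw: str) -> List[Row]:
    """The fix: placeholders keep input as data; the driver never lets it
    alter the statement, whatever characters it contains."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchall()


# Constructed attacker inputs.
# 1) Comment out the password check: WHERE name = 'admin' -- ' AND pw = ''
BYPASS_NAME = "admin' -- "
# 2) Bolt a UNION onto the query to read every password hash column.
DUMP_NAME = "x' UNION SELECT pw, id FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS_NAME, ""))
    print("vulnerable, dump:  ", login_vulnerable(db, DUMP_NAME, ""))
    print("safe, bypass:      ", login_safe(db, BYPASS_NAME, ""))
    print("safe, real creds:  ", login_safe(db, "alice", "s3cret"))
```

Both attacker strings are the first thing an automated scanner tries, which is why the paragraph above calls these vulnerabilities easy to find. Note that the safe version still returns the expected row for a genuine login, so parameterization costs nothing functionally.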
Security professionals should expect these types of vulnerabilities to be targets of attack and plan their vulnerability management accordingly.
Getting to Your Data through User Identity Attacks
When the development and security teams have done a good job securing an application, it’s much easier for attackers to get to the data through users who have access to the application and the data within it.
In the cases we researched, identities were the initial attack target in 33% of the breaches. Most of these attacks were attributed to phishing; it turns out tricking a user into giving up their credentials is remarkably easy, despite the industry’s security awareness training efforts. Thanks to social media and consumers’ eagerness to share every aspect of their personal lives (see data collected from various public forms), phishing attacks will remain highly effective for the foreseeable future.