I’ve given many presentations about website security statistics, most recently at SANS, stating that somewhere between 70% and 90% of websites have serious vulnerabilities. I dig into severity breakdowns, top ten lists, vertical industry comparisons, and more. After bearing witness to the data at hand and what the “bad guys” could do (or already have done), attendees emerge from the Denial stage of Web security grief and enter Anger. Others remain skeptical, which is completely understandable, and curious about something particularly relevant. They ask, “If these statistics are accurate and the Web is so insecure, why aren’t websites hacked more often?” This is a darn good question!
Why aren’t the bad guys pillaging everything in sight?
First off, websites ARE getting hacked. A LOT! The Zone-H defacement archive clearly illustrates the size of the problem. Secondly, the public isn’t always made aware of every website hack, and the media doesn’t advertise every incident. Many profit-driven website hacks will never be made public because both the bad guy and the victim keep the incident confidential. The various state disclosure laws only apply to customer personal and private data, not to incidents that compromise source code, trade secrets, brokerage account access, etc. The point is that the published information only tells us the best-case scenario.
However, these explanations aren’t satisfying, probably because we can’t measure them. Perhaps there is another possibility. Consider that Netcraft says there are roughly 128 million websites and about 2 million more are added per month. Those in the industry know the challenge of finding, hiring, training, and retaining web security people. Could it be that there simply aren’t enough bad guys with the necessary skills and motivation to monetize web hacks? Could there be more than 2,000 such morally flexible people? I have no idea if this number is accurate or not, but it seemed reasonable. This could explain why Web banks aren’t yet getting compromised hourly and why MySpace and Facebook aren’t suffering Web worms daily.
Something to consider anyway.