A totality – a full 100% – of web applications are vulnerable to hackers.

According to Trustwave’s 2018 Global Security Report, derived from the analysis of billions of logged security and compromise events worldwide, all apps tested displayed at least 1 vulnerability, with 11 as the median number detected per application. A majority (85.9%) of web application vulnerabilities involved session management, allowing an attacker to eavesdrop on a user session to commandeer sensitive information.

Vulnerabilities overall have seen a sharp surge, the report found. After remaining relatively level from 2008 to 2011, a marked increase in vulnerability disclosures began in 2012, with a dramatic spike in 2017. This is in part due to the doubling of internet users over the course of a decade, Trustwave pointed out: The technically savvy, including both security researchers and criminals, are now actively looking for vulnerabilities with the latter selling corresponding exploits on the dark web to make hefty profits. More vulnerabilities of course equate to greater potential for exploitations.

The report also found that web attacks are becoming more targeted, more prevalent and much more sophisticated. Many breach incidents show signs of careful preplanning by cybercriminals probing for weak packages and tools to exploit. Cross-site scripting (XSS) was involved in 40% of attack attempts, followed by SQL injection (SQLi) at 24%, path traversal at 7%, local file inclusion (LFI) at 4%, and distributed denial of service (DDoS) at 3%.

Meanwhile, even as cyber-defenders log improvements in such areas as detection times, bad actors are showing increased sophistication in malware obfuscation and social-engineering tactics.

On the malware front, although 30% of malware examined used obfuscation to avoid detection and bypass first-line defenses, 90% used persistence techniques to reload after reboot.

Social engineering, including phishing, tops methods of compromise at 55%. That’s followed by malicious insiders at 13% and remote access at 9%. This indicates that the human factor remains the greatest hurdle for corporate cybersecurity teams. CEO fraud, a social engineering scam encouraging executives to authorize fraudulent money transactions, also continues to increase.

In the good-news column, the median time between intrusion and detection for compromises discovered internally dropped from 16 days in 2016 to zero days in 2017, meaning businesses discovered the majority of breaches the same day they happened.

North America and retail lead in data breaches, although the number is slightly down from the previous year. The US, Canada and Mexico accounted for 43% of breaches, followed by the Asia Pacific region at 30%; Europe, Middle East and Africa (EMEA) at 23%; and Latin America at 4%. The retail sector suffered the most breach incidences at 16.7%, followed by the finance and insurance industry at 13.1% and hospitality at 11.9%.

“Our 2017 threat intelligence and investigations along with a retrospective view of the last 10 years has unequivocally exposed cybercriminals and their attacks are becoming more methodical and organized,” said Steve Kelley, CMO at Trustwave. “As long as cybercrime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data. Security is as much a ‘people’ issue as it is a technology issue. To stay on par with determined adversaries, organizations must have access to security experts who can think and operate like an attacker while making best use of the technologies deployed.”