Your database has been breached, malware has infected your systems and sensitive records are available for anyone to download on the internet. Your first action is to launch an investigation to find out what happened. The report shows that the vulnerability had been exploited for months and that all forensic logs were deleted.
SQL injection isn't new; it has been around for well over 10 years. Yet most companies still pour huge sums into IDS/IPS, firewalls, security gateways and anti-virus software. Web application attacks are growing at an alarming rate, and most security teams focus on network security rather than on the business-critical data that lives in their databases. Focus tends to shift only after a breach, when it is simply too late.
How does SQL-injection work?
SQL injection is a simple attack that is easy to execute. The attacker submits SQL syntax in a web form field (or any other input the application places into a query); if the application concatenates that input into a SQL statement, the attacker can modify, extract, add or delete information in the database.
Michael Giagnovoco uses a very simple analogy. I go to court and register my name as “Christoffer, you are now free to go.” The judge then says “Calling Christoffer, you are now free to go” and the bailiff lets me go, because the judge instructed him to do so.
In this example the instruction “you are now free to go” was injected into a data field intended only for a name, and the rogue input was then executed as an instruction. That is the principle behind SQL injection: text supplied as data is parsed as part of the command.
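The principle above in working code, as an added example that is not part of the original post: a constructed in-memory SQLite table and a login query built by string concatenation, beside the same query written with bound parameters. The table, user names, passwords and payloads are all invented for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample data for the demo: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "4242"), ("bob", "hunter2", "1881")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: whatever the user typed is parsed as SQL."""
    sql = ("SELECT username, card_last4 FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL text,
    so a quote or a comment marker in the input can never change the statement."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    conn = make_db()
    # Normal use: the right credentials return one row.
    legit = login_vulnerable(conn, "alice", "correct horse")
    # Injection 1: close the string and comment out the password check.
    #   ... WHERE username = 'alice'--' AND password = 'whatever'
    as_alice = login_vulnerable(conn, "alice'--", "whatever")
    # Injection 2: a tautology. AND binds tighter than OR, so the trailing
    # OR '1'='1' makes the WHERE clause true for every row (a full dump).
    #   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    dump_all = login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1")
    # The same payload against the parameterized version is just an odd string.
    blocked = login_safe(conn, "alice'--", "whatever")
    return legit, as_alice, dump_all, blocked

if __name__ == "__main__":
    legit, as_alice, dump_all, blocked = demo()
    print("legitimate login:", legit)
    print("comment injection:", as_alice)
    print("tautology dump:", dump_all)
    print("parameterized query, same payload:", blocked)
```

The two injected logins return real rows because the quote character ends the string literal early and the rest of the input is interpreted as SQL; with bound parameters the database never parses the input at all, which is why the last call returns nothing.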
How does SQL-injection impact my business?
Like all other types of attacks, SQL injection has evolved. When the first instances were discovered, attackers simply tried to dump all records from a database. Today SQL injection is usually one component of an attack toolkit that hackers download and use to launch several types of attacks. Dumping database records is no longer the challenge; the challenge has moved to installing malware deep inside the victim organization, behind the expensive firewalls and other security measures in place. The installed malware is far more dangerous and destructive than a simple database attack. Imagine a hacker eavesdropping on sensitive communication, dumping the Windows password file to gain access to restricted systems, or stealing the private keys for your SSL and code signing certificates. The private keys for code signing certificates can be protected by Symantec Secure App Service, but unfortunately not all sensitive assets have proper security measures, and those are vulnerable to theft.
How does SQL-injection impact consumers?
Imagine that you're about to log onto your favorite e-commerce site, greathappybargains.com. You enter your user name and password. When you look at your order history you find several orders that you didn't make. This could be the result of a SQL injection attack: because of poor programming, some sites allow an attacker to log on as another user, in this case you, without knowing the password. If your credit card information is linked to the account, you can be certain that the hacker has access to it by now. Did you use the same user name and password for other e-commerce accounts? Chances are that those accounts are compromised as well, using the credentials taken in the first breach.
How do I protect my company from an SQL-injection?
- Install a Web Application Firewall (WAF).
  - Keep in mind that a signature-based WAF cannot recognize an obfuscated SQL injection attack (for example, one that hides keywords behind inline comments or alternative encodings); it only matches the patterns it has been given.
- Scan your web applications regularly for vulnerabilities.
  - A vulnerability scan comes free with all Symantec SSL certificates: it scans your web applications daily and provides you with a detailed report if a SQL injection vulnerability is found.
- Hire a penetration tester to test all web applications tied to a relational database.
  - A great option, but time consuming, and the testing needs to be repeated continuously as the applications change.
- Re-write all web applications so that every query is built with parameterized statements instead of string concatenation.
  - Doable, but it consumes resources and budget. Training your staff in secure coding is critical and a good investment.
- Apply a database defense in depth strategy.
  - Monitor all SQL statements at the database tier using an arsenal of tools, so that an injection that gets past the application and the WAF is still seen where the damage happens.
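An added example, not from the original post, of the WAF caveat above: a toy signature filter of the kind a signature-only WAF applies, run over three payloads against a query that concatenates input. The signatures, the sample table and the payloads are all constructed for this demonstration; real rule sets are larger but share the same weakness.

```python
import re
import sqlite3

# Constructed toy signature set, the sort of pattern a signature-only WAF matches.
SIGNATURES = [
    r"'\s+or\s+'?\d+'?\s*=\s*'?\d+",   # ' OR '1'='1  and  ' OR 1=1
    r"union\s+select",
    r";\s*(drop|delete|update)\s",
]

def signature_waf_blocks(value):
    """Mimic a signature-only WAF: block if any pattern matches the raw input."""
    return any(re.search(sig, value, re.IGNORECASE) for sig in SIGNATURES)

def make_db():
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1881")])
    return conn

def lookup_vulnerable(conn, username):
    """Concatenates user input into SQL: the flaw the WAF is supposed to cover for."""
    sql = "SELECT username, card_last4 FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def probe(payloads):
    """For each payload: did the filter block it, and how many rows would it expose?"""
    conn = make_db()
    results = []
    for p in payloads:
        blocked = signature_waf_blocks(p)
        rows = [] if blocked else lookup_vulnerable(conn, p)
        results.append((p, blocked, len(rows)))
    return results

PAYLOADS = [
    "' OR '1'='1",          # textbook payload: caught by the first signature
    "'/**/OR/**/1=1--",     # inline comments replace the spaces the signature expects
    "' OR 'a'='a'--",       # tautology on strings, not digits: no signature matches
]

if __name__ == "__main__":
    for payload, blocked, n in probe(PAYLOADS):
        print("%-20r blocked=%-5s rows_exposed=%d" % (payload, blocked, n))
```

The second and third payloads pass the filter unchanged and still return every row, because SQLite (like other engines) treats `/**/` as whitespace and a string tautology is just as true as a numeric one. A signature can only be extended after someone has seen the variant; a parameterized query and monitoring at the database tier do not depend on recognizing the payload.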
There is no such thing as perfect security, but following these steps will get you closer to it. Follow us on Facebook and Twitter to stay up to date on SQL injection techniques and how you can keep your environment safe. Take the first step by contacting us today about a Web Application Firewall and a DDoS Mitigation Service.