
SQL injection (SQLi) has been a known threat for more than 15 years, so it is astonishing that it is still one of the top data threats to organizations. In a recent report, Akamai observed an 87% increase in SQLi attacks in Q1 2016 compared with the previous quarter.

Why is this such a persistent problem?

There are two reasons SQLi is still on the rise: the nature of the attackers and the ease of performing such attacks.

 …

Who and how?

Today, the attacks are carried out by well-funded professionals. Simply put, there is real money to be made by stealing corporate, personal, government and financial data. In some places, law enforcement is quite lax about punishing these types of crimes, so cyber-crime organizations have more leeway and take their criminal activities to another level.

Another group responsible for a large number of recent cyber-crimes are hacktivists. Even though they do not have the financial resources of organized cyber-crime professionals, they are very determined and will stop at nothing.

Finally, when looking at attackers who target governments, we are talking about very sophisticated, well-funded professionals who are not subject to the law. Covert actions are carried out by just about every government. You don't have to look far to find out that governments want to know what their citizens, other governments, or commercial bodies are doing worldwide.

The second reason why we see growth in SQLi attacks is the ease of use of the tools available. It is simple to search for automated tools and run SQLi attacks against vulnerable sites and apps. Many of these tools are well known, but it is also fairly easy to make a few customizations, giving the attacker a good start.

What is SQLi?

In short, an SQL injection attack occurs when an attacker supplies input that the application pastes unchecked into a SQL query, so that part of the input is interpreted by the database as SQL rather than as data. In other words, a legitimate application, such as online banking, is driven with crafted input that carries commands the application was never meant to issue. If the site or application does not have the appropriate rules in place, some of those commands get through and read or modify the data directly.
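The mechanism described above, as an added example that is not part of the original post: a login check built by string concatenation beside the same check written with bound parameters, run against a constructed in-memory SQLite table (the table, the accounts and the function names are assumptions made for the demo).

```python
import sqlite3

# Constructed sample accounts for an in-memory SQLite database (example data only).
# Passwords are stored in plaintext here only to keep the demo short; never do this.
SAMPLE_USERS = [("alice", "correct horse", 1500), ("bob", "hunter2", 40)]


def setup_db():
    """Create the in-memory database and load the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, balance) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic bug: user input is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL.
    Returns the usernames the query matched."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately from the SQL text, so they can never change its structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def run_demo():
    """Run both versions against a legitimate login and two classic payloads."""
    conn = setup_db()
    legit = login_vulnerable(conn, "alice", "correct horse")
    # Tautology: the leading quote closes the literal, OR '1'='1' is always true,
    # and -- comments out the password check, so every row matches.
    bypass_all = login_vulnerable(conn, "' OR '1'='1' -- ", "anything")
    # Targeted takeover: close the literal after a known username and comment
    # out the password check, logging in as bob without his password.
    takeover = login_vulnerable(conn, "bob' -- ", "anything")
    # The same payloads are just an unusual username when bound as parameters.
    safe = login_parameterized(conn, "' OR '1'='1' -- ", "anything")
    safe_takeover = login_parameterized(conn, "bob' -- ", "anything")
    return {
        "legit": legit,
        "bypass_all": sorted(bypass_all),
        "takeover": takeover,
        "safe": safe,
        "safe_takeover": safe_takeover,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point of the parameterized version is that the payload never reaches the SQL parser as SQL: the database receives the query shape and the values on separate channels, so no amount of quoting in the input can change what the statement does.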

How can organizations protect themselves?

A variety of methodologies can be used to protect your organization from SQLi attacks.

  • First and foremost, applications should be written using best practices: above all, send user input to the database as bound parameters of prepared statements rather than concatenating it into query strings. It is also important to harden your databases with proper configuration, for example by giving the application account only the privileges it actually needs.
  • Implementing an intrusion detection system (IDS) is the next step in protecting a database. In this context, such systems are essentially access control systems that ensure only authorized users can reach the database. However, they do not identify situations where an injected SQL statement arrives through a legitimate user's session and performs non-legitimate activities. If an authorized user or application account has been compromised, the IDS will still allow access, because it decides on the basis of the user, not the command. Database triggers are also used, but they are only useful for identifying obvious cases of data manipulation.
  • Some organizations have consultants or internal staff who try to attack their own sites and apps, to confirm that they are not vulnerable and to find exceptions before an attacker does.
  • Application-layer input validation is an essential step in stopping SQLi. That means checking every single parameter of every command, including the source of the command, the request itself, and whether the command is valid under normal conditions. Validation should describe what is permitted (an allowlist); blocking known-bad strings alone is easily bypassed.
  • One of the more effective methods of preventing SQLi attacks is a dedicated database firewall. DB firewalls identify the common SQLi attacks and block them. Such software also has a range of built-in hardening tools, such as input validation. Another built-in function of a database firewall is to ensure that the names of your servers are hidden from anyone who does not directly need to know them.
  • A comprehensive database firewall acts as a proxy, inspecting every single command coming into the database, including the source of the command and the specific data being requested. It can identify specific attacks, and also repeated requests in a short time period, which usually indicate automated tooling or a brute-force attack.
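The three checks the last two items attribute to a database firewall (signature matching on the SQL text, checking the source of the command, and flagging bursts of requests from one source) as an added example that is not part of the original post and is not any vendor's product: a small analyzer run over constructed query-log lines. The log format, the source allowlist, the rule names and the thresholds are assumptions for the demo; a real proxy parses the SQL rather than pattern-matching it, because regex signatures are bypassed by trivial variations such as `OR/**/1=1`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed query-log lines in a made-up "ts src=... user=... sql=..." format
# (example data only). 10.0.0.5 plays the application server, 203.0.113.9 a stranger.
SAMPLE_LOG = """\
2016-04-12T10:00:01Z src=10.0.0.5 user=webapp sql="SELECT username FROM users WHERE username = 'alice' AND password = 'x'"
2016-04-12T10:00:03Z src=10.0.0.5 user=webapp sql="SELECT username FROM users WHERE username = '' OR '1'='1' -- ' AND password = 'x'"
2016-04-12T10:00:04Z src=10.0.0.5 user=webapp sql="SELECT id FROM orders WHERE id = 7 UNION SELECT password FROM users"
2016-04-12T10:00:05Z src=203.0.113.9 user=webapp sql="SELECT 1"
2016-04-12T10:00:06Z src=10.0.0.5 user=webapp sql="SELECT id FROM orders WHERE id = 1"
2016-04-12T10:00:06Z src=10.0.0.5 user=webapp sql="SELECT id FROM orders WHERE id = 2"
2016-04-12T10:00:06Z src=10.0.0.5 user=webapp sql="SELECT id FROM orders WHERE id = 3"
2016-04-12T10:00:07Z src=10.0.0.5 user=webapp sql="SELECT id FROM orders WHERE id = 4"
2016-04-12T10:00:07Z src=10.0.0.5 user=webapp sql="SELECT id FROM orders WHERE id = 5"
2016-04-12T10:00:07Z src=10.0.0.5 user=webapp sql="SELECT id FROM orders WHERE id = 6"
not a log line at all
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) sql="(?P<sql>.*)"$')

# Hypothetical signatures for a few classic injection shapes (illustrative, not complete).
SIGNATURES = {
    # OR 1=1, OR '1'='1', OR "a"="a": the same token on both sides of '='
    "tautology": re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I),
    # SQL comment used to cut off the rest of the statement
    "comment": re.compile(r"--|/\*"),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    # stacked statement appended after a semicolon
    "stacked": re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT|ALTER)\b", re.I),
}


def parse_line(line):
    """Return a dict with ts/src/user/sql, or None if the line does not fit the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text, allowed_sources, max_per_window=5, window_seconds=2):
    """Walk the log once and return (line_no, src, [rule names]) for every flagged line.

    Rules: signature hits on the SQL text, a source that is not an allowlisted
    application server, and more than max_per_window queries from one source
    inside a sliding window of window_seconds. Lines that do not parse are
    reported rather than silently dropped, since a gap in inspection is itself
    a finding for a proxy that is supposed to see every command.
    """
    alerts = []
    recent = defaultdict(deque)  # per-source timestamps inside the window
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            alerts.append((n, None, ["malformed"]))
            continue
        hits = [name for name, rx in SIGNATURES.items() if rx.search(rec["sql"])]
        if rec["src"] not in allowed_sources:
            hits.append("unknown_source")
        window = recent[rec["src"]]
        window.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) > max_per_window:
            hits.append("rate")
        if hits:
            alerts.append((n, rec["src"], hits))
    return alerts


if __name__ == "__main__":
    for line_no, src, rules in analyze(SAMPLE_LOG, {"10.0.0.5"}):
        print(f"line {line_no} src={src}: {', '.join(rules)}")
```

Two design points carry over to real deployments: the source check catches queries that bypass the application entirely (a stolen credential used from an unexpected host), and the rate check needs no knowledge of the payload at all, which is what makes it useful against automated tools whose individual requests may each look harmless.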

Conclusion

SQL injection attacks are on the rise, but they can be prevented with the tools available today. Organizations need to adopt a comprehensive security policy to protect their databases alongside all of their other traditional security measures.