Why SQL injection is the cybercriminals weapon of choice
Fifteen years on, organizations still struggle with the SQL injection threat
by Michael Sabo, VP of Marketing, DB Networks
There’s a sinking feeling you get when you realize your databases have been breached, sensitive records
compromised, and malware has infected your servers to push your sensitive data out over the Internet
completely undetected. The situation’s made worse when it’s revealed that the breach has actually
been ongoing for months. Oh, and it also turns out there are no logs of the SQL exchanges between the
web applications and the databases that could provide the forensics. And, to top it off, it’s only
Monday…
The SQL injection threat has plagued organizations for over 15 years. SQL injection consistently ranks at
the very top of web application attack vectors. Yet most shops continue to invest disproportionately more
on network security than they do to protect their core infrastructure assets such as their databases. This
is true even though the database holds the organization’s “crown jewels”, the mission-critical data. Of
course, once a database breach is discovered, SQL injection detection tends to get a whole lot of
attention. Barn door… horse… you get the idea.
With SQL injection the attacker is attempting to slip a SQL fragment through a web application’s web
form, URL, or a cookie with the intent to have it executed on the database. Here’s a simple analogy
Michael Giagnocavo uses. You go to court and write your name as “Michael, you are now free to go.”
The judge then says “Calling Michael, you are now free to go” and the bailiffs let you go, because the
judge instructed them to do so. In this example the “you are now free to go” instruction was
injected into a data field intended only for a name. Then the rogue input data was executed as an
instruction. That’s basically the principle behind how SQL injection operates.
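The courtroom analogy in code, added here as an illustration and not part of the article: a lookup that splices the name field into the SQL text beside the parameterized form, with a statement log of the kind the opening paragraph laments was missing. It assumes an in-memory SQLite table with constructed sample users.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """The 'judge reads the name card' pattern: the input is spliced into the SQL
    text, so a fragment written into the name field becomes part of the instruction."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the statement is fixed and the name travels as a bound value,
    so whatever it contains is compared as data and never executed."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo(name):
    """Run both lookups on the same input.

    Returns (rows_from_vulnerable, rows_from_parameterized, statement_log). The log
    records every statement the database actually executed, which is the evidence
    a forensic review or a SQL-level detection system would need."""
    conn = make_db()
    log = []
    conn.set_trace_callback(log.append)  # record each SQL statement as it runs
    vulnerable_rows = lookup_vulnerable(conn, name)
    safe_rows = lookup_parameterized(conn, name)
    return len(vulnerable_rows), len(safe_rows), log


if __name__ == "__main__":
    # A plain name returns one row either way; a name field carrying a SQL fragment
    # returns every row through the vulnerable path and nothing through the safe one.
    print(demo("bob")[:2], demo("' OR '1'='1")[:2])
```

With the logging in place, the statement that actually reached the database for the tampered name reads `WHERE name = '' OR '1'='1'`, which is exactly the artifact that is lost when no SQL exchanges are recorded.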
Early on, cybercriminals would use SQL injection to access privileged records or perhaps to dump all the
records stored in a database. Modern SQL injection attacks are evolving into veritable weapons for
destructive purposes. Weaponized SQL injection attacks install malware on the inside of the
organization. The SQL injection attack is often merely the initial salvo in a far more complex multi-vector
attack chain.
Once they’ve breached your systems, the attackers attempt to move between servers with escalated
privileges. They also make outbound connections to export the data they’ve taken. The attacker may
also continue to corrupt the database to inflict further damage and finally crash the database
completely in a database denial-of-service (DbDoS) attack. Records that have been corrupted over a very
long period of time make data recovery a daunting task. A psychological blow has also been inflicted on
the organization: can they even trust the integrity of their data any longer? The point is that this chain
reaction was initiated through an initial SQL injection attack. A Barclays analysis estimates that 97% of
data breaches worldwide are still due to SQL injection somewhere along the line.
13 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide