SQL injection attacks are in decline – or are they?

17 March 2010

IBM's X-Force 2009 Trend and Risk report claims to show an 11% fall in discovered vulnerabilities compared to 2008, including a decline in the largest categories, such as SQL injections and ActiveX.

According to the IBM X-Force report, SQL injection had its period as the flavour of the month: it was exploited so widely that few in the industry were left who did not know what it was.

And, says the company, now that awareness has saturated the industry, more websites are defending against the problem.
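The defence that this awareness was supposed to drive is, at its core, a change from building query text out of user input to binding that input as parameters. The example below is added here to illustrate that point; it is not code from the article, IBM or Imperva. It builds a small in-memory SQLite table with constructed sample users and runs the same login check written both ways against the classic tautology payload, so the difference between the two is visible on real query results rather than described in the abstract.

```python
import sqlite3

# Constructed sample data for this example only (not from the article).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The application-specific pattern that a count of product and framework
    vulnerabilities never sees: untrusted input concatenated into the SQL text,
    so a quote character in the input rewrites the query's structure."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same lookup with bound parameters: the driver ships the values separately
    from the statement, so input can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions with a legitimate login and with a tautology payload.

    The payload closes the username string, ORs in an always-true condition and
    comments out the password comparison (SQLite treats '--' as a line comment).
    """
    conn = make_db()
    payload = "' OR '1'='1' -- "
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_hardened": login_hardened(conn, "alice", "s3cret"),
        "inject_vulnerable": login_vulnerable(conn, payload, "anything"),
        "inject_hardened": login_hardened(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version returns the first user in the table for the injected input, which is a successful bypass; the parameterised version returns nothing, because the payload is compared literally as a username. Shulman's later point about custom applications is exactly this kind of code: it lives in individual web sites, not in any product a vulnerability database tracks, so no disclosure count rises or falls when it is written.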

Interestingly, however, the IBM report found a significant increase in attacks using code obfuscation, often launched using automated exploit toolkits, to hide from IT security software.

You'd expect a reported fall in SQL injection and allied vulnerabilities to be welcomed by the industry, but data security specialist Imperva has cast doubt on the findings.

Amichai Shulman, the company's chief technology officer, said that the report is misleading because it counts only publicly disclosed vulnerabilities. "IBM only counts vulnerabilities in commercial products and frameworks. While there might be a decline in the number of SQL injection vulnerabilities in products and frameworks, it is not necessarily indicative of the number of application-specific vulnerabilities", he said.

"Also, whilst the percentage of SQL injection vulnerabilities among total vulnerabilities may decline, their overall absolute number is still on the rise as more vulnerable applications are put online", he added.

Shulman pointed to a recent Cenzic report showing SQL injection on the rise, a finding he regards as the correct picture because the Cenzic study tracked SQL injection in custom applications, which the IBM X-Force report does not count.

This, he said, is a much better indicator and confirms what Imperva has been seeing with its own forensic investigations.

Shulman added that the IBM report could send the wrong message to the industry, since SQL injection remains the first choice of cybercriminals when it comes to data theft.

"Any hint that such attacks are on the decline could give the wrong impression that SQL injection attacks are on the decline. The reality is that, in fact, enterprises need to be extremely vigilant and do everything they can do to stop hackers' favorite method of attack", he said.

This article is featured in:
Internet and Network Security • IT Forensics
