Comment: Securing Data from the Threat of SQL Injection

"One of the biggest problems with SQL injection attacks is that many developers are simply not aware of how to combat this threat", says McAfee's Markovich
"One of the biggest problems with SQL injection attacks is that many developers are simply not aware of how to combat this threat", says McAfee's Markovich

We now live in a data-driven world, where information is the core of business systems. Just last year, analyst firm IDC predicted that we would consume 1.8 zettabytes of information each year, and the amount of information being processed by businesses continues to grow.

Naturally enough, this trend is concerning to some consumers, and the onus is increasingly falling on businesses and public sector organizations to ensure that the data they store is completely secure. Initiatives such as the midata project, part of the Consumer Empowerment Strategy in the UK, will allow people to view, access and use their personal and transactional data in a way that is portable and safe. With consumers expected to demand further transparency and security in the future when it comes to sensitive personal data, most businesses will be expected to follow suit.

So What’s the Problem?

Even a cursory glance at news headlines shows that data is not always successfully protected. With very public breaches making front-page news, the common thread has been targeting the customer data held by affected organizations. It is clear that databases, and therefore data, are still subject to various attacks – from both internal and external sources – leaving the biggest database vendors struggling to fix the numerous new vulnerabilities discovered every year.

SQL injection was first described in the mid-1990s and is still considered the most critical web application security risk; the Open Web Application Security Project (OWASP) Top 10 list notes SQL injection as the most abused technique for data-targeting attacks. Just this year, Neira Jones, head of payment security for Barclaycard, highlighted that 97% of data breaches worldwide incorporate a SQL injection somewhere in the attack. It’s not just stand-alone websites that are vulnerable to SQL-injection. Even professional web applications and platforms are at risk, and weaknesses can be successfully exploited multiple times for different attacks, making it an incredibly popular method for hackers.

In the majority of cases, SQL injections are simply used to steal data. However, in 2011 we witnessed the impact broad-scale SQL injection attacks could have on the security world when it was discovered that LizaMoon had compromised thousands of websites. In this instance, the visitors of compromised websites were the primary victims. Nevertheless, the loss of reputation also impacted businesses and became a significant issue for large firms trusted to process lots of customer information in a safe and secure manner.

Data Security

Over the last year, we have witnessed the data security world become the most volatile of information technology domains. Every new attack technique causes a reaction from security companies, which then invest in new technologies and products. And every new security technique causes the cybercriminal to puzzle over how to bypass the technology.

This approach does not generally apply to SQL injection, because an attacker requires only a primitive knowledge of SQL to be successful. Alternatively, those who don’t want to get involved in the technical details can choose from free, automated, commercial SQL injection tools. These tools are very effective at scanning large numbers of web pages but become a dangerous weapon in the hands of script users, who can carry out attacks with little technical knowledge.

This current situation is discouraging; the cybercriminal does not generally need to innovate because well-tested SQL injection techniques work flawlessly in most cases.

The Next Generation

One of the biggest problems with SQL injection attacks is that many developers are simply not aware of how to combat this threat. Yet, in the majority of cases, vulnerabilities can be prevented by introducing secure code development standards, and developers should start using parameterized statements as a secure alternative to commonly used dynamic SQL, which is the essence of every SQL injection.

In addition, proper input validation is a common security problem. It is abused not only in all manner of injections, but also by many other exploits (for example, buffer overflows). Several other mechanisms are available to improve security or minimize the consequences of SQL injection attacks.

No Cause for Despair

In spite of the advantages attackers enjoy, this is far from a lost cause. In the majority of attacks, attackers look for low-hanging fruit, so the more obstacles that are placed in their way, the lower the chance that a system will be hacked.

To introduce security obstacles, organizations must focus on creating an effective defense in depth strategy. Adopting secure development concepts and setting database configurations form a foundation for protecting information. These approaches should be considered in tandem with specific solutions, which may include regular audits to understand the security posture of the database. The implementation of a dedicated vulnerability manager for databases is also another option.

Additionally, activity monitoring should be utilized to detect and terminate unauthorized or malicious behavior. Another technique to consider, for maintaining the availability of content, is virtual patching, which protects the database from the latest database security threats without the disruption of downtime. These techniques not only provide protection, but also can support compliance activities against a multitude of regulations.

With such an approach, the continued growth of data storage can be managed without putting user data at unnecessary risk.

Slavik Markovich is chief technology officer for Database Security at McAfee EMEA and has over 20 years of experience in infrastructure, security and software development. Slavik was previously the CTO and co-founder of Sentrigo, a database security software company that was acquired by McAfee in April 2011.

What’s Hot on Infosecurity Magazine?