BreachExchange mailing list archives

SQL: The Hack Attack You'll Never See Coming


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Apr 2014 18:46:31 -0600

http://www.inc.com/jeremy-quittner/sql-attacks-on-the-rise.html

You may not have the slightest idea what an SQL injection attack is, but
that's okay, you're in good company.

It turns out that SQL injection attacks are one of the most common hack
attacks businesses of all sizes face, but a lot of small business owners
don't really know what they are.

And like your peers, you're probably woefully unprepared to meet the
challenge SQL attacks represent, according to Ponemon Institute, the
information, privacy and security research firm, which released a report
about the gravity of the threat on Wednesday.

Ponemon surveyed 595 IT professionals at businesses of all sizes, ranging
from less than 1,000 employees to more than 75,000 people. Twenty percent
of the survey sample had fewer than 1,000 employees.

It turns out 65 percent of businesses had experienced at least one SQL
attack in the previous 12 months, according to the report, and half of all
businesses identified such attacks as a significant threat.

"Organizations believe they struggle with SQL injection vulnerabilities,"
Larry Ponemon, founder and chairman of Ponemon Institute, said in a press
release, but their issues are complex.

Defining an SQL Attack

SQL is shorthand for "structured query language," the language used to read
and update relational databases, which hold the structured employee records,
financial information, or manufacturing data of practically any business.

An SQL injection attack typically comes in through a customer facing Web
application. Where the application pastes what a visitor typed into a form
or URL straight into a database query, an attacker can type SQL instead of
data and change what the query does. The database cannot tell the two apart,
so it runs the attacker's query: returning records it would never have
shown, or altering and deleting them.
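The following is an added example, not code from the Inc.com article or the Ponemon report. It builds a constructed in-memory SQLite login table (the table, accounts and passwords are assumptions for the demonstration) and runs the same two classic payloads against a login check that concatenates user input into the query and against one that passes the values as parameters:

```python
import sqlite3

def build_db():
    """Constructed in-memory sample: a users table of the kind a customer-facing
    login form queries (assumption for the example, not data from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """The coding hole: form input is pasted into the SQL text, so a quote in
    the input ends the string early and the rest becomes part of the query."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the driver passes the
    values separately, so a quote in the input is just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    conn = build_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1', true for every row
    comment = "alice' --"       # closes the string and comments out the password check
    return {
        # Vulnerable: every account comes back without a valid password
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        # Vulnerable: logs in as alice with any password at all
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        # The same payloads against the parameterised query match nothing
        "safe_tautology": login_safe(conn, "nobody", tautology),
        "safe_comment": login_safe(conn, comment, "wrong"),
        # Real credentials still work through the safe version
        "safe_legit": login_safe(conn, "bob", "hunter2"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The point of the pair is that the fix is not input filtering: the safe version never edits the user's input at all, it simply stops mixing that input with the query text.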

A Growing Problem

SQL attacks are on the rise. Forty percent of respondents said SQL attacks
were increasing, yet nearly two thirds said they either had no knowledge at
all or were not familiar with the techniques criminals use to launch them.
Those techniques do not need to get past a firewall: the malicious input
arrives through the same Web form or URL the application exposes to every
legitimate user.

Despite the escalating problems, about a third of respondents said their IT
personnel lack the knowledge and expertise to quickly detect and rid
themselves of such an attack. More than a third said they also lacked the
necessary tools and technology to quickly detect an SQL injection attack.

While 44 percent of respondents said they use outside professionals to test
their Web applications for security threats, only 35 percent said they
tested for SQL injection specifically. Meanwhile, about half of all
companies either don't check for such threats at all, or only do so on an
irregular basis.

How to Prepare

Fortunately, there are some things you can do:

- Run security tests on any third-party software you use, especially if it
is Web-facing.
- Consider installing behavioral analysis tools that examine all database
queries for irregularities that stand out from the normal operation of your
business.
- If you don't have an IT professional on staff, bring one in from outside
to test your Web applications and network for vulnerabilities.
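As an added illustration of the second recommendation (not code from the article, and not any vendor's product), the block below shows the simplest form of behavioral analysis on database queries: reduce each query to its shape by replacing literals with placeholders, learn the set of shapes the application normally issues, and flag anything that does not match. The "normal" and "suspect" query logs are constructed for the example:

```python
import re

# Constructed sample of legitimate application queries (assumption: what a
# learning period of clean traffic looks like; not real logs).
NORMAL_QUERIES = [
    "SELECT username, role FROM users WHERE username = 'alice' AND password = 'correct horse'",
    "SELECT username, role FROM users WHERE username = 'bob' AND password = 'hunter2'",
    "SELECT id, total FROM orders WHERE customer_id = 42",
    "SELECT id, total FROM orders WHERE customer_id = 7",
    "UPDATE users SET last_login = '2014-04-17' WHERE username = 'bob'",
]

# Constructed queries as they would reach the database after injection,
# plus one legitimate query that only differs in its value.
SUSPECT_QUERIES = [
    "SELECT username, role FROM users WHERE username = 'x' AND password = '' OR '1'='1'",
    "SELECT username, role FROM users WHERE username = 'admin' --' AND password = 'x'",
    "SELECT id, total FROM orders WHERE customer_id = 42 UNION SELECT username, password FROM users",
    "SELECT id, total FROM orders WHERE customer_id = 99",
]

STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")   # 'text', with '' as an escaped quote
NUMBER = re.compile(r"\b\d+\b")                  # bare numeric literals
LINE_COMMENT = re.compile(r"--.*$")              # simplification: ignores -- inside strings

def shape(query):
    """Reduce a query to its structural skeleton: trailing -- comments are
    dropped (the database ignores them too), literals become '?', whitespace
    is collapsed and the text is case-folded."""
    q = LINE_COMMENT.sub("", query)
    q = STRING_LITERAL.sub("?", q)
    q = NUMBER.sub("?", q)
    return re.sub(r"\s+", " ", q).strip().upper()

def learn_baseline(queries):
    """Set of query shapes seen during the learning period."""
    return {shape(q) for q in queries}

def flag_anomalies(baseline, queries):
    """Queries whose shape never appeared in the baseline. Injection changes
    the structure of a query, not just its values, so it always lands here;
    a new customer id or password does not."""
    return [q for q in queries if shape(q) not in baseline]

def demo():
    return flag_anomalies(learn_baseline(NORMAL_QUERIES), SUSPECT_QUERIES)

if __name__ == "__main__":
    for q in demo():
        print("ANOMALY:", q, "->", shape(q))
```

Two caveats a practitioner should keep in mind: the baseline must be learned from traffic you know is clean, or an ongoing attack gets whitelisted, and this kind of monitoring only tells you an injection happened. It is a complement to fixing the application, not a substitute for it.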
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
