Security vendor Imperva recently released its latest Hacker Intelligence Initiative report that details the problems associated with the growing presence of SQL injection attacks. As written in the company’s blog post, “SQL injection is the most pernicious vulnerability in human computer history.”
SQL injection attacks are nothing to sneeze at, and Imperva reported that they have accounted for 83 percent of successful hacking-related data breaches since 2005. According to statistics from Privacyrights.org, such hacking resulted in serious losses during that time period. “There were 312,437,487 data records lost due to hacking with about 262 million records from various breaches including TJMax, RockYou and Heartland, all of which were SQL injection attacks,” noted Imperva’s blog post.
For its report, Imperva monitored a collection of 30 different web applications over the last nine months. The vendor found that, on average, web applications typically experience 71 attempted SQL injection attacks per hour. That number is disconcerting on its own, but it is nothing compared to the study’s finding that web applications can experience as many as 1,300 unique hourly injection attempts during peak attack times. Imperva also noted a 34 percent increase in daily SQL injection attacks against web applications over the last nine months. The existence of vulnerabilities in applications, combined with various automated penetration testing tools, has helped make such attacks appealing to hackers.
The increased presence of SQL injection attacks is definitely something to keep an eye on. While such attacks do present dangers to businesses, there are some steps that can be taken to keep SQL injection attacks from happening, as presented in a recent InformationWeek article. Here they are:
Collectively Identify and Blacklist Notoriously Malicious Hosts
It’s certainly no easy task to keep abreast of all the sources of SQL injection attacks due to the sheer numbers involved. Still, the top offenders are highly noticeable. According to Imperva’s study, there were 3,845 observed SQL injection attacks since July. The study found that the top three hosts were responsible for 23 percent of the attacks, and the top ten hosts accounted for 41 percent of the attacks.
With so few hosts responsible for so many attacks, the practice of simply blacklisting notoriously malicious hosts adds a significant layer of protection for businesses. Communities that share security information can help with the creation and deployment of such a blacklist to help others identify and block the most active attackers in a quick and efficient manner. It is important to keep the blacklist updated constantly to reflect any new hosts that are deemed to be problematic, since new threats can pop up in little to no time at all. The need for quick updating is reflected by Imperva’s findings, which noted that five of the top 10 hosts executed 2,000 attacks within a period of one to seven days, and 30 hosts launched over 100 attacks within a two-day period.
Practice Data Encryption
Data should always be encrypted, and storing it in plain text format is a huge no-no. The method of salting and hashing passwords and other sensitive information is recommended to limit a hacker’s power if an attack occurs.
Keep Database Access at a Minimum
Minimizing database access is another step to employ when attempting to reduce the likelihood of a SQL injection attack. Web applications should never be given administrator level access to a database. A web application should only be given access to the minimal amount of data it actually needs. Restricting the accessible data minimizes a business’ exposure in the event of an attack.
Detect Injection Attacks Properly
It is essential to keep a profile of how web applications normally behave in ideal conditions. Doing so allows you to easily identify abnormal behavior that could signify an attack. A couple of examples of unusual behavior include when an application exhibits the use of rare inputs or if it is trying to perform an abnormally large number of database lookups.
In addition, Imperva recommends normalizing inspected inputs. Doing so helps to prevent evasion attempts. Attacks that are in progress can be detected by comparing the normalized inputs to a database of inputs that are known to be bad.
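As an added illustration of the normalize-then-compare approach (example code written for this post, not Imperva’s product logic), the function below canonicalizes an inspected input by repeatedly URL-decoding it, stripping SQL comments, collapsing whitespace and lower-casing, and only then checks it against a small constructed list of known-bad fragments, so that double-encoded or comment-padded variants match the same signature as the plain form.

```python
import re
from urllib.parse import unquote_plus

# Constructed stand-in for a real known-bad input database. Every entry
# is already in canonical (normalized) form so comparison is a plain substring test.
KNOWN_BAD = (
    "' or 1=1",
    "union select",
    "; drop table",
)

def normalize(raw: str, max_rounds: int = 3) -> str:
    """Canonicalize an input before comparing it with known-bad entries.

    Repeated URL-decoding defeats double encoding; comment removal defeats
    comment-as-whitespace padding; whitespace collapse and lower-casing
    remove trivial case and spacing variations.
    """
    s = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:          # fixed point reached: nothing left to decode
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s)             # /* inline */ comments
    s = re.sub(r"--.*?$", " ", s, flags=re.M)    # -- line comments
    s = re.sub(r"\s+", " ", s)                   # collapse runs of whitespace
    return s.strip().lower()

def matches_known_bad(raw: str):
    """Return the known-bad fragment found in the normalized input, or None."""
    norm = normalize(raw)
    for signature in KNOWN_BAD:
        if signature in norm:
            return signature
    return None
```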
Identify the Usage of Automated Tools
Imperva acknowledged the fact that many SQL injection attacks occur through the use of automated tools. Luckily, there are various ways to detect the use of such tools. The enforcement of valid client response to challenges is one method of automated tool detection, and rate-based policies are effective as well.
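The rate-based policy mentioned above, as an added example that is not part of the original article: a sliding-window counter per client host over a constructed access-log excerpt, flagging any host that exceeds a request threshold inside the window (the kind of host that would also be a candidate for the shared blacklist discussed earlier). Log format, threshold and addresses are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_log():
    """Build a constructed log: '<ISO timestamp> <client host> <path>' per line."""
    base = datetime(2011, 9, 1, 10, 0, 0)
    lines = []
    for i in range(30):  # scripted client: one request per second for 30 seconds
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 /item?id={i}")
    for i in range(5):   # human-paced client: one request every two minutes
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 /item?id={i}")
    return lines

def parse_line(line):
    ts, host, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, path

def rate_offenders(lines, window_s=60, threshold=20):
    """Return {host: peak_count} for hosts that exceed `threshold` requests
    within any `window_s`-second sliding window."""
    windows = defaultdict(deque)   # host -> timestamps inside the current window
    peaks = {}
    for line in sorted(lines, key=lambda l: l.split(" ", 1)[0]):
        ts, host, _ = parse_line(line)
        q = windows[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop expired entries
            q.popleft()
        if len(q) > threshold:
            peaks[host] = max(peaks.get(host, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(rate_offenders(constructed_log()))
```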
All Input is Evil
Yes, it may sound harsh, but Microsoft truly believes in the mantra that “All input is evil” and that user input should never be trusted. When exercising proper web application security, it is important that developers never use unvalidated user input in a database query.
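To make the “never use unvalidated input in a query” rule concrete, here is an added example (not code from the article or from Microsoft) using Python’s built-in sqlite3 and a constructed in-memory users table: the string-concatenated lookup beside its parameterized counterpart, plus an allow-list check for the one case a bound parameter cannot cover, a column name.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"name", "email"}   # assumed allow-list for this demo

def make_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable form: the untrusted value is spliced into the SQL text,
    # so quote characters in it change the query's structure.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened form: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def list_users(conn, sort_by):
    # Identifiers cannot be bound as parameters, so validate against an allow-list.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    return conn.execute(f"SELECT name, email FROM users ORDER BY {sort_by}").fetchall()

def demo():
    """Return (rows from unsafe lookup, rows from safe lookup) for the same tampered input."""
    conn = make_db()
    tampered = "x' OR '1'='1"
    return len(lookup_unsafe(conn, tampered)), len(lookup_safe(conn, tampered))
```

With the same tampered value, the concatenated query returns every user while the parameterized one returns none.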