SQL injection attacks have been around for more than ten years, and security professionals are more than capable of protecting against them; yet 97 percent of data breaches worldwide are still due to an SQL injection somewhere along the line, according to Neira Jones, head of payment security for Barclaycard.
Speaking at the Infosecurity Europe Press Conference in London last week, Jones said that hackers are taking advantage of businesses with inadequate and often outdated information security practices. Citing the most recent figures from the National Fraud Authority, she said that identity fraud costs the UK more than £2.7 billion (US$4.7 billion) every year, and affects more than 1.8 million people.
"Data breaches have become a statistical certainty," said Jones. "If you look at what the public individual is concerned about, protecting personal information is actually at the same level in the scale of public social concerns as preventing crime."
SQL injection is a code injection technique that exploits a security vulnerability in a website's software. Arbitrary data is inserted into a string of code that is eventually executed by a database. The result is that the attacker can execute arbitrary SQL queries or commands on the backend database server through the web application.
In October 2011, for example, attackers planted malicious JavaScript on Microsoft's ASP.Net platform. This caused the visitor's browser to load an iframe with one of two remote sites. From there, the iframe attempted to plant malware on the visitor's PC via a number of browser drive-by exploits.
Avoidable Attacks
Microsoft has been offering ASP.Net programmers information on how to protect against SQL injection attacks since at least 2005. However, the attack still managed to affect around 180,000 pages.
Jones said that, with the number of interconnected devices on the planet set to exceed the number of humans by 2015, cybercrime and data protection need to take higher priority on the board's agenda. In order for this to happen, however, the Chief Information Security Officer (CISO) needs to assess the level of risk within their organization, and take one step at a time.
"I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in heaven, because APTs are not the problem," said Jones. "I'm not saying that they're not real, but let's fix the basics first. Are organizations completely certain they're not vulnerable to SQL injections? And have they coded their web application securely?"
Generally it takes between 6 and 8 months for an organization to find out it has been breached, Jones added. However, by understanding their risk profile and taking simple proactive measures, such as threat scenario modelling, companies could prevent 87 percent of attacks.
By Sophie Curtis, Techworld.com