The OWASP Foundation, the Open Web Application Security Project, publishes a widely watched list of application vulnerabilities. The most prevalent and dangerous type of web application attack is an injection attack, and the single most likely injection attack is a SQL injection attack.
A SQL injection attack consists of the insertion (or injection) of deliberately constructed malicious SQL into an input field of a poorly written web application, which then passes it on to the database. A successful SQL injection attack may read sensitive data, modify that data or even delete data from the database. It may also inject administrative commands into the database, such as dropping tables or indices, or removing security constraints. This can have a devastating effect if targeted at your crown jewels, your critical databases.
The obvious course of action is to fix the code; however, for many legacy systems this is impractical for a variety of reasons, such as developers moving on, lack of documentation for legacy systems, or just an inability or unwillingness to touch a running system.
Part of the decision-making process is assessing how much it will cost. If there is no clear and present danger, should a company just put off the remediation and allocate its resources to functional improvements in its application? It's easy to make the wrong decision.
As an example of the damage that data exfiltration may have on a company, consider Heartland Payment Systems. They were breached with a SQL injection attack in 2009 (with subsequent impact on over 160 banks and 250,000 merchants). The cost to Heartland, by Heartland's own estimate, was $12.6 million. Admittedly, this is an older example; however, it is one of the few that has resulted in a criminal conviction for the perpetrators, with the public disclosure that accompanies such a conviction.
It is estimated that there are many more SQL injection attacks that go unreported, and even more that go undetected. Companies have no incentive to report the breaches given the adverse reputational damage (and in many jurisdictions, no mandate to report), and many just don’t have the capabilities to detect an attack. Ignorance is bliss. Unfortunately the reputational damage from a long-standing breach is far greater than if hackers just penetrated once, as the implication is that the company is incompetent.
So why is it so difficult to remediate? The argument goes that if it is still working, then don’t touch it. This lack of urgency makes it easy to just “kick the can down the road” with respect to database security. It’s easy to ignore and hard to fix.
One approach we recommend is to deploy Database Activity Monitoring (DAM), such as with DB Networks. With DAM, no changes are needed to the application: SQL injection attacks are detected by sniffing the network with an engine that has a deep understanding of database protocols, can detect these attacks in real time, and can alert Security Operations to an attack in progress.
Where should a company concentrate its resources: fixing the application or deploying DAM? Our recommendation at Hararei is to do both. The application needs to be fixed; however, in the short term, DAM may be deployed to catch attacks that may already be happening.
DB Networks is an agentless solution that will protect and/or satisfy audit/compliance requirements for all your databases. It is a completely non-intrusive solution for all your databases, including the undocumented ones.
With DB Networks, you will be able to quickly identify databases, enforce standards, and highlight security vulnerabilities.
Hararei is a certified DB Networks channel partner. With DB Networks, in addition to intercepting SQL injection attacks, you can also map out all interactions with the database(s) and understand who is talking to them. This also helps with containing database sprawl. Hararei can offer a free service where we install DB Networks for one month, collect data, analyze it, and provide feedback on your databases.
DB Networks can help protect your crown jewels, your critical databases. Contact us for a no obligation consultation.