Protecting your business from malicious SQL injections

What is a SQL injection?

An SQL injection is carried out when an attacker detects a vulnerability in the target web application and then interferes with the queries the web application sends to its database.

SQL injection enables the attacker to view data that is normally inaccessible to them, for example the data of other users. The purpose behind the attack is usually to steal, delete or modify data, or to gain administrative control over the targeted system.

In some instances, the SQL injection attack can be extended to a denial-of-service attack or to further compromise the underlying server.  

The SQL injection mode of attack is typically regarded by experts in the cybersecurity field as one of the least sophisticated methods. Once an attacker chooses their target website, they will use an automated program to execute their attack. All that needs to be done on the attacker's part is to input the URL of the target site, and the program will show the attacker the stolen data sets. Protecting your business against SQL injection is less difficult than protecting it against other kinds of malware.

Despite this, SQL injections are a common method of attack. The Ponemon Institute reported in a 2014 study that 65% of surveyed businesses had become victims of an SQL injection, and 49% of the respondents believed that SQL injections were a significant threat to the security of their company. Small to medium sized businesses that lack cybersecurity awareness are frequently targeted.

How is a SQL injection carried out?

SQL (structured query language) is one of the methods used for managing online databases. These databases can hold information such as prices and stock. When a user wishes to access this information, an SQL query retrieves that data for them. These databases may also contain sensitive data such as usernames, passwords, payment methods and other important details, especially if a user has allowed their browser to remember these details.

A SQL injection is when a threat actor enters a malicious command into the search field, login field or URL of the targeted website to gain unauthorized access to the sensitive and valuable data stored by the website.

The threat actor can exploit the query function in such a way that an online shopper requesting information on a product can result in their payment details being sent to the threat actor. If the threat actor remains undetected, they will continue to steal data from every customer, including the owner, leading to a huge data breach.

The threat actor may then decide to sell the stolen data on the dark web or use it to cause further damage by infecting their victims with various destructive types of malware such as ransomware, adware, cryptojackers and trojans. The threat actor may also decide to craft detailed phishing scams to steal more money from their targets.

Stolen logins could be used to send spam messages and steal more logins from additional sites. An example of this is a hack that occurred on LinkedIn, where users were spammed with messages that contained malicious URLs or fake Google Docs login pages used to harvest Google usernames and passwords.

Preventing an SQL attack

Although it is a less sophisticated method of cyber-attack, the potential damage that an SQL injection can cause should not be underestimated.

As reported by IBM, the average cost of a data breach rose from $3.86 million to $4.24 million, the highest recorded in 17 years. The LinkedIn data breach cost the networking site $1.25 million (£928,475), agreed to in a court settlement. Small to medium businesses may be expected to pay approximately $148 (£110.05) for each stolen client record.

The following steps will help guard your system against SQL injections: 

  • Regularly update the software – The software used to manage your business's database needs to be updated as soon as the latest version is available. This will patch detected vulnerabilities, helping to prevent a data breach from occurring.
  • Administer the principle of least privilege (PoLP) – This means that each account is given only the level of access it needs to do its job.
  • Use prepared statements – Instead of the usual SQL method of building queries from user input, adopting prepared statements limits the chance of a legitimate SQL query being hijacked by a malicious SQL injection.
  • Employ experienced developers – SQL injections tend to be successful on websites that are not coded properly.

How Securiwiser can help 

An SQL injection is successfully executed when an attacker detects a vulnerability in the targeted web application. A highly effective defence is to perform regular scans of your software to find and fix underlying vulnerabilities before criminals exploit them.

Clients who join Securiwiser receive daily scans that alert businesses and independent users to the exact underlying weaknesses found, together with advice on how to handle the issues in the most cost-effective and time-saving manner.