SQL injection: the oldest hack in the book
By Dr. Bill Curtis, Chief Scientist, CAST
The latest reports suggest the highly publicised ‘Panama Papers’ data leak was the result of a hacking technique known as SQL injection. With 11.5 million files being leaked, the Mossack Fonseca breach exceeds even the 1.7 million files leaked by the infamous Edward Snowden. Once more, another high profile company has fallen victim to this common technique. Mossack Fonseca’s lawyers aren’t the first to get their pants pulled down by this trick. They are simply the latest in a long line of victims.
SQL injection has been used by cyber-criminals since the late 90’s. So it begs the question – why is ‘The oldest hack in the book’ still causing companies big problems? There are plenty of ways hackers can break in, but SQL injection remains among the easiest because, despite its age, hackers know there are persisting weaknesses they can exploit.
What is SQL injection?
When a user enters information into a system that uses Structured Query Language (SQL), the system should vet it to make sure that it does not contain malicious input that can be turned into a SQL command. If the system has not been explicitly programmed to vet the inputs, then a hacker can enter a string of characters that will be translated into a SQL command which can instruct the underlying database to return some of its contents such as financial records, credit card numbers, or other confidential information.
Vulnerability to SQL injection is why many systems do not allow users to enter certain characters that would be used in a SQL command. Considering how long we have known about the SQL injection weakness and how often it is exploited, why wasn’t it eliminated from systems years ago?
The continuing issue of SQL injection
Despite the numerous hacks that have been linked to SQL injection, too many IT departments have yet to clean up security holes in their applications. From the 130 million customer payment card details that were stolen at Heartland Payment Systems a few years ago, to 40 million customer records being breached at Target Stores, to the recent breaches at UK’s TalkTalk, and Panama’s Mossack Fonseca, the initial penetration into a system too often begins through a SQL injection vulnerability. Clearly, there is a severe lack of diligence in making systems secure.
IT organisations mobilized a massive attack on the turn of the century (Y2K) that threatened to bollix many computer systems at midnight on New Year’s Eve Year 2000. Why aren’t we attacking security weaknesses such as SQL injection with similar urgency to prevent this unending flood of breaches? With some of these breaches costing over $100,000,000, the financial justification should be clear. At Target, not only was the CIO fired, the CEO was released as well.
How businesses can protect themselves
Fixing the SQL injection issue is simple yet complex at the same time. New automated testing and measurement tools have come to market, removing the need to tediously go through each line of code manually. However, it is still a requirement to go through each system individually, and in today’s modern business environment that is no easy task. The main goal for companies embarking on this measurement process is to continually assess their systems for security and other IT risks before entering new code into production and exposing it to users.
At the crux of the issue is implementing the proper assurance processes and tools. Without automated analysis technologies, a thorough analysis of code cannot be performed at the scale of modern multi-tier applications. Without a system-level analysis of their applications, IT departments are unable to identify potential entry points where cyber-attacks can begin. Fortunately, static analysis and penetration testing technologies have improved dramatically over the past decade and enable businesses to address their security risks before hackers discover opportunities for SQL injection.
What will it take to change?
CIOs face increasing pressure to do more with less as budgets tighten. At the same time businesses are demanding more functionality, and application quality is sacrificed in the trade-off. To increase focus on software trustworthiness and dependability, CIOs must elevate IT security and risk management to the business level, making it a boardroom issue. Only when other C-level stakeholders buy in can the necessary effort be budgeted.