enterprisesecuritymag

Defining SQL Injection and Risk to your Organization

By Monya Demirjian, Corporate Director of Fraud, MGM Resorts International

Monya Demirjian, Corporate Director of Fraud, MGM Resorts International

How much does the public know about SQL and what it stands for, let alone how attackers are using this programing language to inject into a company’s database in order to take your personal information? The misconceptions are vast, but the idea and functionality are quite easy once you understand the language. SQL stands for Structured Query Language and has multiple functions within the computing world. The capabilities within this language are important and will help when discussing threats of injection. Most analysts use SQL to execute queries to retrieve data within the system(s) for gaining company statistics on performance; however, this language can also write, change tables, set permissions and much more.

"A few basic methods of prevention are to secure your coding software by always adhering to proper coding standards, completing security updates, using correct database roles, encrypting sensitive information, hardening the database and completing database integrity checks"

Most companies utilize developers and cybersecurity professionals whose focus and responsibility are to code applications to assist business needs. If the user’s programming is poor and/or user input in queries is accepted, there is a higher risk of exposure to a SQL injection attack. What is SQL Injection (SQLI)? SQLI occurs when characters in input are not properly escaped to account for other SQL commands. If an application is vulnerable to SQLI, the attacker has free reign to be completely destructive in a database.

Although the largest percentage of SQLI attacks are mostly present in website attacks, typically through the username and password function, poor coding for a program or software may also leave a business open to an SQLI attack. Typically, SQLI vulnerabilities are created when a programmer fails to validate user input. By perpetrating an SQLI attack, the objectives of the attacker are to inject SQL commands and influence the query to gain access and control to extract sensitive and proprietary data usually for malicious use or for ransom.

SQLI is used to gain access to company information through vulnerabilities within the coding to penetrate database servers with the intent to then spread across different fields of data to eventually be able to gain view and modify access. If not monitored correctly or secured and encrypted, an injection may also give a path to system administrator rights causing full control of the company network. Once the attacker has operating system control, they can remove or block access and infect the rest of the network, crippling an organization. The question then becomes, how much is your company’s data worth? How much will your company lose each hour or day they are not in business? For some companies, there is no price tag that could account for their proprietary and confidential information lost or the ramifications of negative publicity leading to the trust lost by your consumers. 

Every year companies spend thousands of dollars protecting their IT structure against attackers who will utilize every avenue to gain access to your systems and data. Not only can your company’s information collected by the attackers be sold in the dark web, but database information can also be held hostage and potentially returned for a hefty price using Bitcoin or another cryptocurrency. So how do we maintain SQLI hygiene? A few basic methods of prevention are to secure your coding software by always adhering to proper coding standards, completing security updates, using correct database roles, encrypting sensitive information, hardening the database and completing database integrity checks. Since the realization of these types of attacks, there are additional resources used online, that completes an injection which can then be used to identify the vulnerabilities and risks of your application in a controlled setting.

Read Also

Leveraging Technology and Consumer Education to Reduce Fraud Risk

Leveraging Technology and Consumer Education to Reduce Fraud Risk

Jason Castillo, Head of Enterprise Fraud Management at Citizens Bank
Healthcare Digitization - Easier and More Secure

Healthcare Digitization - Easier and More Secure

Brian Lancaster, Vice President-Information Technology, Nebraska Medical Center
You Want to Do What With your Data?

You Want to Do What With your Data?

Andrew Sohn, SVP - Global Digital and Analytics Srvcs, Crawford & Company
Tactical Decisions in Fighting Cyberattacks must be based on a Security Framework

Tactical Decisions in Fighting Cyberattacks must be based on a Security Framework

Mike Benjamin, Senior Director of Threat Intelligence, CenturyLink

Weekly Brief