SQL injection attacks have been in the news lately given two recent highly publicized attacks against security vendors.  According to a recent IBM report, SQL injection attacks increased 30X between this past summer and the end of 2008 and resulted in a 50 percent increase in the number of malicious URLs hosting exploits. The report concludes that SQL injection has played a large part in Web applications becoming the Achilles' heel of corporate IT security.  Historically, SQL injection has been treated mostly as a data-disclosure risk: an attacker reads records the application never intended to expose.  It is important to recognize that SQL injection today has evolved into the preferred method used by attackers to breach popular websites and either insert malware into the pages they serve or redirect visitors to malware-laden sites.

While they would be expected to have the necessary security measures in place, we are again reminded that software vendors of any kind are an attractive target for the hacking community.  Security software vendor websites are perhaps even more attractive because their users extend them a level of implied trust that an attacker can exploit from a social engineering perspective. Simply put, users of security software sites typically don't think twice before downloading and installing software or patches from a security vendor's website.

Breaching a software vendor’s network may very well be the ultimate prize for a mischievous hacker. The malicious possibilities offer a rewarding bounty:

  • Gain competitive information, such as weaknesses exposed in internal bug lists, to sell on the black market
  • Steal intellectual property and sell it to competitors
  • Redirect purchasers to a fake shopping cart and then steal credit card data
  • Redirect purchasers to download a Trojaned version of the product
  • Create a bogus patch or update and direct users to download it, installing malware buried within the patch instead
  • Create fake postings to force negative or positive stock movements and cash in on insider trading

While we don't know the specifics of the network security defenses of the recently attacked vendors, this is a not-so-subtle reminder that today's protective measures need to go deep and must be layered to be effective in the current threat environment. While the available information on these breaches points only to the possible disclosure of sensitive information, we must consider that SQL injection attacks have become commonly associated with the introduction of malware into popular websites.

From an enterprise server/Internet facing server perspective:

  • While SQL-driven websites have become the norm, unauthenticated and casual visitors should have as little access as possible to backend databases, to limit your overall threat envelope. Separating and fully isolating Web content from product and client data is a necessary consideration in the current environment: a query injected through a public page can only reach the tables that page's database account can see.
  • Vulnerability management is a necessary first step in minimizing the damage of a SQL injection attack, both by limiting the authority the attacker can obtain and by reducing their ability to escalate privilege through underlying application and platform vulnerabilities.
  • Application control whitelisting has become necessary on Internet-facing Web servers. An attacker who has gained unauthorized access will typically download and execute tools from their own kit to expand control over the Web server and penetrate deeper into the network hosting it; whitelisting prevents those unauthorized applications from running at all.
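To make the injection mechanism from the opening paragraph and the isolation point above concrete, here is an added example (not code from the original post or from any vendor discussed in it). It uses SQLite in-memory databases as a stand-in for a real backend; the product and customer tables, the data in them, and the attacker string are all constructed for the demonstration. The "content-only" database stands in for what a real deployment would do with a separate database account that has no grant on the customer tables.

```python
import sqlite3

# Constructed sample data (not from the original post): a product catalog the
# public website legitimately queries, and a customer table it should never touch.
PRODUCTS = [("AntiVirus Pro", "9.99"), ("Firewall Suite", "29.99")]
CUSTOMERS = [("alice@example.com", "4111111111111111"),
             ("bob@example.com", "5500000000000004")]


def build_shared_db():
    """One database holding both Web content and client data: the risky layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products  (name TEXT, price TEXT);
        CREATE TABLE customers (email TEXT, card_number TEXT);
    """)
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def build_content_only_db():
    """A database the Web tier can reach that contains nothing but Web content.
    (Stand-in for a DB account with no grant on client data.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_product_vulnerable(conn, name):
    """Builds the query by string concatenation: the classic injectable pattern."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_product_safe(conn, name):
    """Same lookup with a bound parameter; the input is data, never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the string literal, appends a UNION that
# pulls card numbers from a different table, then comments out the trailing quote.
INJECTION = "x' UNION SELECT email, card_number FROM customers --"


def demo():
    """Returns (rows leaked by the vulnerable query on the shared DB,
    rows returned by the parameterized query for the same input,
    whether table isolation alone stopped the vulnerable query)."""
    shared = build_shared_db()
    leaked = lookup_product_vulnerable(shared, INJECTION)
    safe = lookup_product_safe(shared, INJECTION)

    isolated = build_content_only_db()
    try:
        lookup_product_vulnerable(isolated, INJECTION)
        isolation_held = False
    except sqlite3.OperationalError:
        # "no such table: customers": the injected SELECT has nothing to reach,
        # even though the query itself is still injectable.
        isolation_held = True
    return leaked, safe, isolation_held


if __name__ == "__main__":
    leaked, safe, isolation_held = demo()
    print("vulnerable query on shared DB leaked:", leaked)
    print("parameterized query on shared DB returned:", safe)
    print("vulnerable query on content-only DB blocked:", isolation_held)
```

Running it shows both layers of the argument: parameterization stops the injection outright, and isolation limits the blast radius of an injection that slips through. Neither replaces the other; the parameterized query still returns legitimate products, and the isolated database still fails loudly on the attacker's input rather than leaking.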

From an enterprise client perspective:

  • The time is long overdue to recognize that the implicit trust we had become accustomed to placing in known and popular websites is gone
  • Any website today can become a victim and inadvertently give up sensitive data, or quickly be used as a pawn in the distribution of web-borne malware
  • An important step in mitigating your risk is vulnerability management: keep your browser and browser add-ons patched and up to date with the most secure versions of vendor software. Less than 1 percent of web-borne malware takes advantage of a vulnerability that was patched less than 30 days before an incident, and the vast majority use exploits for which vendor patches had been available for up to a year.
  • Application control whitelisting can play an important role in preventing a potentially malicious, unauthorized application downloaded from a compromised Web server from running on any PC in your environment. Further, the toolkit normally downloaded to a compromised PC to expand the attacker's reach can be stopped in its tracks.
  • Policy management is a necessary additional layer of defense: it can dramatically reduce a hacker's ability to reach beyond the authority granted to a typical user account and limits the damage that can be done even after a successful compromise of a client machine's Web browser.