SQL Injection Risks
Security impact of SQL injection and risk associated to vulnerable systems
Understanding the risks of SQL injections is non negligible for anyone who might be concerned by this security issue. Whether you are a business decision maker, a developer or a system administrator, you need to be aware of the possible consequences of those attacks and realize how frequent they are used in the real world.
Since a few years, SQL injection has become the most frequent method to attack systems and steal information. For a hacker, it represents an effective way to compromise data layers even if firewalls and intrusion detection systems are in place. Once control has been taken over the database, data is easily accessible and the attacker has an excellent position to attack other systems, clients and users related to the database.
Many studies have been made around security breaches and SQL injection attacks come among the most popular year after year. According to the 2011 data breach investigations report produced by Verizon Business, SQL injection attacks were responsible of nearly 25% of all compromised records. It is obvious that this is a major security issue and it must not be taken lightly, but its consequences are frequently overlooked since those attacked are misunderstood.
As this vulnerability’s popularity was growing in the last years, techniques used to gain privileges also did. Recently, attackers have been using this kind of attacks as a way to infect database servers with malware and easily redistribute it.
How Far It Can Go
SQL injection attacks will habitually allow the intruder to view data contained in the database and modify its content. However, data confidentiality and integrity is not the only concern when considering this security issue. In fact, the hacker could gain much more privileges over the database. In some cases, he could even end up acting as a system administrator of the database server. Articles about operating system control (available soon) demonstrate how it is possible to gain a total control over a database server from a simple SQL injection vulnerability.
In order to fully understand the impact a SQL injection attack might have on a business, you need to evaluate the value of the data that can be compromised.
Publicly disclosed attacks habitually involve large amount of stolen customer’s credit card numbers. This translates as an affected public image of the company and it will result in noticeable profit loss. But attacks are often more vicious and it requires further analysis to understand their real impact. Let’s take for example a competitor is attacking your business in order to steal your clients. What is the impact on your business if your client list gets stolen and this competitor tries to get you out of business by targeting special offers to your clients? What about suppliers, marketing strategies, new products specifications? What about your employees’ personal information that could be used against them or against your business in order to gain even more power over your organization?
As discussed earlier, the attacker could also gain control over the entire database server. The database being a trusted element in most networks, it could be an excellent spot for the hacker to launch other attacks across the network. As you can imagine, things can quickly degenerate from there if network security is not solid.
The goal of this section is not to make you paranoid about your database security. Forewarned is forearmed and it is important to realize that this security threat must not be taken lightly. It is essential that you secure software code (available soon) and database system (available soon) to avoid disaster in case of attack. For more information about securing against SQL injection, take a look at the defense section.