What is SQL Injection and How Can It Be Prevented?
SQL injection attacks are some of the oldest and simplest hacks out there, yet they still pose serious threats to enterprise networks. Here’s how CIOs can safeguard their data against SQL injection.
In 2008, Heartland Payment Systems suffered a data breach that affected 650 financial services companies, compromised 160 million credit card numbers, and resulted in damages totalling over $300 million. One year later, one of NASA’s websites was breached, and the organization lost the credentials of 25 administrator accounts. Just two years after that, hackers breached Sony Pictures’ websites and accessed the unencrypted personal information of over 1 million people.
These events represent three of the most high-profile cyberattacks of the past 15 years, and alarmingly, each breach was linked back to the same hacking technique: SQL injection (SQLi). SQLi is a fairly simple hack that dates all the way back to 1998. Unfortunately, being an old and simple method doesn’t make SQLi any less effective. Between 2003 and 2011, the Common Vulnerabilities and Exposures dictionary linked 3,260 vulnerabilities back to SQLi attacks, and as of 2017, SQLi accounts for over half of all data hacks.
SQL injection attacks are an easy-to-use attack vector and often don’t require sophisticated technical skills to carry out. As a matter of fact, SQLi is so simple — and so effective — that some hackers are building automated attack botnets that use SQLi automation as a means to breach databases more quickly.
Despite the frequency of enterprise SQLi attacks and the continuous attempts to raise awareness, these attacks continue to wreak havoc. To better defend against SQL injection, it’s important to understand what it is, and how it works.
What is a SQL Injection Attack?
SQL — short for Structured Query Language — is the most commonly utilized database language. If a database is designed to store data, SQL can be thought of as the language used to query the data to and from the database. Since SQL is so commonly used, exploiting its language can in theory offer an adversary control over the data held by most websites, applications, and programs.
Traditionally, SQL queries are used to execute database commands like data requests, updates, and record removal. When an application requests user data in an entry field — for example, a user portal on a website — there is an opportunity for a threat actor to insert malicious code into that entry field in place of user data. If the code entered resembles SQL, the database may mistakenly interpret the malicious code as a real query. As a result, sensitive data such as passwords, credit card details, and medical records can be easily exfiltrated.
This straightforward technique works so frequently in part because many websites and portals fail to take them seriously. Often, these tools are simply built to carry out basic functions, and will not have the ability to differentiate between instructions and user data.
The good news is that SQLi is the low-hanging fruit of digital hacks — because it’s so simple to carry out, it’s also easy to defend against. This is part of what makes the continued success of SQLi so alarming. In spite of how simple it is to prevent, enterprises still fail to do so.
Four Ways to Defend Against SQL Injection
For those concerned that their organization might be vulnerable to an SQLi attack, rest assured that all it takes to keep your network secure is a little bit of IT due diligence. The following are four best practices that all IT departments can implement to better protect their networks.
1. Keep Credentials Isolated and Encrypted
When planning for where to store database credentials, it’s important for IT teams to consider how much damage can be caused if authentication details fall into a threat actor’s hands. It’s advisable to keep all important database credentials in an isolated, encrypted file so that even in the event of a database breach, attackers won’t be able to access useful login credentials.
2. Patch Vulnerabilities
With better patch management, CIOs can more effectively identify SQL vulnerabilities in their applications and databases. As such, it's advisable for IT teams to make it standard procedure to apply patches and updates as soon as they are made available. Although a patch management solution might be expensive, it can be significantly less costly than a data breach.
3. Use Prepared Statements
Using prepared statements — a feature commonly utilized alongside SQL to execute the same or similar database statements with better security — is one of the best ways to prevent SQL injection attacks. Prepared statements are simple to write and easier to understand than most dynamic SQL queries. More importantly, they are resilient against SQL injection because the values used by prepared statements are transmitted in a different protocol that is harder for hackers to mimic.
4. Install a Web Application Firewall (WAF)
Finally, organizations should consider installing a WAF to help filter out malicious data and keep databases secure. A WAF is deployed to protect a specific web application from malicious attacks, most commonly cross-site scripting and SQL injection. A high quality firewall is especially helpful for defending against new SQL vulnerabilities before patches are made available to IT teams.
SQLi-Proofing Your Network
As the world becomes increasingly digital, more data will be generated and stored across websites, applications, and software. We can only expect that SQL injections will continue to be a popular hack-of-choice due to their simplicity, and CIOs must be prepared to defend their databases accordingly. Luckily, organizations and their CIOs don’t need to do this alone.
With nearly thirty years of experience managing and securing state-of-the-art networks, we at Turn-key Technologies, Inc. (TTI) are well-versed on the ins and outs of all things cybersecurity. By working with TTI, CIOs can ensure their valuable data is adequately secured against all cybersecurity threats - from SQL injection attacks to botnets and beyond.