DATA DETECTIVES

SQL Injection Attacks Are Rampant: How to Stop Your Next Hack Attack

The latest security report from Ponemon Institute says an SQL attack is your biggest enemy, and most businesses don't know what one is.

Listen up people, we've said it before, but we'll say it again: you need to do more to protect your businesses against hack attacks. In particular, structured query language (SQL) threats that take over your databases with malicious code are the chief threat du jour, and they can inflict a mortal blow to your business.  

Yet most business owners are woefully ignorant and unprepared to ward off these security threats and others, according to the latest report from the privacy and information research firm Ponemon Institute.

So, let's talk some terms and tell you what you can do about the problem.

First off, what is an SQL injection attack?

SQL is shorthand for "structured query language," the language used to search and update relational databases, which are typically used by any business that keeps structured employee records, financial information, or information relevant to manufacturing.

An SQL injection attack typically occurs through a consumer-facing software application, where hackers exploit coding holes in how the application builds its database queries and insert their own SQL commands into those queries. Intruders can then use those commands to query the database and find valuable information.
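To make the "coding hole" concrete, here is an added example (not from the article or the Ponemon report) that contrasts a query built by pasting user input into the SQL text with the same lookup written as a parameterized query; the customer table and its rows are constructed sample data.

```python
import sqlite3

# Constructed in-memory sample table standing in for a consumer-facing
# application's back-end database (sample data, not from the article).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1234"),
        (2, "bob@example.com", "5678"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # The coding hole: user-supplied text is pasted into the SQL statement,
    # so the text becomes part of the query instead of staying plain data.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # The fix: the statement is fixed in advance and the driver passes the
    # value separately, so whatever the user typed is only compared as a string.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo():
    conn = build_db()
    normal = "alice@example.com"
    # A classic tautology input: it turns the WHERE clause into "always true"
    # when concatenated, but is just a non-matching string when parameterized.
    crafted = "nobody@example.com' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),   # 1 row
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)), # every row leaks
        "safe_normal": len(lookup_parameterized(conn, normal)),      # 1 row
        "safe_crafted": len(lookup_parameterized(conn, crafted)),    # 0 rows
    }

if __name__ == "__main__":
    print(demo())
```

The same crafted input returns the whole table through the concatenated query and nothing through the parameterized one, which is why "perimeter defenses" alone do not address the problem: the fix lives in the application code.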

Ponemon surveyed 595 information technology and security professionals starting in February about their own organizations and the large hack attacks against retailers Target, Neiman Marcus and Michaels to see if they could ascertain some through lines for you.

Here are some key takeaways:

  • Sixty-five percent of organizations represented in the study had experienced an SQL injection attack that successfully evaded their perimeter defenses in the last 12 months.
  • Almost half of respondents say the SQL injection threat facing their company is very significant, and 42 percent of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals. Less than half of respondents are familiar with the term Web Application Firewalls.
  • Bring Your Own Device, or BYOD, policies make understanding the root causes of an SQL injection threat more difficult. Fifty-six percent of respondents say determining the root causes of SQL injection is becoming more difficult because of employees’ use of personally owned mobile devices in the workplace.

The study urges you not to sit on your hands. IT professionals rank, in this order, the steps you should be taking to secure your networks and your business. Here's the low down:

  • Continuously monitor your database network.
  • Perform advanced database activity monitoring.
  • Use database encryption.
  • Opt for chip and pin technology for payment cards if you can.
  • Prevent data leakage.
  • Educate your IT staff about potential hacker threats. 

Remember, threats to your business can emerge from literally anywhere. The Target break-in, where hackers made off with information on 40 million credit card accounts, allegedly started when the log-in credentials for an HVAC contractor were compromised. Part of what's difficult here is that protecting your business from an attack is a full-time job.

"Target’s IT security systems were able to identify the hackers' suspicious activity multiple times during the attack," Ponemon says in the report. "But unfortunately those alerts were not agreed upon by Target’s IT security staff."


*Data courtesy of Ponemon Institute

Last updated: Jun 10, 2014

JEREMY QUITTNER | Staff Writer, Inc. and Inc.com

Jeremy Quittner is a staff writer for Inc. magazine and Inc.com. He previously covered technology for American Banker and entrepreneurship for BusinessWeek.
