SQL: The Hack Attack You'll Never See Coming
You may not have the slightest idea what an SQL injection attack is, but that's okay, you're in good company.
It turns out that SQL injection attacks are one of the most common hack attacks businesses of all sizes face, but a lot of small business owners don't really know what they are.
And like your peers, you're probably woefully unprepared to meet the challenge SQL attacks represent, according to a report on the gravity of the threat released on Wednesday by Ponemon Institute, an information, privacy and security research firm.
Ponemon surveyed 595 IT professionals at businesses of all sizes, ranging from less than 1,000 employees to more than 75,000 people. Twenty percent of the survey sample had fewer than 1,000 employees.
It turns out 65 percent of businesses had experienced at least one SQL attack in the previous 12 months, according to the report, and half of all businesses identified such attacks as a significant threat.
"Organizations believe they struggle with SQL injection vulnerabilities," Larry Ponemon, founder and chairman of Ponemon Institute, said in a press release, but their issues are complex.
Defining an SQL Attack
SQL is shorthand for "structured query language," the language used to search relational databases, which are typically used by any business with structured employee records, financial information, or information relevant to manufacturing.
An SQL attack typically occurs through a consumer-facing software application, where hackers exploit coding holes that let their own commands slip into the queries the application sends to the database. Intruders can then use those commands to query the database and find valuable information.
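The coding hole described above, and its fix, side by side. This is an added illustration written for this article, not code from the report or from any vendor; it uses Python's built-in sqlite3 module and a constructed in-memory customer table so it runs without any real database. The table name, column names and the sample rows are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "premium"),
    ("bob", "bob@example.com", "basic"),
    ("carol", "carol@example.com", "basic"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The coding hole: user input is pasted straight into the SQL text,
    so the database cannot tell where the data ends and the command begins."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterized query. The SQL text is fixed in advance and the
    input travels separately, so it is only ever treated as a value to compare."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with a constructed hostile
    input, and return how many rows each call hands back."""
    conn = make_db()
    # Constructed hostile input: closes the quoted value and appends a condition
    # that is always true, so the vulnerable query matches every row.
    hostile = "nobody' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_normal": len(lookup_safe(conn, "alice")),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the whole problem in four numbers: the vulnerable lookup returns one row for a real name but every row in the table for the hostile input, while the parameterized lookup returns one row and zero rows respectively, because the hostile text is compared as a literal name that no customer has. Any application that builds SQL by gluing strings together has the first behaviour; switching to parameterized queries is the single change that removes it.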
A Growing Problem
SQL attacks are on the rise. Forty percent of respondents said SQL attacks were increasing, yet nearly two thirds said they either had no knowledge at all of, or were not familiar with, the techniques criminals use to launch the attacks, which bypass the firewall protections that Web applications have built into them.
Despite the escalating problems, about a third of respondents said their IT personnel lack the knowledge and expertise to quickly detect and rid themselves of such an attack. More than a third said they also lacked the necessary tools and technology to quickly detect an SQL injection attack.
While 44 percent of respondents said they use outside professionals to test their Web applications for security threats, only 35 percent said they tested specifically for SQL injection threats. Meanwhile, about half of all companies either don't check for such threats at all or check only on an irregular basis.
How to Prepare
Fortunately, there are some things you can do:
- Run security tests on any third-party software you use, especially if it is Web-facing.
- Consider installing behavioral analysis tools that examine all database queries for irregularities that stand out from the normal operation of your business.
- If you don't have an IT professional on staff, bring one in from outside to test your network for vulnerabilities.
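The second item above, behavioral analysis of database queries, can be reduced to a simple idea: learn the shapes of the queries your application normally issues, then flag any query whose shape has never been seen before. The following is an added example written for this article, not a product or code from the report. It assumes a constructed baseline of normal queries and a constructed query log; the table names, column names and log lines are all made up. The normalizer replaces string and numeric literals with a placeholder so that two lookups for different customers count as the same shape.

```python
import re

# Constructed baseline: query shapes the application issues during normal operation.
NORMAL_QUERIES = [
    "SELECT name, email FROM customers WHERE name = 'alice'",
    "SELECT name, email FROM customers WHERE name = 'bob'",
    "SELECT id, total FROM orders WHERE customer_id = 42",
    "UPDATE customers SET tier = 'premium' WHERE name = 'carol'",
]

# Constructed sample of a later database query log to screen. The last two
# lines are shapes the application never issues on its own.
QUERY_LOG = [
    "SELECT name, email FROM customers WHERE name = 'dave'",
    "SELECT id, total FROM orders WHERE customer_id = 7",
    "SELECT name, email FROM customers WHERE name = 'x' OR '1'='1'",
    "SELECT name, email FROM customers",
]

# Matches a single-quoted string literal (with '' as an escaped quote) or a
# bare number, so both can be replaced by a placeholder.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize(query: str) -> str:
    """Reduce a query to its shape: literals become ?, whitespace is collapsed,
    and case is folded so cosmetic differences do not create new shapes."""
    shape = _LITERAL.sub("?", query)
    return " ".join(shape.split()).lower()


def build_baseline(queries: list) -> set:
    """Collect the set of query shapes seen during normal operation."""
    return {normalize(q) for q in queries}


def flag_unusual(log: list, baseline_queries: list) -> list:
    """Return the raw log entries whose shape is absent from the baseline.
    These are the irregularities a human should look at, not proof of attack."""
    baseline = build_baseline(baseline_queries)
    return [q for q in log if normalize(q) not in baseline]


if __name__ == "__main__":
    for entry in flag_unusual(QUERY_LOG, NORMAL_QUERIES):
        print("unusual query shape:", entry)
```

In the constructed log the two ordinary lookups collapse to shapes already in the baseline and pass silently, while the query with an extra OR condition and the query with no WHERE clause at all are reported. Real tools refine this with frequency thresholds and per-user baselines, but the core check is the same: an application written with fixed, parameterized queries produces a small, stable set of shapes, so anything new deserves attention.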