This week, Imperva's ADC released the latest Hacker Intelligence Initiative Report. Our focus this month was hacker forums.
The purpose of studying hacker forums is simple: learn about the hacking community by studying its chatter. I have to give credit to Ericka from Dark Reading, whose headline best summarized our findings, so I'm borrowing her title: The SQL Injection Disconnection.
Hackers are focusing a lot on this vulnerability for several reasons:
- SQL injection supports a proven, profitable business model: steal data and sell it. For hacktivists, stealing data is a way to damage a company's value; just look at Sony's stock price the day after it was breached on March 15, 2011.
- Many tools exist to automate the attacks. See our earlier blog post on this.
- Security teams continue to rely on IPS, network firewalls and antivirus. None of these inspects the application layer, so to them a SQL injection looks like any other request.
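To make the last point concrete, here is an added example (not code from the report or from Imperva) showing why a network-layer device has nothing to go on: the injected payload is an ordinary form field, and the damage happens only when the application splices it into a query. The table, user records and query shape are constructed for the illustration and are not taken from the page. The vulnerable and parameterized versions are shown side by side so the difference is the only variable.

```python
import sqlite3
import urllib.parse

# Constructed sample data for the demonstration (not from the report).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db():
    """Create an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def wire_form_body(name, password):
    """What the request looks like on the wire: a URL-encoded POST body.

    A firewall or IPS that does not parse the application's query logic sees
    only this string; nothing in it is malformed at the HTTP level.
    """
    return urllib.parse.urlencode({"user": name, "pass": password})


def vulnerable_login(conn, name, password):
    """Classic SQL injection: user input is concatenated into the query text,
    so quote characters and comment markers in the input become SQL."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, name, password):
    """Parameterized query: the same input is bound as data, never parsed
    as SQL, so the payload simply fails to match any user."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = build_db()
    # The attacker's "username" closes the string literal, adds a tautology
    # and comments out the password check with "--".
    payload = "' OR '1'='1' --"
    print("wire:      ", wire_form_body(payload, "anything"))
    print("vulnerable:", vulnerable_login(db, payload, "anything"))
    print("safe:      ", safe_login(db, payload, "anything"))
```

The vulnerable call returns every user (the WHERE clause collapses to `'1'='1'` and the password comparison is commented out), while the parameterized call returns nothing. The encoded request body contains no raw quote or unusual byte, which is exactly why signature-free network controls have no hook to catch it.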
The question is: why does SQL injection continue to be ignored? One security journalist I spoke to was frustrated by constantly writing stories about SQL injection that seemed to have little impact. Why is this? Here are some possible reasons (and feel free to submit your own):
- Security is driven by renewals as Imperva's CEO Shlomo Kramer explained in this Forbes interview, "IT managers at large companies — typically chief information officers (CIOs) — prefer to sign checks for the same, established software to protect their web applications, rather than make the uncomfortable changes necessary. It’s easier to do the former than change how money is spent, which can require all manner of approvals."
- A strong reliance on traditional security technologies (IPS, AV and network firewalls) means many people simply aren't seeing how their applications are being attacked. You can't protect yourself if you don't know what is hitting you.
- Compliance requires older technologies. Many compliance mandates emphasize controls that don't stop SQL injection (PCI is a notable exception).
For more on stopping SQL injections, please visit our extensive blog on the topic.
Our report is available here (no reg required).