Today, on the last day of RSA2013, InformationWeek has published an article that analyzes the security spend of companies vs the problems that they need to tackle. While referencing OWASP Top 10 Threats, they cover some of the more modern vectors of attack, focusing mainly on SQL Injection.
To quote our CTO, Amichai Shulman, “SQL Injection should have died years ago. Sadly, it didn’t.” SQL injection is one of the biggest threats and easiest vectors for an attacker to steal data and compromise an organization. Not only that, it has become industrialized, with tools like Havij, SQLmap and others automating the attack and “dumbing it down” to make the it easier to approach by non-experts.
Today, even in the largest organizations, CIO’s still focus spending on fixing problems from the past: viruses and network threats that used to be acute. What is interesting is that companies did so well in spending in the right place in the past, and putting the right controls around their assets to fix the old problems, that the problem has moved. Hackers are now lurking in new places. It’s a classic example of “win the battle and lose the war.”
Nowdays, hackers are all about data and how to get it for profit. When that is the case, you should always expect them to look for the weakest point in your organization, because easy money is the best kind of money. SQL Injection is an easy way to get data.
What should you I do ?
- Dork yourself, check what SQL Injection really is and what is your threat.
- Check your access control, is your organization dealing with SQL Injection?
- Verify that you evaluate your online assets and applications to make sure that you are safe
- Regularly schedule “clean ups” to remove nasty bits.
- Put proper Web Application security controls such as Web Application Firewalls in place.