You may not know what a SQL injection (SQLi) attack is or how it works, but you have almost certainly heard of its victims. Yahoo, Zappos, Epic Games, TalkTalk, LinkedIn, and Sony Pictures all suffered breaches in which SQL injection was identified as the way in. (Target and Equifax are often named alongside them, but those breaches began with stolen vendor credentials and an unpatched Apache Struts flaw, respectively, not SQL injection.)
A SQLi attack exploits a flaw in how a web application builds its database queries. It lets an attacker read, modify, or delete data, and in some cases take administrative control of the server hosting the database.
How does a SQL injection work?
Developed at IBM in the early 1970s, SQL (Structured Query Language) is the standard language for querying and managing relational databases, and one of the oldest languages still in everyday use. Web applications keep their data in these databases: prices and inventory levels for an online shop, but also usernames and passwords, payment card details, and social security numbers. When a user requests something, the application builds a SQL query and sends it to the database, which returns the matching rows. That query-building step is where SQL injection comes in.
Put simply, a SQL injection happens when an application pastes user input (from a search box, a login form, a URL parameter, a cookie or an HTTP header) directly into the text of a SQL query. An attacker who types a quote mark followed by SQL of their own changes the meaning of the query, and the database runs the attacker's statement with whatever privileges the application's account has.
How do SQL Injections affect my business?
As reported in our Cybercrime Tactics and Techniques report, cyberattacks of all kinds on businesses rose 55% in the second half of 2018, while attacks on individual consumers rose only 4%. The numbers are not surprising: a business with weak security is a soft target holding a trove of data worth millions.
Meanwhile, a business at the center of a data breach can expect to pay out millions. IBM's Cost of a Data Breach study put the average total cost, including remediation and penalties, at $3.86 million. The LinkedIn breach mentioned above cost the business networking site $1.25 million in an out-of-court settlement.
After its breach, Target paid the largest amount on record at the time, $18.5 million, to settle investigations brought by multiple states. That was on top of the $10 million Target paid to settle a class action lawsuit brought by consumers. (Target's breach started with stolen vendor credentials and point-of-sale malware rather than SQL injection, but the bill looks the same whatever the entry point.)
Granted, these were huge breaches affecting millions of consumers. But the same IBM study put the average cost at $148 for each compromised record, so a small or medium-sized business that loses even a few thousand records is looking at a six-figure bill.
The moral of the story? Take your security seriously and avoid being a “Target” for cybercriminals.
How can I protect against SQL injections?
All this hand wringing aside, you are here because you know SQL injection is a serious threat. Now let's do something about it. Here are some tips for protecting your business against SQL injection attacks.
Patch your database software, but understand what patching buys you. No software is bug-free, and database engines are no exception. SQL injection itself, though, is a flaw in the application's code, not in the database engine, so an up-to-date DBMS does not stop the injection. It limits the damage: once an attacker can run SQL of their choosing, every unpatched flaw in the database engine becomes reachable, and that is how a data-theft bug turns into a server takeover. Keep the engine patched so the attacker has nowhere to go next.
Enforce the principle of least privilege (PoLP). PoLP means each account has only the access it needs to do its job and nothing more. A web application account that only needs to read a table should not be able to insert, update, or delete rows in it, and no application should connect as the database administrator. If an injected query does get through, the damage stops at what that account is allowed to see and change.
Use parameterized queries (prepared statements). With dynamic SQL, the query text and the user's input are mixed into one string, so the input can change the structure of the query. A prepared statement fixes the query text up front, with placeholders where the values go, and sends the values separately; the database treats them strictly as data, so a quote mark in a username is just a quote mark and can never start a new clause. Stored procedures give the same protection only if they use parameters internally. A procedure that concatenates its arguments into a string and executes it is just as injectable as the application code would have been. Input validation (allow-listing the characters, types, and lengths you expect) is a useful second layer, not a substitute.
Hire competent, experienced developers. SQLi attacks are usually the result of sloppy coding, and the fix is usually a one-line change per query. Tell your developers up front what you expect as far as security is concerned: parameterized queries everywhere, and code review that flags any SQL built from strings.
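The following is an added example, not code from the original article, that puts the last three tips together. It builds a tiny users table in a throwaway SQLite file (the schema, the account "alice" and its password are constructed for the demo), runs the same login lookup two ways, once with string concatenation and once as a prepared statement, and then shows what least privilege buys by opening a read-only connection and trying to write through it. The function names (login_vulnerable, login_safe, can_write, demo) are this example's own.

```python
"""SQL injection, prepared statements and least privilege in one runnable demo.

Added example for this article, not the article's or any vendor's code.
Uses Python's built-in sqlite3 module and a temporary database file, so it
runs offline. The table contents below are constructed sample data.
"""
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data. The password is stored in plaintext only to keep the
# demo short; real applications store a salted password hash.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    password TEXT NOT NULL,
    role     TEXT NOT NULL
);
INSERT INTO users VALUES ('alice', 'correct horse', 'admin');
"""


def setup_db(path):
    """Create the demo database at `path` using a full-privilege connection."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.commit()
    conn.close()


def open_rw(path):
    """Connection with read and write access (what too many web apps use)."""
    return sqlite3.connect(path)


def open_readonly(path):
    """Least privilege: a connection that can only read.

    SQLite expresses this as a read-only open via a file: URI. On a server DBMS
    you would create a role granted SELECT only and connect as that role.
    """
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: the input becomes part of the SQL text,
    so a quote mark in the input changes the structure of the query."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Prepared statement: the SQL text is fixed and the values travel as
    parameters, so the database never parses them as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def can_write(conn):
    """Return True if this connection may modify data, False if the DBMS refuses.
    The update is rolled back either way so the demo data stays intact."""
    try:
        conn.execute("UPDATE users SET role = 'admin' WHERE username = 'alice'")
        conn.rollback()
        return True
    except sqlite3.OperationalError:
        # SQLite reports "attempt to write a readonly database".
        return False


def demo():
    """Run every scenario and return the results keyed by scenario name."""
    # Classic payload: closes the string literal and appends an always-true
    # condition, so "AND password = '' OR '1'='1'" matches every row.
    payload = "' OR '1'='1"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        setup_db(path)
        rw = open_rw(path)
        ro = open_readonly(path)
        results = {
            "honest_login": login_safe(rw, "alice", "correct horse"),
            "vulnerable_wrong_password": login_vulnerable(rw, "alice", "wrong"),
            "vulnerable_bypassed": login_vulnerable(rw, "nobody", payload),
            "safe_rejects_payload": login_safe(rw, "nobody", payload),
            "rw_can_write": can_write(rw),
            "ro_can_write": can_write(ro),
        }
        rw.close()
        ro.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value!r}")
```

Run it and the concatenated query logs in as alice with a nonexistent username and a payload for a password, while the parameterized query given exactly the same input returns no row. The read-only connection still answers the injected SELECT (least privilege does not stop the read), but it refuses the UPDATE, which is the difference between a leak and a tampered or wiped database.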
What if my personal information was stolen in a data breach? Take a look at our data breach checklist. It walks through cleaning up and staying safe after a breach affects you, whether or not SQL injection was the cause.
Visit OWASP. The Open Web Application Security Project (OWASP) is the leading community resource on web application security, and its SQL Injection Prevention Cheat Sheet covers the defenses above in detail.
And if you just can’t get enough SQL injection in your life, visit the Malwarebytes Labs blog for all the latest happenings in the world of cyberthreats and cybersecurity.