IT security and data protection firm Sophos has produced advice for businesses affected by SQL injection attacks, including how to report incidents to the authorities and the various legal implications within different countries and jurisdictions.
In the UK, for example, a malicious hacker behind a SQL injection attack initially commits the Computer Misuse Act (CMA) offence of "Unauthorised Access" by using SQL injection to facilitate access to a server, and then commits a further CMA offence of "Unauthorised Act with Intent to Impair" if database tables are modified or deleted.
Sophos suggests that businesses take the following steps to protect websites from SQL injection attacks:
- Ensure all data is regularly and adequately backed up
- Enable full, secure logging of the server to be able to analyse and identify future attacks
- Add scripts to catalogue the entire contents of the web folders, in order to highlight unexpected file additions or modifications
- Consider proper security auditing of websites by a suitably accredited penetration testing professional or company
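As an added illustration of the third recommendation (this is example code, not Sophos's or the article's own), the script below catalogues a web folder by SHA-256 hash, stores the baseline as JSON, and reports files added, modified or removed since the baseline was taken. The web root, file names and contents used in demo() are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def catalogue(web_root):
    """Return {relative path: SHA-256 hex digest} for every file under web_root."""
    root = Path(web_root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            entries[path.relative_to(root).as_posix()] = digest
    return entries


def save_baseline(entries, baseline_file):
    """Write the catalogue as JSON. Keep this file outside the web root
    (ideally on another host) so whoever can write to the web folder cannot also edit the baseline."""
    Path(baseline_file).write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def compare(baseline, current):
    """Report files added, modified or removed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny site, then simulate a defaced page and an unexpected file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        baseline_file = Path(tmp) / "baseline.json"   # stored outside htdocs
        save_baseline(catalogue(root), baseline_file)
        (root / "index.html").write_text("<h1>Defaced</h1>")      # modified page
        (root / "new.php").write_text("placeholder")              # unexpected addition
        return compare(load_baseline(baseline_file), catalogue(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the catalogue from a scheduled job and alert on any non-empty "added" or "modified" list that does not match a planned deployment.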
“Following a SQL injection attack companies should archive the contents in the current state, take down the affected website and replace it with a holding page, whilst also restricting secure file transfer and other remote access programmes as well as changing all passwords,” advised Bob Burls, writing on the Sophos Naked Security website. “All server logs that have been gathered before and during the attack should be archived and retained as potential evidence. Once the site has been cleaned and audited, only then should it be brought back online.”
“In general, it's important that all computer crime is reported. Even if no investigation follows, intelligence can be built up and an accurate picture of the levels of computer crime can be produced. If victims of a particular crime do not come forward to report incidents, then statistics will not be an accurate reflection of the number of crimes taking place,” summarised Burls.