Editor's Blog and Industry Comments

The painful injection that strikes the core of business data.

17 January, 2008
ProSecurityZone has improved its web security after joining thousands of other high profile web sites which became victims of SQL injection attacks last weekend.
With improved IT security technology and wider deployment of firewalls, anti-virus software and data protection methods, it is becoming harder for cyber criminals to access the data they want, so they are developing new methods all the time. Hackers have therefore dug deeper into their toolboxes and have come up with an exploit that dates back to the days of the VAX minicomputer. Left dormant since the age of the personal computer, direct access to database resources through applications has now re-emerged as holes are discovered in database application software; this kind of access to databases is known as SQL injection.

This is a particularly dangerous route into company resources, as it makes use of insecure web applications, often developed by webmasters with few resources to build watertight security procedures.

After reporting that 70,000 websites around the world had been hit by such attacks last week, ProSecurityZone similarly fell victim over the weekend. With first class technical expertise on our team and a stringent back-up procedure, we were able to recover quickly without any detriment to our operations.

In the knowledge that this site could be considered something of a target for hackers, we have firewalls and other security measures to prevent such attacks. However, similar to other well-protected sites in the security industry, government and education sectors, the hackers managed to get through.

I subsequently spoke to Ravid Lavinsky, Product Manager at Applicure, a supplier of the web application security product dotDefender, and asked her why our barricades appeared to fall so easily despite the care we'd taken in building them. Her response centred around the need for application protection, something that falls outside the scope of existing Unified Threat Management products and is only partially covered by intrusion detection and prevention systems.

Ravid went on to give some scope to the risks involved. Having taken control of the web application, the hackers have effective control of the database. With Enterprise Resource Planning and CRM applications being increasingly web enabled, this can put the hacker in control of an organisation's critical data.

The hacker's motivation could be as benign as simply making a point or could be malicious with extortion, blackmail, manipulation or financial gain all featuring strongly in the reasons for hacking a database.

Perhaps as worrying is the ability of the hacker to gain entry to the database and simply extract what he wants without the webmaster ever knowing that the database had been compromised. Applicure's freely available monitoring tool, however, will alert the webmaster that the database has been accessed.

Commenting on the ProSecurityZone breach, Lumension Security's EMEA regional Vice President, Alan Bently, highlighted that in light of the constantly changing face of IT threats, any preventive measure that's taken should be backed up by sound policies and procedures.

He went on to explain that in our case, there is a known security vulnerability with the database we use and for which there is no patch available as yet. Given this knowledge, a risk assessment should be made and further security measures taken such as additional software specifically for that vulnerability.

Lumension Security is an advocate of the practice of only allowing transactions and applications which are known to be good to run on your system. With such a list of authorised transactions in place, SQL injection delivered via binary code or scripts would not be allowed to execute, thus affording the right level of protection.

Whether taking the Lumension Security approach of whitelisting authorised transactions or Applicure's approach of using software to trap SQL injections before they hit your database, it is clear that this latest hacking trend has serious implications and needs some form of defence.
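To make the two ideas concrete, here is an added example (not code from ProSecurityZone, Applicure or Lumension) that contrasts a query built by splicing user input into SQL text with a small allow-list of pre-registered, parameterised statements, the only queries the application is permitted to run. The table, sample rows and statement names are constructed for the illustration, and the allow-list is my sketch of the "authorised transactions" idea, not Lumension's product.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database with two users.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn

def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the input becomes part of the SQL text, so it can
    # change the statement's structure instead of acting only as a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def concatenation_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    # True when the database rejects the spliced query, i.e. the input has
    # altered the SQL grammar (a quote in a name is enough to show this).
    try:
        lookup_concatenated(conn, name)
        return False
    except sqlite3.Error:
        return True

# Allow-list of named statements (hypothetical names). Each carries a fixed
# SQL string with '?' placeholders and its expected parameter count, so the
# database parses the SQL once and binds input purely as data.
ALLOWED_STATEMENTS = {
    "user_by_name": ("SELECT name FROM users WHERE name = ?", 1),
    "user_by_id":   ("SELECT name FROM users WHERE id = ?", 1),
}

def run_allowed(conn: sqlite3.Connection, statement_id: str, *params) -> list:
    # Anything not on the list, or called with the wrong arity, is refused
    # before any SQL reaches the database.
    if statement_id not in ALLOWED_STATEMENTS:
        raise PermissionError(f"statement not on the allow-list: {statement_id}")
    sql, arity = ALLOWED_STATEMENTS[statement_id]
    if len(params) != arity:
        raise ValueError(f"{statement_id} expects {arity} parameter(s)")
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    print(concatenation_breaks_on(db, "O'Brien"))          # True
    print(run_allowed(db, "user_by_name", "O'Brien"))      # []
    print(run_allowed(db, "user_by_name", "alice"))        # ['alice']
```

The same apostrophe that breaks the concatenated query is handled as an ordinary value by the bound parameter, which is the property that keeps input from rewriting the statement.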

Making a final comment on the matter, Lumension's Alan Bently told me, "It's a tough job trying to stay ahead of the bad guys but with clear policies and technologies that allow you to understand the risk, and the steps needed to mitigate that risk, you can make their job tough too!!"