This is a six-part introduction to cybersecurity. This fifth part concludes the guide proper; the remaining part, to be published tomorrow, consists of a glossary of key terms.
II – SQL injection attacks:
In this section we will approach SQL injection attacks. SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
1) Definition and Context:
SQL injection is one of the top vulnerabilities of websites. It exploits improper input validation in database queries: malicious SQL statements are inserted into an entry field for execution (for instance to reveal the database contents to the attacker). A successful exploit allows attackers to access, modify or delete information in the database. It lets attackers steal sensitive information stored within the backend databases of affected websites, which may include user credentials, email addresses, personal information and credit card numbers. In addition, it can let an attacker bypass authentication and compromise the affected Web application. Website content generated from a database can thus be manipulated, potentially allowing an attacker to launch further attacks from the compromised website, such as client-side exploits or the distribution of malicious code. SQL injection is one of the most commonly found Web application vulnerabilities.
SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. In 2012, the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.
As an example of a SQL injection attack, consider a normal user login request. A user supplies a username and password, and this SQL query checks to see if the user/password combination is in the database.
The query is of the form:
$query = "SELECT username, password FROM login WHERE username = '$username' AND password = '$password'";
The attacker wants to obtain the administrator's privileges in the database and therefore submits the user name administrator'#. In MySQL the # sign starts a line comment, so the server ignores everything that follows it; the password can therefore be anything. The query then takes the form shown below, where the part after the # (shown with strikethrough in the original figure) is ignored by the server:
$query = "SELECT username, password FROM login WHERE username = 'administrator'# AND password = '$password'";
In this way the attacker logs in with administrator privileges, because the password check has been commented out of the query.
3) Prevention against SQL Injection:
SQL injection can be mitigated by filtering the query to eliminate malicious syntax, which involves using tools in order to:
- (a) scan the source code using, e.g., the Microsoft SQL Source Code Analysis Tool,
- (b) scan the URL using, e.g., Microsoft UrlScan,
- (c) scan the whole site using, e.g., HP Scrawlr, and
- (d) sanitize user input forms through secure programming.
In addition, input fields should be restricted to the minimum length needed, typically 7-12 characters, and all data should be validated; e.g., if a user inputs an age, make sure the input is an integer with at most 3 digits.
One approach sometimes proposed is to sanitize SQL input in the browser, but client-side checks can be bypassed, so the server side must employ sanitization to block these SQL injection tricks. For MySQL in PHP this was traditionally done as follows:
$username = mysql_real_escape_string($username_bad);
mysql_real_escape_string takes a string that is going to be used in a MySQL query and returns the same string with the characters that are special in a MySQL string literal (such as quotes and backslashes) escaped, so that the value cannot terminate the quoted string and alter the query. Note that the mysql_* extension is deprecated and was removed in PHP 7; prepared statements through mysqli or PDO are the current equivalent.
In fact, the most common way of detecting SQL injection attacks is to look for SQL signatures in the incoming HTTP stream, for example SQL keywords such as UNION or SELECT, or names such as xp_. The problem with this approach is its very high rate of false positives: most SQL keywords are legitimate words that can normally appear in the incoming HTTP stream. This will eventually cause the user to disable or ignore any SQL alert reported. To overcome this problem to some extent, the product must learn where it should and should not expect SQL signatures to appear. The ability to isolate parameter values from the entire HTTP request and the ability to handle various encoding scenarios are a must in this case.
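As an added example (not from the original article), the difference between matching SQL signatures anywhere in the raw request and matching them only in decoded parameter values, run over a few constructed request lines; the request lines, the signature lists and the function names are all assumptions made for the illustration:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines standing in for an incoming HTTP stream;
# they are not real traffic. The third carries the page's administrator'# payload.
REQUESTS = [
    "GET /select-plan?tier=union",                              # ordinary words
    "GET /search?q=SELECT%20your%20seat",                       # keyword in plain text
    "GET /login?user=administrator%27%23&pw=x",                 # quote plus comment marker
    "GET /items?id=1%20UNION%20SELECT%20name%20FROM%20users",   # keyword plus SQL syntax
]

# Crude keyword list of the kind the text describes (UNION, SELECT, xp_).
NAIVE_SIGNATURES = re.compile(r"union|select|xp_", re.IGNORECASE)

# Narrower signatures meant for decoded parameter values only: a keyword on its
# own is not enough, it has to occur together with SQL syntax.
VALUE_SIGNATURES = re.compile(
    r"'\s*(?:#|--)|\bunion\s+select\b|\bxp_\w+", re.IGNORECASE)

def naive_flag(request_line):
    # Matches anywhere in the raw request line, paths and plain words included.
    return bool(NAIVE_SIGNATURES.search(request_line))

def parameter_flag(request_line):
    # Isolate the query string, split it into (name, value) pairs (parse_qsl
    # performs the URL decoding), and test each decoded value on its own.
    target = request_line.split(" ", 1)[1]
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if VALUE_SIGNATURES.search(value):
            return True
    return False

def compare(requests):
    # Returns (request, naive verdict, parameter-aware verdict) per request.
    return [(r, naive_flag(r), parameter_flag(r)) for r in requests]

if __name__ == "__main__":
    for line, naive, precise in compare(REQUESTS):
        print(f"naive={naive!s:5} parameter={precise!s:5}  {line}")
```

The first two requests are false positives for the naive check and clean for the parameter-aware one, while the third is missed by the naive keyword list but caught once the value is decoded and inspected.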
- Avoid the use of interpreters when possible. If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs.
- Input validation: use a standard input validation mechanism to validate all input data for length, type, syntax and business rules before accepting the data to be displayed or stored.
- Reject invalid input rather than attempting to sanitize potentially hostile data.
- Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
- Enforce least privilege when connecting to databases and other backend systems.
- Avoid detailed error messages that are useful to an attacker.
- Take care with stored procedures: they are generally safe from SQL injection, but not if they build dynamic SQL internally from their arguments.
- Do not use dynamic query interfaces (such as mysql_query() or similar).
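The page's login query beside its parameterized form, as an added example that is not part of the original article. It uses Python's built-in sqlite3 driver against a constructed in-memory login table; SQLite starts a line comment with -- where MySQL accepts #, so the payload here is administrator'-- rather than administrator'#, and the table contents, function names and the username pattern are assumptions made for the illustration:

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: an in-memory stand-in for the page's "login"
    # table. Passwords are stored in clear only to keep the demonstration short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (username TEXT, password TEXT)")
    db.executemany("INSERT INTO login VALUES (?, ?)",
                   [("administrator", "s3cret"), ("alice", "wonderland")])
    return db

def login_vulnerable(db, username, password):
    # String interpolation, exactly like the page's $query: whatever the user
    # types becomes part of the SQL text the database parses.
    query = ("SELECT username, password FROM login WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return db.execute(query).fetchone()

def login_parameterized(db, username, password):
    # Placeholder markers: the statement text is fixed and the values travel
    # separately, so a quote or comment marker in the input is only data.
    query = ("SELECT username, password FROM login WHERE username = ? "
             "AND password = ?")
    return db.execute(query, (username, password)).fetchone()

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_username(username):
    # Reject rather than sanitize: input that is not a plain identifier of
    # bounded length is refused outright instead of being cleaned up.
    return bool(USERNAME_RE.match(username))

if __name__ == "__main__":
    db = make_db()
    evil = "administrator'--"   # SQLite's -- plays the role of MySQL's #
    print(login_vulnerable(db, evil, "anything"))      # ('administrator', 's3cret')
    print(login_parameterized(db, evil, "anything"))   # None
    print(validate_username(evil))                     # False
```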
5) Possible technology providers:
a) Imperva Secure Sphere Web Application Firewall:
Imperva SecureSphere Web Application Firewall analyzes all user access to business-critical web applications and protects applications and their data from attacks. SecureSphere Web Application Firewall dynamically learns applications’ “normal” behavior and correlates this with the industry’s leading threat intelligence for web applications to deliver superior protection. SecureSphere Web Application Firewall identifies and acts upon dangers maliciously woven into innocent-looking website traffic; traffic that slips right through traditional defenses. This includes application vulnerability attacks such as SQL injection, cross-site scripting and remote file inclusion; business logic attacks such as site scraping and comment spam; and fraudulent activity like account takeover attacks.
Imperva SecureSphere observes the SQL communication and builds a profile consisting of all allowed SQL queries. Whenever an SQL injection attack occurs, SecureSphere can detect the unauthorized query sent to the database. SecureSphere can also correlate anomalies on the SQL stream with anomalies on the HTTP stream to accurately detect SQL injection attacks.
Another important capability that SecureSphere introduces is the ability to monitor a user’s activity over time and to correlate various anomalies generated by the same user. For example, the occurrence of a certain SQL signature in a parameter value might not be enough to alert on a SQL injection attack, but the same signature correlated with error responses, abnormal parameter size or even other signatures may indicate an attempted SQL injection attack.
b) Barracuda Networks:
Barracuda Networks is a leading provider of enterprise-class spam, spyware and instant messaging firewall solutions for comprehensive email protection. Winner of numerous industry honors, its flagship product, the Barracuda Spam & Virus Firewall, provides protection for over 100,000 customers throughout the world. Barracuda Networks’ mission is to provide powerful, enterprise-class solutions that are suitable for the largest of businesses yet have the ease of use and affordability that smaller businesses demand.
The Barracuda Web Application Firewall is a powerful security solution for Web applications and Web sites. The product provides award-winning protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Website.
- Protection against common attacks
- Outbound data theft protection
- Web site cloaking
- Granular policies
- Secure HTTP traffic
- SSL offloading and acceleration
- Load balancing
The product offers every capability needed to deliver, secure and manage enterprise Web applications from a single appliance through an intuitive, real-time user interface.
- Single point of protection for inbound and outbound traffic
- Protect Web sites and Web applications against application layer attacks
- Monitors traffic and provides reports about attackers and attack attempts
Many applications are vulnerable to attacks because application developers do not consistently employ secure coding practices. The Web Site Firewall is designed to combat all attack types that have been categorized as significant threats, including:
- Cross Site Scripting (XSS)
- SQL injection flaws
- OS command injections
- Site reconnaissance
- Session hijacking
- Application denial of service
- Malicious probes/crawlers
- Cookie/session tampering
- Path traversal
- Information leakage
Online Web-based applications are increasingly at risk from professional hackers who target such applications in order to commit data theft or fraud. Being compromised can damage an enterprise’s reputation, result in loss of customers and impact the organization’s bottom line. In addition, companies that transact online are faced with a host of growing industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all enterprise and Web applications handling credit card and account information must undergo an extensive and costly audit of custom application code. The alternative to satisfy PCI DSS compliance is simply installing a Web application firewall.
However, to resolve the security issues of TalkTalk effectively, apart from solutions against DDoS and SQL injection, it is imperative to address the encryption needs first. The proposed solution is to create a Crypto Foundation (an approach that incorporates crypto processing and acceleration, and key and crypto resource storage and management), since the final objective of protection from any cyber attack is to safeguard sensitive data. This is a crucial layer of protection should the attacks occur again, as encryption serves not only as a protective but equally as a dissuasive factor, making a cyber attack almost pointless.
TalkTalk’s critical issue is to securely manage a large amount of sensitive data (personally identifiable information of over 4 million customers, including their bank account details), while being able to process it conveniently on a daily basis.
However, simple encryption, as widely presented in different sources, would not in itself resolve the overall problem, which is to satisfy security needs without compromising daily business-as-usual activities.
Adacom proposes highly customized hybrid solutions to address the encryption needs together with the defences against DDoS, SQL injection and other attacks (as no single solution is best, the security mix will have to be tailor-made to match TalkTalk’s needs exactly, taking all past issues and future needs into account).
ADACOM is a leading IT Security Integrator, a Certification Service Provider and an Enterprise Software Vendor active in Europe and the Middle East.
In brief: the first step would be to identify the data centers, the data flows that travel between them, which data is at rest and which is in motion, and the structured and unstructured data.
The priority would be to encrypt the data throughout, starting with data in transit, as it is in the most vulnerable position: it can easily be tapped by cyber criminals, who can inject controls to override your systems completely.
The fact that there have been 3 security breaches in the last 12 months is a sign of inherent weakness of the system and of its attractiveness to hackers, so further attacks are to be expected. The objective would be not only to know about them when an attack actually occurs and becomes a problem for the company’s reputation and customers’ data safety, but to develop precautionary measures that mitigate such attacks and prevent them from causing damage.
Adacom, by implementing the right mix of the most suitable security solutions, can propose to TalkTalk a holistic approach that will not only resolve the cyber security issues but also become a foundation for confidence-inspiring PR with customers and investors and for communications with the regulator (ICO), so as to minimize losses from clients, a tumbling share price and possible penalties (when 4 million customers’ data is exposed to the risk of identity theft, high penalty risks are inevitable).
Jean Lehmann is an independent consultant, cyber security expert and editor and business ambassador to Hedge Think. He was recently a guest lecturer at INSEEC on Banking Management and the Hedge Fund industry, and is a member of Keiretsu Forum, a global investment community of accredited private equity angel investors, venture capitalists and corporate/institutional investors. Jean has extensive consulting experience leading such projects as the market entry strategies in the Brazilian market of several mid-size to large European financial institutions. Jean has considerable knowledge of the Hedge Fund and Asset Management industry, having developed as a quantitative analyst some of the most sophisticated financial models in the structured finance product market for a leading US Hedge Fund and a German investment bank. He also has particular expertise in the field of Network Security and Cryptography. As a research staff member at IBM Zurich, he developed innovative algorithms for anonymous communication systems. He was also in charge of Brazilian security consulting services for Gemalto and recently completed a CyberSecurity consulting study for a European airline company. Jean holds an MSc in computer science and telecommunication engineering with an emphasis on network security and cryptography from Eurecom/EPFL, a DEA in financial mathematics from HEC School of Management, and an MBA from the INSEAD/Wharton alliance.