In part 2 of the series ‘Growing Cybersecurity Threats,’ we learned about Denial of Service attacks. In continuing Part 3 we shall learn about another form of rising cybersecurity threats – SQL Injections.
You may not know what a SQL Injection attack is, but perhaps have heard of the attacks on Yahoo!, Target, Equifax, LinkedIn, and Talk Talk. All these attacks have occurred due to an SQL Injection attack.
What is an SQL Injection attack?
SQL stands for ‘Structured Query Language’ which is a command in databases software like MS SQL, PL SQL, Oracle, and more. To learn how a SQL Injection attack is performed, here is an example:
| SQL Query – Select * from table_number:
The asterisks (*) return the contents from the contents of a database table. The attacker inserts information in the database to spread vulnerability. An example query used by attacker is – Insert into users(username,userid) values (“iamacybercriminal”, “AB123”); |
9 Tips to Reduce the Risk of SQL Injection Attacks:
1. Release updates and patches regularly
Discovering vulnerabilities is a regular task and cybercriminals can exploit them anytime to launch SQL Injection attacks. By performing updates and patches whenever released, many vulnerabilities can be treated.
2. Avoid constructing queries with user input
To avoid the consequences of an attack during the sanitization process, parameterized queries or prepared statements are best practice. Stored procedures can also be an alternate but are not fully reliable as they lack efficacy in protecting all types of SQL Injection attacks.
3. Use a web application firewall
Web application firewall (WAF) can be used to filter malicious data before releasing a patch. There are certain open source modules freely available that can be used to protect web applications from SQL Injection attacks.
4. Use input validation
Define strings to restrict user data, which is not according to the context. Input validation ensures the sanitization of incorrect characteristics in the database. For example, a column for names should be allowed only alphabetic input, and phone numbers should be allowed only numeric values and must have an exact number count.
5. Remove unwanted functionality
Retaining functionalities that no longer serve the purpose would attract attackers to the application. When a specific functionality is not in use, it is better to remove it rather than leave it to become a gateway for attackers.
6. Use privileges only when needed
Admin-level privileges should not be used unless you have compelling reasons to do so. For example, when on the login page, it should query only the relevant credentials from the database. If a breach occurs, it cannot compromise excess confidential data.
7. Monitor SQL statements continuously
When the SQL statements of the application’s database are monitored continuously, you can locate vulnerabilities quickly before an attacker can exploit them. Instead of manually monitoring, automated tools can be used to analyze the behavior of applications.
8. Error messages should be customized
Error messages usually display much information that would be enough for an attacker to study the database architecture and execute an SQL Injection attack. Customize error messages so that the attacker gets nothing more than an unhandled error.
9. Re-check before going live
A detail-eye on coding before the delivery can remove many vulnerabilities. Ensure that security programmers re-check the code for any flaws, especially in customized applications.
SQL Injection attacks have already targeted big businesses and may continue to grow in the future. The web industry is seeking to hire cybersecurity professionals who can help them defend from this evolving sophisticated cyber attacks type. In the next part of the series, growing cybersecurity threats, we shall learn about ‘Cross-site scripting’ threats. Stay tuned!
To pursue a career in cybersecurity, it is recommended that one must possess a relevant educational background.
EC-Council University (EECU) provides 100% online, flexible time and place, practitioner faculty-led, iLab supported, accredited programs in cybersecurity. The programs will equip graduates with the knowledge to assess the latest IT security risks and expert skills to handle them successfully. The university offers undergraduate and graduate programs. The Bachelor of Science in Cyber Security (BSCS) gives required exposure, builds cybersecurity skills, and develops leadership abilities that help students to grow as a cybersecurity professional. The Master of Science in Cyber Security (MSCS) and graduate certificate programs help students gain expertise in industry-recognized skills and help gain domain knowledge to stand ahead in competitive career advancements. ECCU programs allow for students to sit for EC-Council certifications when courses that cover such topics are taken. Transfer credit for many cybersecurity certifications and past college courses is granted as applicable to programs of study.
ECCU is accredited by Distance Education Accrediting Commission (DEAC) which is a recognized accrediting agency by the U.S. Department of Education and is also an acknowledged member of the Council for Higher Education Accreditation (CHEA).
