SQL is being hammered by bad guys. Why is that, and is there anything that can be done to fix the situation? A recent Ponemon survey about SQL injections and potential solutions are discussed.
SQL has been around since the 1970s, so one would assume all vulnerability bugs in the language have been eliminated. Yet, there are still numerous reports of attackers being able to leverage weaknesses in SQL to consistently breach high-profile companies.
I have been told it is the nature of the beast. Any time people are allowed to access information stored on backend servers, trouble is just a query away. Bad guys use a SQL injection to liberate data from the server hosting the database under attack.
So what exactly is a SQL injection attack?
According to the Ponemon Institute, SQL injection is used to:
"Attack data-driven applications: in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application's software. SQL injection is most commonly known as an attack vector through public-facing websites, but can be used to attack SQL databases in a variety of ways."
Why are SQL injection attacks still prevalent?
The fact that SQL injection attacks were discovered more than 15 years ago by Jeff Forristal and are still successful has many people frustrated. Other vulnerable software applications eventually are fixed, but not SQL. The Open Web Application Security Project (OWASP) offers this explanation:
"SQL Injection attacks are unfortunately very common, and this is due to two factors: the prevalence of SQL Injection vulnerabilities and the attractiveness of the target (databases containing the interesting/critical data for the application)."
The prevalence of vulnerabilities and seeming inability to do anything about it puzzled Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, an independent research organization. Dr. Ponemon decided to do what he does best: research the problem.
With the sponsorship of DB Networks, the Ponemon Institute collected responses from close to 600 IT staff and IT security professionals in an attempt to understand how organizations respond to SQL injection threats and the participants' awareness of how to manage the risk — put simply, why are SQL injection attacks still happening.
From the respondents' survey answers, the Ponemon Institute derived interesting findings that it published in The SQL Injection Threat Study.
Before getting to what Ponemon discovered, I'll share how he set up the survey, especially selecting participants:
"A sampling frame of 16,520 experienced IT and IT security practitioners located in the United States were selected as participants to this survey. Total returns amounted to 701. Screening and reliability checks required the removal of 106 surveys. The final sample consisted of 595 surveys."
The following pie chart (Figure A) provides the breakdown of the final respondents' position in their organizations.
The number of attacked organizations
A conference call was held with Dr. Ponemon and Michael Sabo, vice-president of marketing for DB Networks, to discuss the findings. The extent of the problem surfaced when reviewing the respondents' answers to the following questions:
- In the past 12 months, did your company experience one or more successful SQL injection attacks?
- If yes, how long did it take to detect the attack?
- If yes, how long did it take to contain the attack?
Sixty-five percent of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defenses in the last 12 months. Twenty-one percent, the largest single group, stated it took up to six months to detect the attack, and another twenty-one percent, again the largest group, said it took a month to contain the attack.
Why the high rate of success?
The next set of questions tried to decipher why so many attacks were successful, and why it took so long to detect and contain the attacks:
- How familiar are you with the term weaponized SQL injection attack?
- How often does your company scan for active databases?
- Does your company test and validate third-party software to ensure it is not vulnerable to SQL injection attacks?
Forty-eight percent of the respondents were not familiar with the term weaponized SQL injection attack. As for scanning active databases, twenty-five percent do so at irregular intervals, and twenty-two percent do not scan at all. Fifty-two percent of the respondents do not test or validate third-party software for susceptibility to SQL injection attacks.
Trying to pinpoint weaknesses
Next, the participants were asked to rate the following statements (Figure B).
The question referring to BYOD seemed out of place. To explain, Sabo mentioned that SQL injection attacks via a PC began with the web browser, of which there are only a few versions, and which are relatively easy to secure. With BYOD, by contrast, each application more often than not connects directly to a SQL server, making it almost impossible to safeguard devices and data, and explaining why 56 percent of the respondents are concerned about BYOD.
Like most surveys, The SQL Injection Threat Study provides the information, but not conclusions. Ponemon and Sabo were asked to speculate on the survey report's findings. Both focused on the query as SQL's weak link, and on how difficult it is to ensure that every query does what it is supposed to and nothing more.
Sabo also mentioned that, until recently, it required a high level of expertise to construct a malicious query. Now the internet is flooded with tools that allow inexperienced individuals to obfuscate malicious queries, making it easy to be a bad guy, and even more difficult for SQL security measures to detect malicious queries.
One potential solution
There are solutions available to combat SQL injection: SQL whitelisting, OWASP's prevention cheat sheet, and Web Application Firewalls; however, their effectiveness seems questionable. Sabo mentioned that DB Networks provides a solution based on behavioral analysis. It is a technology that has been successful in other areas of security, but to the best of his knowledge, one not currently offered by any other company attempting to secure SQL:
"The process begins by automatically learning and modeling the application's proper SQL generation behavior. The Core IDS then uses a suite of procedures to independently test and evaluate each SQL statement against the learned behavioral model. Fuzzy logic is applied to determine the overall threat of each SQL statement."
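As an added illustration of the learn-then-evaluate approach the quote describes, here is a small behavioral model that learns the structure of the statements an application legitimately generates and flags any statement whose structure was never observed. This is example code written for this article, not DB Networks' product; the baseline statements, the literal-stripping template function, the unsafe query builder, and the similarity-based threat score are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed baseline: statements the application is known to emit during
# normal operation (hypothetical data, not from the survey or any product).
BASELINE = [
    "SELECT id, name FROM users WHERE email = 'alice@example.com'",
    "SELECT id, name FROM users WHERE email = 'bob@example.com'",
    "SELECT id, total FROM orders WHERE user_id = 42 AND status = 'open'",
    "UPDATE users SET last_login = 1700000000 WHERE id = 42",
]

def template(sql: str) -> str:
    """Reduce a statement to its structure: quoted strings and numbers become
    '?', case and whitespace are folded. A simplification of real SQL lexing."""
    t = sql.strip().lower()
    t = re.sub(r"'(?:[^']|'')*'", "?", t)      # string literals ('' escapes a quote)
    t = re.sub(r"\b\d+(?:\.\d+)?\b", "?", t)   # numeric literals
    return re.sub(r"\s+", " ", t)

def build_lookup_unsafe(email: str) -> str:
    # Vulnerable pattern: input pasted into the statement text, so input that
    # closes the quote changes the structure the database sees. A bound
    # parameter would leave the text fixed at "... WHERE email = ?".
    return "SELECT id, name FROM users WHERE email = '" + email + "'"

class QueryBehaviorModel:
    """Learns the templates an application generates, then scores each new
    statement by how far its structure deviates from the nearest learned one."""
    def __init__(self, baseline):
        self.known = {template(s) for s in baseline}

    def threat(self, sql: str) -> float:
        """0.0 when the structure was seen in learning; grows toward 1.0 as the
        statement shares less structure with anything learned."""
        t = template(sql)
        if t in self.known:
            return 0.0
        best = max(SequenceMatcher(None, t, k).ratio() for k in self.known)
        return round(1.0 - best, 2)

    def verdict(self, sql: str) -> str:
        return "allow" if self.threat(sql) == 0.0 else "alert"

if __name__ == "__main__":
    model = QueryBehaviorModel(BASELINE)
    # Same structure, new data: allowed without the data being in the baseline.
    print(model.verdict(build_lookup_unsafe("carol@example.com")))   # allow
    # Input that escaped its quotes and appended a clause: new structure, alert.
    print(model.verdict(build_lookup_unsafe("' OR 1=1 --")))          # alert
```

Any legitimately new query shape (a new feature, a changed ORM version) will also alert, so the learned set has to be refreshed whenever the application changes, which is the operational cost of this approach.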
Skepticism about solutions is justified based on SQL's past. But Joe McCray, an independent security consultant and veteran pen tester, explained in this YouTube video that DB Networks' answer to SQL injection blocked every attack he tried:
"The way the product works is unique. The real-time monitoring and anomaly-based detection was something I had not seen in this app space. It was able to show all of the attacks I was attempting, even some very sophisticated tricks I use."
Images and quotes courtesy of Ponemon Institute and DB Networks.