Managed IT security services provider SecureWorks announced Tuesday that they have seen a significant rise in the number of attempted SQL injection hacks aimed at some of its financial and utility company clients over the last three months. "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day," said SecureWorks CTO Jon Ramsey. "As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day," said Ramsey.
"The majority of the attacks are coming from overseas," said Ramsey. "And although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack." This is a type of attack where the hacker has targeted a particular organization, versus a worm which spreads indiscriminately.
"The CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, is a prime example of a SQL Injection attack," said Ramsey. A more recent example of a SQL Injection attack occurred last December when Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.
"SQL Injection is successful only when the web application is not sufficiently secured," said Ramsey. "Unfortunately, the majority of websites and web applications are not secure. Thus, we are advising all organizations to use "input validation" for any form to ensure that only the type of input that is expected is accepted."
Additionally, it is important to note that protecting against a SQL Injection attack also requires organizations to not only protect their web applications but also the web server on which the web application is running, the database from which the web application is retrieving information, and the operating systems upon which the web servers, applications and database reside.
"A SQL Injection attack is certainly not a new form of attack or the most sophisticated type of attack; however, as illustrated, it can be quite malicious so we are advising all organizations, with an Internet presence to take their web application security very seriously," concluded Ramsey.