"SQL Injection remains a top security threat, and while the instances may be down in relation to investigated breaches, it continues to be a major problem for SMBs and Enterprises with web applications," says Adrian Lane, analyst for Securosis. "This despite a clear understanding of the problem for over a decade."
This week, database security firm GreenSQL released data from a survey of over 6,000 SMB technology decision-makers that asked respondents to dish on the database security problems that keep them up at night. While just 18 percent of SMB respondents said they were worried about compliance and just under a third were worried about internal threats like malicious insiders, a full 51 percent said SQL injection was a big concern for them. That made the attack method far and away the most-cited concern for those questioned, says David Maman, CTO for GreenSQL.
"To be honest, this was a surprise for us, because all of the big research out there today talks about how SQL injection is declining," he says. "But this is the biggest threat to the SMB community. There's a lot of fear about Anonymous and a lot of fear of exposing customers and exposing sensitive information."
In the face of automated worms seeking SQL injection vulnerabilities and mass SQL injection attacks, many SMBs tend not to have visibility into these attacks or the means to stop them. Often they have no clue they're being besieged, Maman says. He cites one instance in which a new GreenSQL SMB customer came to him wondering whether something was wrong with the software after it reported that his infrastructure was seeing 2,000 SQL injection attempts per day.
After helping the administrator investigate, Maman not only found out that the figure was right, but that one of the IP addresses committing the attacks was within the SMB's own network.
"He told me, 'SEE! This is a false positive, because this is my network IP address,'" Maman says. "I told him, 'Listen, this is a real SQL injection attack.' It turned out that one of his computers was infected with the malware that tried SQL injection on his website."
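As an added example (not code from the article, GreenSQL or Verizon), this is the kind of log check that would have shown the administrator above what his site was actually seeing: it scans constructed web-server access-log lines for coarse SQL injection signatures, counts suspected attempts per source address, and flags any source inside the site's own RFC 1918 ranges. The log lines, the signature set and the internal address 10.0.0.12 are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-log-format lines (not real traffic); 10.0.0.12 stands in
# for the admin's own internal host from the anecdote above.
SAMPLE_LOG = """\
10.0.0.12 - - [12/Aug/2012:10:01:01 +0000] "GET /product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
203.0.113.7 - - [12/Aug/2012:10:01:02 +0000] "GET /product.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
198.51.100.9 - - [12/Aug/2012:10:01:03 +0000] "GET /product.php?id=42 HTTP/1.1" 200 2048
10.0.0.12 - - [12/Aug/2012:10:01:04 +0000] "GET /search.php?q=%27%3B%20DROP%20TABLE%20users%3B-- HTTP/1.1" 200 300
"""

# Source IP and request path from a combined-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Coarse SQLi signatures applied to the URL-decoded path: a visibility aid for a
# site with no WAF, not a substitute for parameterised queries on the server side.
SIGNATURES = {
    "tautology": re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked_query": re.compile(r";\s*(?:drop|delete|insert|update)\b", re.I),
    "comment_trailer": re.compile(r"--|/\*"),
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matched_signatures(path):
    """Names of the signatures that fire on the decoded request path ([] if none)."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def is_internal(ip):
    """True when the source address lies in an RFC 1918 range (i.e. one of our own hosts)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse_log(log_text):
    """Count suspected SQLi requests per source IP and flag internal sources."""
    per_ip = Counter()
    internal_sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and matched_signatures(m["path"]):
            per_ip[m["ip"]] += 1
            if is_internal(m["ip"]):
                internal_sources.add(m["ip"])  # an infected machine on our own LAN, not a false positive
    return {"total": sum(per_ip.values()), "per_ip": per_ip, "internal_sources": internal_sources}
```

Run against a real access log, the internal-source set is the list of machines to pull off the network and scan, rather than entries to whitelist.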
According to Chris Porter, principal for the RISK team at Verizon, the breach investigation statistics Verizon put out recently may rate SQL injection attacks as a lower priority than other attacks, such as those against weak credentials, but it is still something SMBs need to take seriously.
"It is a big problem," he says. "You have seen in our data sets over the last couple of years that SQL injection has been shrinking. Really, that shrinking is in proportion to all the other things that are happening out there."
In regard to SQL injection, he believes one of the biggest factors affecting SMBs is their more frequent use of off-the-shelf ecommerce solutions. He says SMBs tend not to patch this software or configure it securely, making it an easy target for automated attacks to pick off. Even without any sort of database security or web application firewall solution in place, many organizations can reduce their risk surface simply by keeping up on these ecommerce and third-party web app patches.
"I think a lot of small businesses are not really maintaining, and so they fall behind on patches," Porter says. "And what'll happen is sites like that will have a SQL injection vulnerability and the bad guys, usually organized crime, will identify that there's this type of attack and they'll automate this attack or they'll just scan the internet looking for it. And then, they'll inject the script automatically."