SQL injection: how to avoid the same fate as TalkTalk

There’s been no end to the headlines following the TalkTalk cyber breach last month, where the personal details of almost 160,000 customers were stolen.

Although it was surprising that such an attack could have been carried out by hackers as young as 15, or that the breach could cost TalkTalk up to £35 million, the most shocking part was that an SQL injection attack was used: an attack that exploits one of the oldest and best-known types of vulnerability on the web.

Despite having been around for over a decade and regularly featuring on the OWASP Top 10 list (the widely accepted standard for application security), this vulnerability continues to expose enterprises to large-scale breaches and brand damage.

Most notably, last year it was used in a massive cyber attack by a Russian hacker ring, which amassed 1.2 billion username and password combinations and over 500 million email addresses from more than 420,000 separate websites.

Veracode analysed data from its cloud-based application security service containing over 50,000 enterprise applications, which had been scanned at least once between the years 2012 and 2014, and found that just over one in five had at least one SQL injection vulnerability. Imagine if a car thief was practically guaranteed entry into a car if he tried five car doors. That is what it is like for attackers on the web.

This latest attack is the third serious security breach that TalkTalk and its parent company, Carphone Warehouse, have suffered over the past 12 months.

This has led some in the security community to question why sufficient cyber security measures weren’t taken in the wake of the previous attacks, which could have prevented the company from falling victim to such a common attack vector.

Look and you shall find

While most organisations understand that cybercrime is a massive threat, many have yet to understand or act on the limitations of traditional perimeter defences such as network firewalls, IDS/IPS systems and even next-generation firewalls.

Network-layer defences, for example, generally can’t prevent malicious application-layer traffic from targeting web applications. Nor can they distinguish malicious SQL commands from legitimate user input. Therefore, the responsibility falls to organisations to identify these vulnerabilities before they can be exploited.
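To show why a firewall cannot tell malicious SQL from legitimate input, here is an added example (not from the article or from Veracode): the same string is handed to a query built by concatenation and to a parameterised query. The in-memory SQLite table and its three customer rows are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed sample data: three customer rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers (email, phone) VALUES (?, ?)", [
        ("alice@example.com", "01234 000001"),
        ("bob@example.com", "01234 000002"),
        ("carol@example.com", "01234 000003"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # The value is pasted into the SQL text. A network-layer device sees one
    # ordinary request; the database parses whatever SQL the string turns into.
    query = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterised(conn, email):
    # Statement and value travel separately, so the value is only ever
    # compared as data and is never parsed as part of the SQL.
    query = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(query, (email,))]

if __name__ == "__main__":
    conn = make_db()
    legit = "alice@example.com"
    # The textbook tautology input, given identically to both functions.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(conn, legit))        # ['alice@example.com']
    print(lookup_vulnerable(conn, crafted))      # every row in the table leaks
    print(lookup_parameterised(conn, crafted))   # [] : no customer has that email
```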

Finding SQL injection vulnerabilities in applications is now relatively easy with automated assessment solutions, whether via static application security testing (SAST) or dynamic application security testing (DAST).

The biggest challenge in combatting SQLi is knowing where to look for these critical vulnerabilities. The Internet of Things, mobile and cloud have all significantly increased the attack surface for most organisations, often without them realising to what extent.

In fact, Veracode typically finds organisations have 40% more websites than they originally believed they had, each remaining unchecked and the equivalent of leaving the back door wide open.

While the threat of SQLi is real, it’s not insurmountable, and companies looking to reduce their risk should consider the following three tips.

1. The bigger picture

Cyber attackers will look through every nook and cranny of a company’s application infrastructure to find vulnerabilities such as SQLi. Don’t let them beat you to it: gain full visibility of the entire web application perimeter.

Automated, cloud-based assessment solutions can analyse thousands of production websites simultaneously to quickly identify unknown sites outside your corporate IP range (such as cloud-hosted sites).

2. Once is not enough

Once you’ve discovered the full extent of your web perimeter, ad-hoc testing once a year isn’t sufficient. Automated cloud-based solutions can help IT teams maintain secure web perimeters by continuously monitoring the entire web perimeter.

This is important to ensure the organisation remains protected from threats introduced by new or changed applications, or from newly discovered vulnerabilities.

3. Be ruthless

Each ‘forgotten’ or unpatched site that is no longer required significantly adds to a company’s risk. Shutting these sites down is a quick win to reduce your attack surface.

Alternatively, deploying security intelligence from automated application security assessments into web application firewalls (WAFs) can provide ‘virtual patches’ to protect an organisation against the vulnerability until the code itself can be remediated.

No system is impenetrable, no organisation 100% secure. But with the constant evolution of sophisticated cyber attacks, companies need to ensure that they’re getting the basics right.

Not heeding the warning won’t be an excuse a company can offer its customers following a breach, and any company not taking the necessary steps could find itself in the same shoes as TalkTalk – with high costs, a damaged reputation and angry customers.


Sourced from Chris Wysopal, CTO and CISO, Veracode

Ben Rossi
