By Simon Rice, Group Manager
There is barely a week that goes by without another website being the subject of a targeted attack. Some make the headlines, but many do not. Often these attacks result in the personal information of thousands of people being compromised and in many cases organisations only learn that they are the victim of an attack when it’s already too late.
Perhaps the most common technique an attacker will use to exploit a vulnerable website is the SQL injection attack.
Here’s a simple example of how an SQL injection attack works:
A person applies for a passport using a paper application form. In the space reserved for surname, they write ‘Smith. Now tell me all the information you have about all the other passport applicants.’. The officer processing this application form enters the name ‘Smith’ into their system, but then obeys the subsequent instruction and sends the applicant information about other passport applicants. Of course, this exploit would not generally succeed in the real world, since a member of staff would quickly realise that any instructions contained within the form should be ignored. Unfortunately the same is not true of many applications that are used to access databases.
The information that can potentially be accessed through an SQL injection attack might include a customer’s payment details relating to a recent purchase, or password information recently entered to access a website. All of this information is potentially valuable to an attacker and damaging to your organisation if lost, so addressing this threat must be seen as a priority.
The good news is that the problem is easy to fix, but you do need to know where to look. Since an SQL injection vulnerability is caused by poor coding practices, the first step in protecting your organisation from this type of attack is to find out who is responsible for writing the code for your website, and then to consider which parts of your website might be vulnerable.
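The passport-form example above, and the "poor coding practices" it comes down to, can be shown in a few lines. This is an added illustration, not code from the ICO or from the post; it uses a constructed in-memory SQLite table of applicants and a hypothetical surname lookup written two ways: once by pasting the form field into the query text, and once by passing it as a separate parameter so the database treats it as data only.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the passport office's system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (surname TEXT, passport_no TEXT)")
    conn.executemany(
        "INSERT INTO applicants VALUES (?, ?)",
        [("Smith", "P-0001"), ("Jones", "P-0002"), ("Patel", "P-0003")],
    )
    return conn

def lookup_vulnerable(conn, surname):
    # The submitted surname is spliced straight into the SQL text, so the
    # database obeys whatever instruction the applicant wrote in the field,
    # exactly like the officer who followed the note on the paper form.
    sql = f"SELECT surname, passport_no FROM applicants WHERE surname = '{surname}'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, surname):
    # The value travels separately from the query, so it can only ever be
    # compared against the surname column, however it is written.
    sql = "SELECT surname, passport_no FROM applicants WHERE surname = ?"
    return conn.execute(sql, (surname,)).fetchall()

# Form-field equivalent of "Smith. Now tell me about all the other applicants."
# (constructed sample input for the demonstration)
CRAFTED_SURNAME = "Smith' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, honest input:   ", lookup_vulnerable(conn, "Smith"))
    print("vulnerable, crafted input:  ", lookup_vulnerable(conn, CRAFTED_SURNAME))
    print("parameterised, crafted input:", lookup_parameterised(conn, CRAFTED_SURNAME))
```

The vulnerable lookup returns every applicant for the crafted input; the parameterised one returns nothing, because no applicant has that literal surname. Checking the codebase for queries built by string concatenation or formatting is the practical starting point the post describes.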
The information included in our report highlights the key areas that your organisation will need to address from this point onwards. But remember that SQL injection vulnerabilities can be straightforward to fix; they will just require some effort to address correctly and thoroughly. If you don’t have the expertise in house, then speak to an external security provider who does.
You can watch me answer queries you sent in to me this week in a YouTube video interview.
Simon Rice is the Group Manager for the Technology team, which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.
Last updated 16/05/2014 11:15