5 Common Types of Cyber Attacks

Cybersecurity is a crucial aspect of any organization that relies on digital systems and networks. Cyberattacks can cause significant damage to the reputation, operations, and finances of a business, as well as compromise the privacy and security of its customers and employees. Therefore, it is important to understand the different types of cybersecurity attacks, how they are used, and how they can be prevented.

In this blog post, we will discuss 5 common types of cybersecurity attacks that every organization should be aware of and prepared to remediate.

Types of Attacks

1. Malware
Malware is a term that encompasses various types of malicious software, such as viruses, worms, trojans, ransomware, spyware, adware, and more. Malware can infect a computer or device through phishing emails, malicious links, downloads, or removable media. Malware can perform various harmful actions, such as deleting or encrypting data, stealing information, spying on user activity, displaying unwanted ads, or hijacking system resources.

To prevent malware attacks, organizations should use antivirus software and firewalls, update their systems and applications regularly, avoid opening suspicious attachments or links, and educate their employees on how to recognize and avoid phishing emails.


Enterprise Security Tips

Network security is increasingly important. Private and public enterprises have already spent billions of dollars to bolster security over the past several years, yet attackers consistently succeed in evading whatever roadblocks are erected to block their access to sensitive data.

This issue has led many organizations to embrace a simpler approach focused on securing people, processes, and technology. Security functions can't be viewed as a nuisance; they have to be treated as a strategic enabler of new initiatives and a way to make your company more competitive in a global market.

These simple steps might help your company return to basic security techniques.

1. Alerts and Response Documentation

A vast majority of the attacks against enterprises these days are targeted strikes carried out by organized criminal gangs, hacktivists, or nation-state actors. The random attacks of the past have been replaced by serious campaigns that are designed to carefully extract corporate information, acquire intellectual property, disclose trade secrets, and steal financial data. Rather than the old-school smash-and-grab attack, the technique most often used today is more covert and focused: siphoning large quantities of data in small, unnoticeable increments over a lengthy period of time.

With this harder to detect technique comes the need for better detection and response paired with traditional prevention. Augmenting existing log-centric monitoring with network packet capture and endpoint-monitoring technologies will enable security administrators to get a more complete picture of network traffic, allowing detection of hacker activity. Most serious administrators will use identity management, identity governance, and behavioral analytics tools to spot and limit the impact of compromised credentials and identities.

You want to document the process of detection, test that it works, and document the response to each alert.

2. Strong Network Perimeter

Traditional perimeter technologies like firewalls, antivirus tools, and intrusion-detection software still have a place in your modern enterprise security strategy. These tools work by looking for the specific signatures of known viruses and other types of malware and then blocking the malicious programs in near real time. Most compliance requirements outline the expectations around this type of security.

Based on recent breaches at major organizations, we now understand that these signature-based perimeter tools are ineffective against the highly targeted attacks launched by organized and educated malicious hackers. It's important for enterprises to view perimeter-based defenses as just one of the necessary tools of the trade from a strategic and tactical standpoint.

You want to document the perimeter security settings, test that they work, and document the response to each issue or alert that can be generated.

3. Secure Development

Common, well-understood shortcomings like SQL injection errors, cross-site scripting flaws, and broken authentication and session management functions have tripped up numerous organizations. But the recent wave of intrusions at major organizations has really driven home the need for secure code. Vulnerable applications have often provided hackers with relatively easy access to corporate networks and data, so securing them is vital to ensuring data integrity and confidentiality.

For many large organizations, manual code review would be prohibitively expensive. So a viable alternative would be to automate the code-review process by combining static and dynamic program analysis and by making the code analysis process an integral part of application development. Developers and operations teams need to recognize that security must be a shared responsibility and work to integrate controls earlier in the product life cycle.

You want to document the development security requirements, review the requirements periodically, and document the procedures to be followed for all in-scope development efforts.

4. Educate People

People are usually easier to compromise than machines. Many of the biggest attacks in recent years have started with attackers gaining entry into networks using log-in credentials belonging to legitimate users such as employees, business partners, or vendors. Hackers use well-known and effective social engineering techniques, and even phishing emails, to get users to disclose usernames and passwords for accounts with access to a corporate network. The hackers then use that initial foothold to find and access critical enterprise systems and data stores. In most cases the people with access to sensitive data don't feel personally obligated to protect system access, usually because it is seen as an IT function.

You want to provide formal education to all in-scope users, review the training periodically, and document who has gotten the training as part of new hire or required annual re-training.

5. Secure Business Processes

Process and procedure mistakes can compromise corporate security technology. Written policies and procedures, communicated and enforced, can help reduce errors where sensitive data is emailed to vendors, shared on personal hard drives, or uploaded to shared internet drives.

This could also include having third parties and security firms come in periodically to do penetration tests and mock attacks where nothing is off limits. These requirements should probably also be pushed out to all vendors and suppliers, so that they implement the same controls when they have access to your sensitive data.

You want to create and maintain written policies and procedures, review the documentation periodically, and verify the requirements are being followed through testing and training of employees.

SQL Server Injection Tool

There is a tool available for your hacker toolkit called Sqlninja. Sqlninja is written in Perl and should run on any UNIX-based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X
  • iOS

Sqlninja does not run on Windows, and its developers are not planning a port in the near future.

Sqlninja’s behaviour is controlled via the configuration file (default: sqlninja.conf), which tells sqlninja what to attack and how (target host, vulnerable page, exploit strings, …), and some command line options, which tell sqlninja what action to perform. These command line options are the following:

  • -m <attack mode> : specifies the attack mode. Basically, tells sqlninja what to do. Possible values are:
    • test
    • fingerprint
    • bruteforce
    • escalation
    • resurrectxp
    • upload
    • dirshell
    • backscan
    • revshell
    • dnstunnel
    • icmpshell
    • metasploit
    • sqlcmd
    • getdata
  • -v : verbose output
  • -f <configuration file> : specifies a configuration file to use.
  • -p <‘sa’ password> : used in escalation mode to add the current DB user to the sysadmin group, and in other modes to run the query as administrator if the DB user does not belong to that group. This option is rarely used, as bruteforce mode by default adds the DB user to the sysadmin group when the ‘sa’ password is found. For more information about when to use this parameter, refer to the escalation mode.
  • -w <wordlist> : wordlist to use in bruteforce mode
  • -g : combined with upload mode, generate debug script and exit
  • -d <debug mode> : activates debug, to see what is going on under the hood. Possible values are:
    • 1 : print each SQL command that is being injected
    • 2 : print each HTTP request that is sent to the target
    • 3 : print each HTTP response that is received from the target
    • all : all of the above

You can get more information here.

Database Security

As a Database Administrator, you are primarily responsible for the security of your databases. According to technology vendor Application Security, Inc., the following are the top 10 threats related to databases:

  1. Default or weak passwords
  2. SQL injection
  3. Excessive user and group privileges
  4. Unnecessary DBMS features enabled
  5. Broken configuration management
  6. Buffer overflows
  7. Privilege escalation
  8. Denial of service
  9. Un-patched RDBMS
  10. Unencrypted data

Database Security Essentials

According to Application Security, Inc., there are 5 key steps to ensuring database security:

  1. Isolate sensitive databases—maintain an accurate inventory of all databases deployed across the enterprise and identify all sensitive data residing on those databases.
  2. Eliminate vulnerabilities—continually assess, identify and remediate vulnerabilities that expose the database.
  3. Enforce least privileges—identify user entitlements and enforce user access controls and privileges to limit access to only the minimum data required for employees to do their jobs.
  4. Monitor for deviations—implement appropriate policies, and monitor any vulnerabilities that cannot be remediated for any and all activity that deviates from authorized activity.
  5. Respond to suspicious behavior—alert and respond to any abnormal or suspicious behavior in real time to minimize risk of attack.

One study showed that, overall, 22% of the survey groups are classified as leaders at one end of a bell curve, while 20% can be considered laggards at the other. Across the board, leaders exemplify more defense-in-depth security measures and say they are less likely to experience a breach than their laggard counterparts.

Are you monitoring your database security settings? Do you know who can (and can’t) access your data? Have you tested and verified your security settings?

SQL Injection

SQL injection is a type of security exploit in which the attacker adds SQL code to user input to gain access to resources or make unauthorized changes to data. This allows users to insert malicious code into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

While the primary form of SQL injection is the direct insertion of code into user input, as described above, a less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code could be executed.

The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malicious user terminates the injected string with the comment marker "--". Subsequent text is ignored at execution time.

The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:

var sShipCity;
sShipCity = Request.form("ShipCity");   // untrusted text taken straight from the form field
var sql = "select * from OrdersTable where ShipCity = '" + sShipCity + "'";   // concatenated directly into the query text

The user is prompted to enter the name of a city. If they enter Nashville, the query assembled by the script looks similar to the following:

SELECT * FROM OrdersTable WHERE ShipCity = 'Nashville'

However, assume that the malicious user enters the following:

Nashville'; drop table OrdersTable--

In this case, the following query is assembled by the script:

SELECT * FROM OrdersTable WHERE ShipCity = 'Nashville';drop table OrdersTable--'

The semicolon (;) denotes the end of one query and the start of another. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored. If the modified code is syntactically correct, it will be executed by the server. When SQL Server processes this statement, SQL Server will first select all records in OrdersTable where ShipCity is Nashville. Then, SQL Server will drop OrdersTable.

As long as injected SQL code is syntactically correct, tampering cannot be detected programmatically. Therefore, you must validate all user input and carefully review code that executes constructed SQL commands in the server that you are using. You can limit the impact by altering the user permissions of the account used to access the database objects, but that isn’t always reasonable.

Coding best practices suggest you sanitize the user inputs. One way of protecting against SQL injection attacks is to validate user input, checking for special characters, so that they cannot modify the underlying SQL command and therefore cannot cause execution of arbitrary SQL code. If, for example, you are asking the user for the name of a city, there is no need for the user to enter numbers or symbols as part of the provided text, and the programmer can remove those characters as the user types, when the user presses the Enter key, or they can be stripped from the input text before it is passed to the database.
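As an added example that is not part of the original post, here is the same ShipCity lookup built two ways: the post's concatenated string, run against a constructed in-memory sqlite3 table standing in for SQL Server, and the parameterized form in which the city is bound as a value and cannot become SQL. The allowlist check at the end follows the post's own advice about what a city name should contain; the table, rows and regular expression are assumptions made for the example.

```python
import re
import sqlite3

# Added example, not the post's code: the post's concatenated query beside a
# parameterized one. sqlite3 stands in for SQL Server so this runs offline.
INJECTED_INPUT = "Nashville'; drop table OrdersTable--"  # the post's payload
CITY_RE = re.compile(r"[A-Za-z][A-Za-z .-]{0,63}")        # letters, space, . and -

def make_db():
    """Constructed sample data standing in for the post's OrdersTable."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE OrdersTable (OrderID INTEGER, ShipCity TEXT)")
    con.executemany("INSERT INTO OrdersTable VALUES (?, ?)",
                    [(1, "Nashville"), (2, "Memphis"), (3, "Nashville")])
    return con

def table_exists(con):
    return con.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' "
                       "AND name = 'OrdersTable'").fetchone() is not None

def build_vulnerable_sql(ship_city):
    """The post's script as written: user text becomes part of the SQL."""
    return "select * from OrdersTable where ShipCity = '" + ship_city + "'"

def run_vulnerable(ship_city):
    """Run the concatenated text as a batch; returns whether OrdersTable survived."""
    con = make_db()
    con.executescript(build_vulnerable_sql(ship_city))
    return table_exists(con)

def run_parameterized(ship_city):
    """Hardened form: the city is bound as a value and can never become SQL.
    Returns (rows matched, whether OrdersTable survived)."""
    con = make_db()
    rows = con.execute("SELECT * FROM OrdersTable WHERE ShipCity = ?",
                       (ship_city,)).fetchall()
    return len(rows), table_exists(con)

def is_valid_city(ship_city):
    """Allowlist check from the post's advice: defence in depth, not a substitute
    for binding. A quote, semicolon or comment marker never passes."""
    return CITY_RE.fullmatch(ship_city) is not None

if __name__ == "__main__":
    print(build_vulnerable_sql(INJECTED_INPUT))
    print("concatenated, table survived:", run_vulnerable(INJECTED_INPUT))
    print("parameterized (rows, survived):", run_parameterized(INJECTED_INPUT))
    print("payload passes allowlist:", is_valid_city(INJECTED_INPUT))
```

Run as-is, the concatenated path loses OrdersTable while the bound path returns no rows and leaves the table in place; the allowlist rejects the payload before it reaches the database, but binding is what actually stops the injection.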

Even XKCD has a sample of this in a cartoon.
