SecureWorks, a leading Managed IT Security Services Provider, announced that it has seen a dramatic increase in the number of hacker attacks attempted against its banking, credit union and utility clients in the past three months using SQL Injection (a type of Web application attack).

ATLANTA, Jul 18, 2006 - "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day," said SecureWorks CTO Jon R. Ramsey. "As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day," said Ramsey.

"The majority of the attacks are coming from overseas," said Ramsey. "And although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack." In a targeted attack the hacker has singled out a particular organization, as opposed to a worm, which spreads indiscriminately.

"Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers, email addresses, etc.," continued Ramsey.

SQL Injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to an organization's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server. "What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications - even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," said Ramsey.

Recent SQL Injection Attacks

"The CardSystems security breach, where hackers stole 263,000 customer credit card numbers and exposed 40 million more, is a prime example of a SQL Injection attack," said Ramsey.

A more recent example of a SQL Injection attack occurred last December when Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.

How to Protect Against SQL Injection Attacks: Secure Your Web-based Applications

"SQL Injection is successful only when the web application is not sufficiently secured," said Ramsey. "Unfortunately, the majority of websites and web applications are not secure. Thus, we are advising all organizations to use 'input validation' for any form to ensure that only the type of input that is expected is accepted."

Protecting against a SQL Injection attack also requires organizations to secure not only their web applications but also the web server on which the application runs, the database from which the application retrieves information, and the operating systems on which the web servers, applications and databases reside.

Network and Host Intrusion Prevention Systems can offer many of these protections, especially when they are monitored by a 24x7x365 security team that can stay on top of the newest types of SQL Injection attacks, as new variants are released all the time.

SecureWorks has been successful in protecting its clients because it constantly monitors the attack landscape and develops countermeasures for any new attacks that arise. SecureWorks is also recommending that organizations follow these Safe Computing Guidelines.

Principle | Implementation
Never trust user input | Validate all textbox entries using validation controls, regular expressions, code, and so on
Never use dynamic SQL | Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account | Use a limited-access account to connect to the database
Don't store secrets in plain text | Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings
Exceptions should divulge minimal information | Don't reveal too much information in error messages; display minimal information in the event of an unhandled error; set debug to false

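The guidelines above, as an added example that is not from the SecureWorks release: a dynamic-SQL lookup beside its parameterized form, with input validation and a minimal error response, run against a constructed in-memory SQLite table (the table, the five-digit account format and the function names are assumptions made for this example).

```python
import re
import sqlite3

# Constructed in-memory sample data for this example; account numbers and emails are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_no TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("10001", "alice@example.com"), ("10002", "bob@example.com")])
    return conn

# Assumed input contract for this example: an account number is exactly five digits.
ACCOUNT_RE = re.compile(r"[0-9]{5}")

def validate_account(value):
    """'Never trust user input': accept only the expected shape and reject everything else."""
    if not ACCOUNT_RE.fullmatch(value):
        raise ValueError("account number must be exactly five digits")
    return value

def lookup_dynamic(conn, account_no):
    """Vulnerable ('dynamic SQL'): the form value is spliced into the SQL text,
    so quote characters in it are parsed as SQL and can rewrite the WHERE clause."""
    sql = "SELECT email FROM customers WHERE account_no = '" + account_no + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, account_no):
    """Hardened: the value is bound as a parameter; the database treats it strictly
    as data, so the query structure cannot change whatever the value contains."""
    sql = "SELECT email FROM customers WHERE account_no = ?"
    return [row[0] for row in conn.execute(sql, (account_no,))]

def handle_request(conn, raw_value):
    """Validate, then bind. Exceptions divulge minimal information: the caller
    gets a generic message while the detail would be logged server-side."""
    try:
        return {"ok": True, "emails": lookup_parameterized(conn, validate_account(raw_value))}
    except ValueError:
        return {"ok": False, "error": "invalid account number"}
    except sqlite3.Error:
        return {"ok": False, "error": "request could not be processed"}

if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a closing quote followed by an always-true condition.
    hostile = "' OR '1'='1"
    print(lookup_dynamic(db, "10001"))        # ['alice@example.com']
    print(lookup_dynamic(db, hostile))        # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, hostile))  # []: no account literally has that value
    print(handle_request(db, hostile))        # {'ok': False, 'error': 'invalid account number'}
```
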
"A SQL Injection attack is certainly not a new form of attack or the most sophisticated type of attack; however, as illustrated, it can be quite malicious, so we are advising all organizations with an Internet presence to take their web application security very seriously," concluded Ramsey.

About SecureWorks

SecureWorks, named by the Yankee Group as a leading MSSP, ranked 79th on the Inc. 500 Fastest Growing Private Companies List for 2005 and 39th on the 2005 Deloitte Technology Fast 500, a ranking of the 500 fastest growing technology companies in North America. SecureWorks is the only service that prevents network intrusions at the perimeter, firewall and host levels; monitors client networks 24x7x365; provides ongoing vulnerability assessments; and protects email from spam and viruses while automatically encrypting email to protect confidential information. SecureWorks is a member of the elite FIRST (Forum of Incident Response and Security Teams). It has been listed twice on CIO magazine's "CIO 100 List". www.secureworks.com.