In a recent survey of 571 community banks across 37 states, more than 70% of respondents listed cybersecurity as their number one concern. That’s not surprising, as financial services firms are more than 300X as likely to be targeted by a cyberattack than organizations in other sectors. According to data from Akamai, SQL Injection attacks account for nearly half (41.64%) of all cyberattacks in the financial services sector.
What is a SQL Injection Attack?
In a SQL injection attack, the attacker inputs or “injects” malicious SQL queries into a SQL database. These commands can execute a variety of actions, e.g., read, transfer, erase, or alter the contents of the database. A sophisticated attack can even shut down the database.
Financial services firms are particularly susceptible to SQL injection attacks due to the nature of their business. Because they handle copious quantities of data, SQL databases are the norm in the industry. And these databases contain data that command a high price on the dark web: Personally identifiable information (PII), bank accounts, credit card details, etc.
The digital transformation of the financial services sector means that more and more of the applications built on SQL databases will be accessible via the web, so SQL injection attacks will continue to be a problem. Attackers can gain access by stealing credentials (e.g., through spear phishing) then exploit vulnerabilities in the applications remotely.
7 SQL Injection Attack Protection Best Practices
SQL injection attacks are a bit unique in the world of cybersecurity. Unlike some of the other action items, such as increasing employee awareness, SQL injection attacks require head-on countermeasures. Here are seven best practices to implement in your organization.
1. Make sure your developers understand the risk and the countermeasures
Financial institutions still develop a lot of their applications in house, and that requires developers who know how to write SQL code that doesn’t increase the organization’s exposure to SQL injection attacks. From parameterized statements to sanitizing inputs, there are plenty of tricks of the trade. If your developers aren’t as well-versed as they ought to be or they have too much on their plate, consider partnering with an organization that can provide third-party security oversight of your development projects.
2. Use third-party authentication tools
There are third-party authentication tools that allow users to access your site. This saves you from having to develop the authorization code yourself. And, it saves your users from having to remember their login credentials.
3. Implement credential-protection protocols
Here’s where SQL injection protection and standard IT security best practices overlap. If your passwords are unencrypted or your users are sharing login credentials, no coding-based countermeasures are going to be effective.
4. Use third-party apps from trusted sources
If you need to provide access to your SQL database to a third-party app, e.g., a banking app, make sure you’re only using apps from trusted sources. (Those that know how to minimize the risks.) Then, make sure these apps are only given access to just as much of the database as they need to perform their job.
5. Maintain solid patching protocols
All systems and applications have vulnerabilities. Implementing patches issued by your vendors promptly can help you close any new vulnerabilities discovered. (Always remember, hackers watch for patch announcements, too. These announcements alert them to potential vulnerabilities, and they know that a large percentage of organizations won’t implement a patch right away.)
6. Implement an advanced Web Application Firewall
A Web Application Firewall, or WAF, sits between your web application and the database, inspecting traffic to weed out anything that looks suspicious. However, your WAF needs to be finely tuned by someone who knows what they’re doing to ensure your advanced security measures don’t impact the user experience.
7. Web application scanning, penetration testing and source code analysis
Here is where you validate the security of the code before it goes into production. Web application scanning is when a scanning tool crawls your website to identify weak points in your web application. Penetration testing (pen-testing) is a technique used to test your web application using simulated attacks. A source code analysis tool, often the deepest level of vulnerability testing, will also help you review your code to identify any security flaws.
Prepare for and defend against SQL injection attacks
Mergers and acquisitions activity is heating up, especially in the financial services sector. Download our latest eBook to learn how SQL Server 2016 can help you assimilate new systems quickly and securely. Contact us to learn more about creating a HA/DR strategy for SQL Server 2016.