How the UK civil service could have protected itself against the recent wave of web attacks
Nick Galea, CEO, Acunetix describes how major organisations, including the UK Civil Service and the US Department of Homeland Security, have been subjected to a new wave of web attacks during the last few weeks and how high-level web vulnerability scanners can ensure website security
During the past weeks there has been a wave of new attacks compromising hundreds of thousands of reputable websites, turning them into launch sites for attacks that install malware, Trojans and viruses on the computers of those who visit them. Once compromised, the visitors' machines can be used by the hackers to do just about anything. High-profile organisations have been hit, including the UK Civil Service and the US Department of Homeland Security.
Naturally, a company or organisation whose website is breached in such a way can suffer serious damage to its reputation, in addition to potential legal and financial implications.
These attacks have occurred because of SQL Injection vulnerabilities in the web applications running on the organisations' websites. Web applications are computer programs allowing website visitors to submit and retrieve data to/from a database over the internet using their preferred web browser. Web applications include login pages, support and product request forms, feedback forms, search pages, shopping carts and most of the applications that shape modern websites and provide organisations with the means necessary to communicate with prospects and customers.

Web applications may be either purchased off-the-shelf or developed as tailor-made programs. Given that by design web applications are publicly available on the internet 24/7, they are much more difficult to protect than traditional applications that reside behind a firewall and that can be scanned with traditional anti-virus software.
Serious organisations, though, can shield themselves by regularly scanning their website for vulnerabilities and proactively fixing them before they are discovered by hackers.
SQL Injection: What is it?
SQL Injection has become one of the favourite web attack mechanisms used by hackers to retrieve sensitive information from a company or organisation. By taking advantage of improper coding of a web application created by web developers who do not program securely enough, the hacker can gain access to data held within a database.
Many web applications are susceptible to SQL Injection attacks because they use a database as a backend and allow SQL queries to be issued to it directly.
The hacker transmits SQL commands to the database residing on the server via the web application. This is done in one of two ways: SQL commands are entered in form fields on the webpage, or SQL queries are inserted into required input parameters. Consequently, the hacker is able to run SQL queries and commands on a company's server, allowing him to take control of everything in the database, including sensitive business and customer data.
Hackers launching SQL Injection attacks have been successful at gaining access to sensitive information such as bank accounts and personal details of their holders; credit card information and complete individual details of customers from various online stores; annual reports of public companies before these were published; the admission status of university students before these were publicly released; and social security numbers and payroll details of employees working for different companies and organisations.
How can a SQL Injection attack be prevented?
For PR, financial, as well as legal reasons, it is essential for organisations to make their web applications totally infallible to hackers' attacks, and the use of a web application scanner to perform regular audits is crucial to achieve this.
A web application scanner is an automated security program that searches for software vulnerabilities within web applications. A web application scanner first crawls the entire website, analysing in-depth each file it finds, and displaying the entire website structure. After this discovery stage, it performs an automatic audit for common security vulnerabilities by launching a series of web attacks. Web application scanners check for vulnerabilities on the web server, web application server, and even on other web services.
A high-level web vulnerability scanner not only ensures website security by automatically checking for SQL Injection and cross-site scripting; it goes beyond this and can also locate CRLF injection, code execution, directory traversal, file inclusion and authentication vulnerabilities, as well as scan AJAX and Web 2.0 technologies for vulnerabilities, generate detailed reports that enable organisations to meet legal and regulatory compliance requirements, analyse websites against the Google Hacking Database (GHDB) and feature other advanced tools that permit fine tuning of web application security checks. Acunetix (www.acunetix.com) is an example of a complete Web Vulnerability Scanner that can accomplish all these tasks.
Other companies offering web application scanning products and services are Watchfire (www.watchfire.com), HP Application Security, formerly known as SPI Dynamics (www.hp.com), and WhiteHat Security (www.whitehatsec.com).

Nick Galea, CEO, Acunetix
More information on how to protect an organisation's website against the threat of hacker attacks is available at the Web Site security center on www.acunetix.com/websitesecurity/