ITP.net’s Cyber Kung Fu Master Class: SQL injection, with Fortinet
Simon Bryden of Fortinet warns of the deadly, stealthy strike responsible for 97% of the world’s data breaches
As summer settles in, you may be too hot and bothered to train on our cyber-mats, but we assure you that data thieves and online hoodlums don’t stop lurking when the seasons change, and you have a few muscles left that need to be toned.
So far, in ITP.net’s digital dojo, we have covered DDoS, DNS cache-poisoning, phishing, website security and software vulnerabilities. This month we turn our attention to your most precious asset: data. Martial arts masters the world over advise students to protect their centre line. Well, your data is just such a weak point. Customer records, intellectual property, financial information and perhaps even bank accounts themselves, are all fodder to a well-executed SQL injection.
Our guest master will teach you how to keep your unmentionables unmentioned.
So assemble on the mats for your next lesson in… Cyber Kung Fu (gong!).
Meet this month’s Cyber Kung Fu Master: Simon Bryden, consulting systems engineer at Fortinet
Simon Bryden represents FortiGuard Labs across the EMEA region, promoting Fortinet's threat-intelligence capability both internally and to customers and partners.
Simon has over 25 years’ experience in the IT industry and before joining Fortinet held engineering and product management positions in a number of vendor, integrator and end-user organisations.
He graduated from the University of Edinburgh with a degree in Mathematical Physics.
The attack: SQL injection
This is the attack that bends you over and pulls your underwear over your head. It is blamed for 97% of the world’s data breaches. In the world of hackers, few ops, great or small, beat the badge earned from accessing an organisation’s full data store. For the victim it is humbling at best, ruinous at worst; for the attacker it is elevating.
Most in the ICT industry are familiar with the structured query language (SQL) SELECT statement. Database administrators (DBAs) and coders use it to read data from databases. If you have a table of bank accounts, say, a statement such as “SELECT * FROM accounts_table” returns every record and every field. But relational database management systems (RDBMS) also expose data-modifying keywords such as “INSERT”, “UPDATE” and “DELETE”. Imagine an outsider getting access to those accounts. The potential damage is incalculable when they wield such sweeping modifiers. It would be a strike to your digital solar plexus.
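As an added illustration, not part of the article or of Fortinet's material: the root of the problem is how the SELECT statement described above gets built in application code. The in-memory SQLite accounts table, its rows and the two inputs are constructed for this example; the unsafe lookup pastes the caller's text straight into the SQL, while the hardened lookup keeps the statement fixed and binds the value as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (not from the article): a small accounts table
    # in the spirit of the "accounts_table" the text uses.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts_table (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts_table (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    # Vulnerable pattern: the input is spliced into the SQL text, so it can
    # change the structure of the statement rather than just supply a value.
    sql = f"SELECT id, owner, balance FROM accounts_table WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Hardened pattern: the statement is fixed and the value travels separately
    # as a bound parameter; whatever the input contains, it is only ever
    # compared against the owner column.
    sql = "SELECT id, owner, balance FROM accounts_table WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo() -> dict:
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: closes the quoted string and appends a
    # condition that is always true, turning a one-row lookup into a dump.
    tautology = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_tautology": lookup_unsafe(conn, tautology),
        "safe_normal": lookup_safe(conn, normal),
        "safe_tautology": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Run stand-alone, the unsafe lookup returns one row for a normal name but every row for the crafted input; the parameterised lookup returns one row and none respectively, because the database driver never interprets the bound value as SQL. The same binding discipline applies to INSERT, UPDATE and DELETE statements.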