Saturday, February 27, 2016

Blog 11: SQL Injection

In my effort to increase security awareness and build cultural acceptance of it, I want to focus this post on a topic called SQL injection.

Structured Query Language, or SQL, has been around since the 1970s and is heavily used in today's connected web of data access. Its purpose is to express the instructions that interact with the data residing within database systems. These back-end database systems can hold information that is personal and confidential to the organization, as well as to the organization's customers, and that should only be viewed by authorized individuals.

However, many attacks reported over the years have jeopardized the data held within these systems through a technique called SQL injection. SQL injection "injects" attacker-controlled SQL into a query that the application builds from untrusted input, generally a web form field or URL parameter, so that the input is executed as code rather than treated as data. The attacker can then bypass authentication, harvest information from the database server, or modify it. For example, the 2015 breach of VTech, a company that sells a plethora of kids' toys and more, was one of the largest attacks that year to use SQL injection (ThompsonM, 2015). VTech's database servers were compromised during this attack, giving the attacker control over the data they held.

Even though organizations have built a level of awareness around this issue, SQL injection vulnerabilities remain among the most exploited flaws (Baker, 2013). In fact, a Ponemon Institute survey reported in 2014 singled out SQL injection as a top attack vector (Paganini, 2014), and OWASP lists injection at the top of its Top Ten categories. The impact of this type of vulnerability can be the internal compromise of a database, which tarnishes an organization's trust and brand with its customers, as it did with VTech.

Some of the primary defenses to consider against SQL injection attempts are: parameterized queries, stored procedures, least privilege, and input validation. Parameterized queries allow the database to distinguish between code and data: the developer defines all of the SQL before the query is sent and passes the user-supplied values as bound parameters, so the statement cannot change regardless of the input that is supplied. Stored procedures give the same separation as long as they take their arguments as parameters rather than building dynamic SQL internally; a stored procedure that concatenates its inputs into a query string is just as injectable as application code that does so. Another simple yet effective defense is the principle of least privilege: each database account the application uses gets only the permissions its function requires, and nothing more, so that an injected query in a read-only search feature cannot drop tables or read the credentials table. Lastly, input validation that rejects unexpected input (for example, allowing only the characters a username may contain) before the application processes it adds a further layer, though it is a supplement to parameterization, not a replacement for it.
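To make the distinction between code and data concrete, here is an added example in Python that is not part of the original post. It uses the standard library's sqlite3 module and a constructed three-row users table. lookup_vulnerable builds the query by string concatenation, lookup_parameterized defines the SQL first and passes the name as a bound parameter, and is_valid_username is a hypothetical allow-list check of the kind the input validation paragraph describes. The two payloads are the classic tautology and UNION injections; least privilege is an account-level control and is not shown here.

```python
import re
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
    ("carol", "letmein", "carol@example.com"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation, so whatever the user typed
    is parsed as SQL. This is the bug, shown deliberately."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Defines the SQL first; the driver binds `name` as a value, so a
    quote or keyword inside it can never change the statement."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical allow-list for this demo: usernames are 1-32 word characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(name):
    """Input validation as a second layer: reject anything outside the
    allow-list before the query is even built."""
    return USERNAME_RE.fullmatch(name) is not None


# Two classic payloads: a tautology that matches every row, and a UNION
# that appends the password column to the result set.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:            ", lookup_vulnerable(db, "alice"))
    print("tautology (vulnerable):   ", lookup_vulnerable(db, TAUTOLOGY))
    print("union dump (vulnerable):  ", lookup_vulnerable(db, UNION_DUMP))
    print("tautology (parameterized):", lookup_parameterized(db, TAUTOLOGY))
    print("validated?", is_valid_username("alice"), is_valid_username(TAUTOLOGY))
```

Run it and compare the two lookups: the concatenated query returns every row for the tautology and the full name/password list for the UNION payload, while the parameterized query returns nothing for either, because the payload is compared as a literal username. The allow-list rejects both payloads before any query is built.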

With the many internal and customer-facing applications spanning the Internet to support business initiatives, it is exceptionally important to protect the confidentiality and integrity of this data. To assist in this effort, OWASP has published guidance in the form of a Prevention Cheat Sheet that can be viewed, adapted, and implemented. The link to the Cheat Sheet can be found here (SQL Injection Prevention Cheat Sheet, n.d.).

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!

References:

Baker, A. (2013, August 22). 14 Years of SQL Injection and still the most dangerous vulnerability. Retrieved February 25, 2016, from https://www.netsparker.com/blog/web-security/sql-injection-vulnerability-history/

Paganini, P. (2014, April 18). Ponemon study – SQL Injection attacks too dangerous for organizations. Retrieved February 27, 2016, from http://securityaffairs.co/wordpress/24094/cyber-crime/ponemon-sql-injection-attacks.html

SQL Injection Prevention Cheat Sheet. (n.d.). Retrieved February 27, 2016, from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

ThompsonM. (2015, December 03). VTech Hack Reminds Us that SQL Injection Can Have Serious Consequences. Retrieved February 25, 2016, from http://coar.risc.anl.gov/consequences-of-sql-injection-attacks/

Saturday, February 20, 2016

Blog 10: Security's Weakest Link (Social Engineering)

In my effort to increase security awareness and build cultural acceptance of it, I want to focus this post on a topic called social engineering. Social engineering is a technique used to manipulate individuals into a desired outcome. It is a form of human trickery and has been called one of the weakest links in security.

Unlike technical controls, which are built on rules and algorithms, humans run on feelings and emotions. These human responses make up our natural instinct to trust others and to want to help them. Most of us have been raised to "love thy neighbor" or to "do unto others as you would have them do unto you." These very responses are exactly what a skilled social engineer counts on to breach the human firewall and draw unsuspecting individuals into a cybercrime.

To illustrate, in 2015 Ubiquiti Networks, a San Jose based technology company, fell victim to an email-based social engineering attack that resulted in the loss of $39.1 million (Honan, 2015). As stated by Honan (2015), "it appears a member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a 'CEO scam', which is where a social engineer impersonates a senior staff member within the organization." When someone successfully impersonates a senior staff member, individuals tend to fall back on their natural human response of trust. In this case, that natural response created devastating monetary and brand repercussions for the organization. One of the most effective ways for social engineers to penetrate the human firewall is phishing, because it takes less time and effort to achieve the desired result (Mijares, 2015).

These types of attacks are on the rise. However, with the right amount of training, awareness, and guidance, the people within the organization can become an exceptional defense against social engineers who seek to exploit the human firewall for malicious purposes. Instead of accepting an email or an unknown individual at "face value", learn to overcome our natural instincts and verify the information, through a channel you already trust, before opening the "ports" of your human firewall.

For more information on protecting against social engineering attacks, spend some time on Google and consider the book The Art of Deception, by Kevin D. Mitnick and William L. Simon, with a foreword by Steve Wozniak (Review of The Art of Deception, n.d.). You will find a plethora of material designed to give you what you need to put a training program together for your organization.

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!

References:
Honan, B. (2015, August 6). Ubiquiti Networks victim of $39 million social engineering attack. Retrieved February 18, 2016, from http://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html

Mijares, A. (2015, October 22). Social engineering: Employees could be your weakest link. Retrieved February 18, 2016, from http://www.computerworld.com/article/2996606/cybercrime-hacking/social-engineering-employees-could-be-your-weakest-link.html

Review of The Art of Deception. (n.d.). Retrieved February 18, 2016, from http://www.techsoc.com/deception.htm



Friday, February 12, 2016

Blog 9: Tales from the Crypt(ography)

Image courtesy of Stuart Miles at FreeDigitalPhotos.net
In my effort to increase security awareness and build cultural acceptance of it, I want to focus this post on the importance of using the science of cryptography to secure your data and communication channels through encryption.

The main focus of this post is to give the reader an understanding of the basic science behind cryptography. To do this, we will look at a fairly simple encryption algorithm, a substitution cipher, and see how it is applied to a basic cleartext message to produce a ciphertext for secrecy. To decrypt the message, the recipient needs both the algorithm and the associated key.

In the days before microcomputers, messages were passed in written form, such as ink on a scroll, and carried by a soldier on horseback to the intended recipient. Even then, specific methods were used to protect the confidentiality of the message by manipulating its letters so that it appeared to be nonsense to anyone who intercepted it, maliciously or unintentionally. For the intended recipient, however, the method could be reversed to recover the message, as long as the algorithm and key had been shared.

These methods make up the science of cryptography, the art of secret writing, in which an algorithm and a key are applied to a message to make it difficult, if not impossible, for anyone else to view the original information. Applying the algorithm is called encrypting the message, and reversing it is called decrypting it.

To illustrate, let's begin with the simplest substitution cipher, the shift cipher (better known as the Caesar cipher). This algorithm replaces every letter of the message with the letter a fixed number of places to its right in the alphabet, wrapping around from Z back to A. The number of places to shift is the "key" of the algorithm. For example, "Rot 3" (rotate 3) would have you shift the first letter of our cleartext message below, M, three places to the right, giving P.

Using the image below, we will begin with what is known as the plaintext, or original message, and apply the algorithm to it to produce a ciphertext. The algorithm we will use is the shift cipher with the key Rot 5, and the plaintext I have chosen is:

MEET ME AT FOUR PM ON ELM STREET TODAY

Image Produced by Troy Bevans

To encrypt the plaintext, thus turning it into ciphertext, start with the first letter of the message, M. Since we are using the Rot 5 key, find M in the top row of the grid, where the alphabet is written in the shaded gray area, and take the letter directly below it, R, as the first letter of your encrypted ciphertext. Repeat this for every letter (the spaces are dropped), and the encrypted ciphertext will look as follows:

RJJYRJFYKTZWURTSJQRXYWJJYYTIFD

As you can see, anyone who received this message without knowing which encryption algorithm had been applied would find it difficult to read. Now suppose you knew that a shift cipher was used but not which key, such as Rot 3, 4, or 5. In that case it would take a little trial and error to turn the ciphertext back into cleartext. The shift cipher is the algorithm, and the number of places to shift (Rot 5) is the key. Putting the two together lets you encrypt and decrypt the message, adding a layer of protection for the confidentiality of the message the soldier carries on horseback along its path to the intended recipient. Keep in mind, though, that a shift cipher has only 25 possible keys, so an interceptor can simply try them all, and the letter frequencies of the language survive the shift; it illustrates what a key is, not a level of protection you should rely on today.
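Here is the grid procedure above written out in Python, as an added example that is not part of the original post. encrypt and decrypt implement the Rot-key shift over the uppercase alphabet, dropping spaces exactly as the page's grid method does; brute_force and recover_key go beyond the post to show why the 25-key space gives so little protection, with recover_key using a "crib", a word the attacker expects to find in the plaintext (here STREET, taken from the post's own message), to pick out the right key.

```python
import string

ALPHABET = string.ascii_uppercase  # the shaded top row of the page's grid


def shift_letter(letter, key):
    """Shift one uppercase letter `key` places to the right, wrapping Z to A.
    A negative key shifts to the left, which is how decryption works."""
    return ALPHABET[(ALPHABET.index(letter) + key) % 26]


def encrypt(plaintext, key):
    """Apply the Rot-<key> shift cipher. Letters are upper-cased and anything
    that is not a letter is dropped, matching the page's worked example."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    return "".join(shift_letter(c, key) for c in letters)


def decrypt(ciphertext, key):
    """Decryption is the same algorithm run with the opposite shift."""
    return encrypt(ciphertext, -key)


def brute_force(ciphertext):
    """Try every non-trivial key. There are only 25, so an interceptor who
    knows the algorithm but not the key just reads all 25 candidates."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


def recover_key(ciphertext, crib):
    """Return the keys whose decryption contains `crib`, a word the attacker
    expects to appear in the plaintext. Usually exactly one key survives."""
    crib = encrypt(crib, 0)  # normalise the crib the same way as the text
    return [key for key, candidate in brute_force(ciphertext).items() if crib in candidate]


if __name__ == "__main__":
    message = "MEET ME AT FOUR PM ON ELM STREET TODAY"  # the post's plaintext
    ct = encrypt(message, 5)
    print("ciphertext:", ct)
    print("decrypted: ", decrypt(ct, 5))
    print("key found by crib 'STREET':", recover_key(ct, "STREET"))
    for key, candidate in brute_force(ct).items():
        print(f"Rot {key:2d}: {candidate}")
```

Running it reproduces the post's ciphertext RJJYRJFYKTZWURTSJQRXYWJJYYTIFD, decrypts it back with key 5, and lists all 25 candidate plaintexts, of which only the Rot 5 line reads as English.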

Encryption algorithms have come a long way since the days of the scroll and delivery by horse. With that in mind, I am sure glad my computer does all of this encrypting/decrypting for me!!! Aren't you?!   

Thank you for reading! Until next time, remember that you don't have to become a victim of a threat to become aware of a threat!