Data has often been dubbed the new oil, but it is only useful when it can be stored and retrieved reliably. The tool most of us are familiar with for that is the SQL query. Because so much valuable data sits behind SQL queries, cybercriminals often try to manipulate them.
What is SQL Injection?
SQL Injection is an attack in which user-supplied input is interpreted by the database as part of an SQL query rather than as plain data. The point of insertion (or “injection”) is generally an input field or a URL parameter. When an application pastes that input directly into the text of a query, the attacker can change the structure and intent of the original query.
For example, consider one of the most common queries: the check behind a website login. The original query is meant to compare the username and password typed in against records in a database. With SQL injection, a value such as ' OR '1'='1 placed in the password field turns the WHERE clause into a condition that is always true, so the query returns all user records in the database instead of the one matching account.
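The login check described above, as an added example that is not part of the original article: the vulnerable string-building version beside the parameterized version that the later prevention section recommends. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table, the accounts and the function names are assumptions made for this illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with a constructed users table.

    The rows are sample data invented for this example. Passwords are stored
    in plain text only to keep the example short; a real system stores hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The flawed pattern: user input is pasted straight into the SQL text.

    Returns the usernames the query matches, so the effect of a payload is
    visible. With a normal login at most one row comes back.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def safe_login(conn, username, password):
    """The fix: the SQL text is fixed in advance and values are bound as parameters.

    The database engine receives the query structure and the values separately,
    so a quote or an OR inside the input is compared literally against the column.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Payload in the password field. The original query's closing quote is
    # consumed by '1'='1', so the WHERE clause becomes
    #   username = 'x' AND password = '' OR '1'='1'
    # and every user record is returned.
    dump_all = "' OR '1'='1"
    print("vulnerable, dump-all payload:", vulnerable_login(db, "x", dump_all))
    # A targeted variant matches a chosen account without knowing its password.
    as_alice = "' OR username='alice"
    print("vulnerable, targeted payload:", vulnerable_login(db, "x", as_alice))
    # The same payloads against the parameterized query match nothing.
    print("parameterized, dump-all payload:", safe_login(db, "x", dump_all))
    print("parameterized, real credentials:", safe_login(db, "alice", "s3cret"))
```

Note that AND binds tighter than OR in SQL, which is why the classic payload is placed in the last field of the query: put in the username field without a trailing comment it would be swallowed by the AND password = '' condition and match nothing.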
Notable SQL Injection Attacks and Incidents in Malaysia
SQL injection attacks rank high among the cybersecurity concerns of many Malaysian businesses. While currently not as prevalent as phishing and malware, a single SQL injection flaw can expose an entire database and cause large-scale damage.
Some SQL injection incidents across Malaysia include:
- Two subsidiaries of Prudential were affected by an SQL injection incident in 2023. The incident was part of the global MOVEit campaign, in which an SQL injection flaw in the MOVEit Transfer file-transfer software was exploited to steal data from over 66 million individuals and 2,500 organizations.
- The National Cyber Coordination and Command Center released an advisory in 2022. It warned of increased malicious activity targeting Malaysian domains, including SQL injection attacks.
- Malaysia’s Ministry of Education temporarily stopped its online examination system in 2018. Reports pointed to an SQL injection vulnerability that put data from over 10,000 schools at risk.
How to Protect Your Data From SQL Injection Attacks
Because SQL queries don’t always cause direct damage, they can often go unchecked for extended periods. This compounds an already hazardous scenario for any organization.
Bernard Tan
CallNet Senior Systems Engineer
SQL injection attacks don’t typically target individuals directly. The exceptions are those who operate websites or blogs backed by a database that gathers significant amounts of data. Individuals are still affected when an organization holding their data is breached, but the preventative measures are applied at the organizational level.
Here’s what you can do:
- Prepared Statements and Parameterized Queries: Developers should use prepared statements, in which the SQL text is fixed in advance and user-supplied values are bound to it as parameters. Because the database treats a bound parameter strictly as data, no input can change the structure or intent of the query. This is the primary defence; the other items on this list are supporting layers.
- Stored Procedures: Stored procedures keep the SQL logic inside the database and accept their inputs as typed parameters, which gives the same protection as prepared statements. The caveat is that a stored procedure that builds dynamic SQL from its inputs internally is just as injectable as application code that does so.
- Input Validation: Always enforce input validation so that attackers cannot insert harmful SQL. Validate against an allowlist of expected formats (a numeric ID must be digits, a sort column must be one of a known set) and reject anything that fails, rather than trying to strip out bad characters. Validation is the main defence for parts of a query that cannot be parameterized, such as table or column names, but it complements rather than replaces parameterized queries.
- Web Application Firewalls: Aside from many other uses, WAFs can detect and block some SQL Injection attacks. This is a low-cost, high-benefit tool that many businesses can use, but it is a defence-in-depth layer: signature-based filters can often be bypassed, so a WAF does not remove the need to fix the code.
- Reduce Privileges: Don’t over-empower your applications. Give the application’s database account only the permissions it needs: read access to the tables it reads, write access to those it updates, and never administrative rights such as creating tables, reading other databases, or executing commands on the database host. This limits what an injection can do even when it succeeds.
- Regular Updates: SQL injection flaws are also found in third-party software such as file-transfer tools, CMS platforms and plugins, not only in code you write yourself; the MOVEit incident above is one example. Ensure you regularly update your database management system, web server, application frameworks and other components.
- Security Audits and Code Reviews: Where security is concerned, avoid relying solely on the IT teams and developers who built the system. Complement internal reviews with third-party penetration tests and code reviews that specifically look for injection flaws, including in older or rarely touched code.
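The Input Validation item above covers the case prepared statements cannot: identifiers such as a sort column or sort direction taken from a URL parameter, which databases do not accept as bound parameters. The following is an added example, not code from the original article or from CallNet, showing allowlist validation of those identifiers combined with parameter binding for the actual values. The products table, its column names and the page-size limit are assumptions made for the illustration; it uses Python's built-in sqlite3 module and runs offline.

```python
import re
import sqlite3

# Identifiers cannot be bound as parameters, so they are checked against an
# allowlist instead. These column names are assumed for the example.
ALLOWED_SORT_COLUMNS = {"name", "price", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """In-memory database with a constructed products table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "price REAL, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, price, created_at) VALUES (?, ?, ?)",
        [
            ("widget", 9.99, "2024-01-02"),
            ("gadget", 24.5, "2024-01-05"),
            ("doohickey", 3.25, "2024-01-09"),
        ],
    )
    conn.commit()
    return conn


def validate_sort_column(column):
    """Accept only a known column name; reject everything else outright."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {column!r}")
    return column


def validate_direction(direction):
    """Accept only ASC or DESC (case-insensitive); reject anything else."""
    normalized = direction.strip().upper()
    if normalized not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unexpected sort direction: {direction!r}")
    return normalized


def validate_page_size(value):
    """Page size arrives as a string from the URL; require a small positive integer."""
    if not re.fullmatch(r"[1-9][0-9]{0,2}", value):
        raise ValueError(f"unexpected page size: {value!r}")
    return int(value)


def list_products(conn, sort_column, direction, page_size, min_price):
    """Query with validated identifiers and bound values.

    The column and direction are interpolated into the SQL text only after
    passing the allowlist; the price threshold and page size are bound as
    parameters, so they never touch the query structure.
    """
    col = validate_sort_column(sort_column)
    order = validate_direction(direction)
    size = validate_page_size(page_size)
    query = (
        "SELECT name, price FROM products WHERE price >= ? "
        f"ORDER BY {col} {order} LIMIT ?"
    )
    return conn.execute(query, (min_price, size)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("valid request:", list_products(db, "price", "desc", "2", 0))
    # Constructed malicious identifiers, each rejected before any SQL is built.
    for bad in ("price; DROP TABLE products", "name, (SELECT 1)", "id"):
        try:
            list_products(db, bad, "asc", "10", 0)
        except ValueError as exc:
            print("rejected:", exc)
```

Rejecting invalid input with an error, rather than stripping characters and continuing, is deliberate: a stripped value can still be reassembled into something harmful, and a rejection is also a useful signal to log for the detection side.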
Conclusion
Despite the rudimentary nature of SQL injection attacks, the simplicity of the method means it remains a popular choice among cybercriminals. This is especially true in countries like Malaysia, where eCommerce and digital operations are prevalent.
Leaving a gap for an SQL injection attack to occur is senseless, especially since these attacks are almost always preventable with well-understood techniques such as parameterized queries, input validation and least-privilege database accounts. Speak to our experts on how we can use common solutions to provide affordable protection against SQL injection attacks.