SQL injection attacks are currently at a high point. Botnet-driven attack and exploit engines like ASPROX are targeting vulnerable IIS web servers and turning their databases into malware distribution points. Those who have been exploited have received their wake-up call. The fortunate ones recognize that their time may be coming. Both parties want a solution. JACADIS has been busy helping clients recover from this attack, as well as helping others avoid being affected. Keep this in mind:
1. ASPROX and other SQL injection attacks are a development problem. It's not Microsoft's fault. Yes, the attack targets IIS servers, but that's based on the ubiquity of the IIS platform. The underlying problem is a development issue. Blaming it on Microsoft is like holding your homebuilder accountable for a home burglary when you left your windows and doors unlocked. If you're not making sure your form inputs only allow what's expected, you're inviting unwanted guests. Bottom line: sanitize your input and use parameterized queries.
2. Know your attack surface. If you have an Internet presence, you must know how Internet users and processes can access your network. Get a vulnerability scanner. Make sure it can identify not only network and host-based weaknesses but also web-based holes like cross-site scripting (XSS) and SQL injection (SQLi). Qualys and Acunetix are good places to start. Both offer free demos.
3. Run with least privilege. Yes, developers are still attaching their web applications to databases using the "sa" account. Please don't do this. Identify the absolute least privileges required by your application. Just like your users do not need administrative privilege at the desktop, neither do your web applications need admin access to your SQL database. Resources exist for securing your SQL database -- read them, then act.
4. Know when your systems are being abused. Prevention is one thing. Detecting and responding to attacks when prevention fails is another. These SQL bots leave telltale signs in your IIS logs. Tune your SIM or log management solution to look for these and similar signatures.
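As an added example (not part of the original post), here is a small Python script that parses constructed IIS W3C log lines and flags query strings carrying common SQL Server injection indicators. The log lines, field layout and pattern list are assumptions to be tuned to your own application and SIM.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt for illustration (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-06-01 10:15:02 10.0.0.5 GET /products.asp id=42 203.0.113.7 200
2008-06-01 10:15:09 10.0.0.5 GET /products.asp id=42;DECLARE+@s+VARCHAR(4000);EXEC(@s)-- 203.0.113.9 200
2008-06-01 10:15:11 10.0.0.5 GET /search.asp q=%27+UNION+SELECT+name+FROM+sysobjects-- 203.0.113.9 500
2008-06-01 10:15:20 10.0.0.5 GET /about.asp - 198.51.100.3 200
"""

# Indicators typical of SQL injection probes against SQL Server (assumed list; tune it).
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bDECLARE\s+@", r"\bEXEC\b", r"\bCAST\s*\(",
        r"\bUNION\s+(ALL\s+)?SELECT\b", r"\bxp_\w+", r"\bsysobjects\b", r"--",
    )
]

def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            # IIS encodes spaces in URIs, so whitespace splitting is safe here.
            yield dict(zip(fields, line.split()))

def find_sqli_hits(text):
    """Return (client_ip, uri_stem, matched_pattern) for each suspicious request."""
    hits = []
    for rec in parse_iis_log(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = unquote_plus(query)  # undo %xx and '+' before matching
        for pat in SQLI_PATTERNS:
            if pat.search(decoded):
                hits.append((rec["c-ip"], rec["cs-uri-stem"], pat.pattern))
                break
    return hits

if __name__ == "__main__":
    for ip, stem, pattern in find_sqli_hits(SAMPLE_LOG):
        print(f"{ip} -> {stem}: matched {pattern}")
```

The same logic can be pointed at a real log file by reading it into `find_sqli_hits`, and the hit list fed to whatever alerting your log management solution supports.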
Stay tuned for more information.
-- Si