
Organisations remain unprepared for SQLi attacks, despite their popularity with attackers

SQLi attacks on web applications most likely in the UK and Norway, an NTT study reveals – even though such attacks are well-documented and understood

SQL injection (SQLi) attacks are the most popular for hackers targeting web applications, according to the 2015 Global Threat Intelligence Report by NTT Com Security.

The report, based on the analysis of six billion attacks in 2014, said SQLi attacks were the most likely on web applications in the UK and Norway.

SQLi attacks accounted for 26% of web application attacks across all countries, but made up 58% of web application attacks in the UK and Norway. This compared with just 19% in the US and Sweden, 12% in France and Germany and 10% in the Netherlands.

SQLi involves supplying crafted input through URL parameters, form fields or other request data that a vulnerable web application concatenates into a database query, so that the attacker's input is executed as SQL rather than treated as data. It is usually used to read the contents of databases storing valuable data, such as credit card details.
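To make the mechanism concrete, the following is an added example written for this page; it is not code from the NTT report or from the article. It uses a constructed in-memory SQLite database (the table names, rows and card-number placeholders are invented) and two hypothetical attacker inputs: an always-true clause that bypasses the intended filter, and a UNION clause that pulls rows out of a different table. The same lookup is written twice, once by string concatenation, which is the vulnerable pattern, and once as a parameterised query, which is the standard fix.

```python
import sqlite3


def build_db():
    """Constructed sample database standing in for a web application's back end.

    The card and hash values are placeholders, not real data.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, card) VALUES (?, ?)",
        [
            ("alice", "4111-xxxx-xxxx-1111"),
            ("bob", "5500-xxxx-xxxx-0004"),
            ("carol", "3400-xxxx-xxxx-0009"),
        ],
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", "$2b$12$constructedplaceholderhash"),
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation (the vulnerable pattern).

    The user-controlled value becomes part of the SQL text, so any quote
    characters or keywords it contains are parsed and executed as SQL.
    """
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query (the fix).

    The value is passed to the driver separately from the SQL text, so it is
    only ever compared as data and cannot change the query's structure.
    """
    sql = "SELECT name, card FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical attacker inputs (not taken from any real incident):
# - closes the string literal and appends a clause that is always true,
#   turning "WHERE name = '...'" into a filter that matches every row;
# - closes the literal, appends a UNION that reads a different table, and
#   comments out the trailing quote the application adds.
PAYLOAD_ALWAYS_TRUE = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT username, password_hash FROM users --"


def demo():
    """Runs both lookups against both payloads and a legitimate value."""
    conn = build_db()
    return {
        "vulnerable_or": lookup_vulnerable(conn, PAYLOAD_ALWAYS_TRUE),
        "vulnerable_union": lookup_vulnerable(conn, PAYLOAD_UNION),
        "safe_or": lookup_safe(conn, PAYLOAD_ALWAYS_TRUE),
        "safe_union": lookup_safe(conn, PAYLOAD_UNION),
        "legit": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:17s} -> {rows}")
```

Run stand-alone, the vulnerable lookup returns every customer row for the first payload and the contents of the `users` table for the second, while the parameterised lookup returns nothing for either and only the matching row for a genuine name. The point is structural: input validation or escaping can be bypassed or forgotten, whereas a parameterised query never lets the input reach the SQL parser.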

“Injection attacks are the biggest vulnerability in web applications and have been for the last few years,” said Stuart Reed, senior director, global product marketing at NTT Com Security.

“If you look at many of the major security breaches that have hit the headlines recently, typically they are injection attacks because they are attractive targets containing sensitive information like credit card details and valuable customer data.”

Firms fail to defend against common and well-understood SQLi attacks

Reed said that, despite SQLi attacks being common and well-understood, many companies still fail to use effective processes to close the vulnerability.

“Organisations need to ensure they are building the right level of security into web applications to avoid this type of attack, and that they have effective incident response plans in place to handle any potential or actual security breaches,” he said.


The Open Web Application Security Project (OWASP) continues to rank injection attacks, of which SQL injection is the most common form, at the top of its list of the 10 most critical web application security risks.

In November 2014, the Information Commissioner’s Office (ICO) urged UK organisations to protect their websites against SQLi attacks after the hotel booking website Worldview Limited was fined £7,500 following a serious data breach. Worldview's breach happened after an SQLi vulnerability on the company’s website allowed attackers to access the full payment card details of 3,814 customers.

The ICO said research had shown SQLi to be an extremely common attack method, and that, over the past 10 years, SQLi had been linked to 90% of database records stolen.

Regional variations in attack types

Across all attack types, the report showed that web application attacks represented 10% of all attacks in the UK in 2014, lower than in other markets, including the US (13%) and the Netherlands (17%). The Nordic nations top the table of web application attacks, with Sweden and Norway each reporting that a fifth of all the attacks they saw hit web applications.

Other key findings of the report included that 76% of the vulnerabilities identified across all enterprise systems in 2014 were more than two years old, and almost 9% of them were more than 10 years old.

According to the report, 74% of organisations had no incident response plan in place in 2014, while the share of incident response engagements involving malware rose to 52%, up 9% on 2013.

While 52% of incidents were the result of malware, NTT Com Security found that only 46% of new malware was detected by antivirus software, and that 85% of vulnerabilities resided on end-user systems rather than on servers.

Finance continues to represent the number-one targeted sector, with 18% of all detected attacks, the report said. The business and professional services sector followed with 15%, retail (14%), manufacturing (12%) and healthcare (7%).
