Distributed Denial of Service (DDoS) attacks have been at the forefront of security conversations lately, largely due to the number of hits against the banking industry. In his blog at CircleID, Rodney Joffe pointed out a number of reasons why DDoS attacks are becoming more dangerous, including this observation:
DDoS attacks have entered a dangerous new phase. A combination of size and intelligence marked these attacks. While they peaked at between 60 and 150 Gbps (most DDoS attacks are smaller than 1 Gbps), the assaults on banks involved only 2,000 — 3,000 computers, not the tens or hundreds of thousands we’ve seen in botnets before. The difference: most of the compromised systems were powerful business machines, rather than traditional home computers, with access to significantly more bandwidth to help flood connections. First, the attackers hit web resources with large numbers of HTTP (web) traffic and then moved on to DNS servers, which tend to be more vulnerable. The result was a curious hybrid: a highly strategic, brute-force attack that left its victims reeling. Clearly, the attackers were well acquainted with how the Internet works.
Joffe also pointed out that traditional methods for fighting DDoS attacks aren’t working anymore, so we need to find new methods. I’d like to add that while we are trying to protect against DDoS, we also need to take a closer look at how we are protecting our systems from SQL injection attacks. Why pay more attention to SQL injection? Because, according to a new report from Imperva, that’s what the hackers are talking about.
In its Hacker Intelligence Initiative report, the Imperva research team looked at one of the best-known and one of the largest hacker forums, as well as smaller hacker forums, to see what they were talking about. According to the report, they discovered:
SQL injection is now tied with DDoS as the most discussed topic. Both topics got 19% of discussion volume. Last year, SQL injection was second with 19%, and DDoS came in first place with 22%. Ironically, of the $25 billion spent on software security, and we believe this means less than 5 percent of security budgets is allocated to products that cannot even recognize SQL injection attacks – let alone stop them. We believe this imbalance encourages hackers to continue to learn and deploy this attack method.
In fact, companies like Symantec and ImageShack are some of the most recent (and visible) victims of a SQL injection — and the attack was not the work of Anonymous but another hacking group called Hack the Planet. (PayPal was also rumored to have been hit, but the company has said it was not.)
And yet, Imperva found, only 5 percent of the average enterprise security budget is going to protect against SQL injection attacks.
One of the most difficult parts of data security is staying one step ahead of the bad guys. Now that we know that nearly 40 percent of discussion among hackers involves DDoS attacks and SQL injections, isn’t it time to look at how enterprise security is approaching those methods?