What is SQL and SQL Injection?

Some news items the other day mentioned SQL Injection as a possible cause of the TalkTalk attack; they could be right, so don’t let it happen to you!

Today’s article is just about “What is SQL” and “What is SQL Injection”; we’ll investigate how to mitigate SQL Injection attacks in my next article in this series.

SQL (Structured Query Language) is a programming language for managing data in a database such as SQL Server, MySQL, Sybase and the like.

Here is an example SQL command of the kind that application code written in a programming language such as PHP or ASP.NET (among others) would send to the database.
SELECT * FROM Customers WHERE email = 'me@pfi-security.co.uk';
One record is returned; the asterisk signifies that all fields are to be returned from that one record, just like one row in Excel.

SQL Injection is when malicious input is inserted into a form on your website; in reality the form itself would not be used, but a script written which simulates the form being submitted, perhaps using the Tor network for anonymity.
Signing in to a service usually requires an email address; in my case me@pfi-security.co.uk would be entered on the web page. Let’s assume that me@pfi-security.co.uk is passed to a variable called $email (in PHP, $ signifies a variable; ours is named email and so is written $email).

This $email variable is now passed to the SQL statement which is where the trouble begins.

SELECT * FROM Customers WHERE email = '$email' which, once the variable’s value has been substituted into the string, is read as
SELECT * FROM Customers WHERE email = 'me@pfi-security.co.uk';

The first step for an attacker is an information gathering exercise; this might take the form of a simple SQL string, so imagine this.

If sometext' OR 'x'='x is entered as the email address then the SQL statement becomes:
SELECT * FROM Customers WHERE email = 'sometext' OR 'x'='x';

I’ve run a similar query on a country database table to show you the logic really does work.
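The same logic can be reproduced against a throwaway database. The following is an added example and not code from the original article: it builds a small constructed Customers table in an in-memory SQLite database, runs the article’s query first the way the PHP example does (the $email value pasted straight into the SQL text) and then with the value passed as a separate parameter, and counts the rows each approach returns for the honest address and for the sometext' OR 'x'='x input. The table contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_CUSTOMERS = [
    (1, "me@pfi-security.co.uk", "Me"),
    (2, "alice@example.com", "Alice"),
    (3, "bob@example.com", "Bob"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (id INTEGER, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def build_vulnerable_sql(email):
    """Build the query by string substitution, exactly as '$email' is used in
    the article's PHP example. Whatever the user typed becomes part of the SQL
    text, so a quote character in the input ends the string early and any
    keywords that follow are executed as SQL."""
    return "SELECT * FROM Customers WHERE email = '" + email + "'"


def lookup_vulnerable(conn, email):
    """Run the string-built query and return the matching rows."""
    return conn.execute(build_vulnerable_sql(email)).fetchall()


def lookup_parameterised(conn, email):
    """Run the same lookup with the value passed separately from the SQL text.
    The database compares the whole input as one string; it is never parsed
    as SQL, so the injected OR clause is just characters in an email address."""
    return conn.execute(
        "SELECT * FROM Customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Return the row counts each approach gives for an honest and a hostile input."""
    conn = make_db()
    honest = "me@pfi-security.co.uk"
    hostile = "sometext' OR 'x'='x"   # the input from the article
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "param_honest": len(lookup_parameterised(conn, honest)),
        "param_hostile": len(lookup_parameterised(conn, hostile)),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql("sometext' OR 'x'='x"))
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Running it prints the rewritten statement from the article and shows the string-built query returning every customer for the hostile input while the parameterised query returns none, which is the whole reason the next article’s mitigations matter.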

The attacker may next run scripts against the lost password web page; their main aim is to obtain the database field names and table names, query for weak passwords, gain access to existing accounts, or force database errors that leak more information about the database, all helping them on their way to being richer.

What can be done to prevent attackers getting richer?

In my next article we’ll look at methods to mitigate the risk of SQL injection breaches.

How to Choose a Cloud Provider

This is the final part of the cloud security series; my idea with this article, “how to choose a cloud provider”, is to offer everyone some useful advice to help you pick the right cloud provider for your business.

Cloud assurance framework

Let’s start with the cloud assurance framework from which the questions in this article are derived. It’s self-explanatory, so I’ll say no more.

Cloud Assurance Framework

CIA

The three main principles of information security are easy to remember because of the well-known acronym CIA.

In the world of information security, CIA means:

Confidentiality – hiding information from those not authorised to see it.

Integrity – the ability to ensure the information is accurate and unchanged from the most recently published version.

Availability – ensuring the information is available for those authorised to view it.

I believe CIA is even more important when using the cloud, simply because you have lost direct control of your information. You need reassurance from the cloud provider that the risks to the confidentiality, integrity and availability of your data have been mapped to the relevant security controls and mitigated to a level that is acceptable for your business.

Ask Questions

A questionnaire is a great way of assessing whether a cloud provider is right for your business; the questions which follow are only a sample but should help smaller companies make a calculated decision. If your data is hyper-sensitive, or if you are part of a larger organisation and need support, please contact me to find out more.

If you are a cloud provider it will be well worth investing in Cyber Essentials Plus to reassure your customers that some important security controls have been certified; contact me and I can arrange to get your infrastructure Cyber Essentials hardened and certified.

Legal and Regulatory

These key questions are also useful for individuals or very small companies wishing to use cloud services.

  • In which country is the cloud provider’s registered office?
  • In which countries is the cloud provider’s infrastructure physically located?
  • Are any of the cloud provider’s services subcontracted or outsourced?
  • In which countries is the cloud provider’s subcontractors’ and outsourcers’ infrastructure located?
  • Where will our data be physically located?
  • In which country or countries will the contractual jurisdiction lie?
  • How are our data and our customers’ data collected, processed and transferred?
  • How is our data managed when the contract terminates?

It is also an important consideration that data exported to countries outside the EU could fall under export regulations.

Data and service portability. Customer lock-in

These are also key questions for companies of all sizes; it is important to get this right from the start to ensure you keep control of your data and are able to change provider at any time within the terms of your contract.

  • Does the cloud provider have documented procedures and database structures or APIs to be able to export data from the cloud?
  • Does the cloud provider have documented procedures and database structures or APIs to be able to import data to the cloud?
  • Do these procedures allow for the data export to be transferred in encrypted form and then deleted from the cloud provider’s infrastructure?
  • Is the exported data in a relational format where it can be migrated to another cloud provider?
  • Can the client perform their own import and export of the data?
  • Can user created applications be exported in a ready to deploy format?

Personnel security

  • What pre-employment policies and procedures do you have in place?
  • What recruitment policies and procedures do you have in place?
  • What leaving policies and procedures do you have in place?
  • Are there different policies in place for staff who manage sensitive and confidential data?
  • Is there a security awareness training programme in place for all staff?

Operational security

  • What is your remote access policy?
  • What controls do you have in place to prevent malicious code?
  • What are your data backup and recovery procedures?
  • What audit logs are available to be used in the event of a security incident?
  • Do you carry out penetration tests before a new release of your software?

Identity and access management

For this article there are too many questions to list; it is better to contact me for further advice on how to manage identity and access.

The questions are related to account authorisation, account de-provisioning, checking the identity of accounts at registration, protecting the user account directories, key management, encryption, authentication and security monitoring.

Cloud Provider supply-chain assurance

  • What services are outsourced or subcontracted that are key to the security of your operations?
  • What are your procedures for your third party suppliers to access your infrastructure?
  • Do you perform supplier audits?
  • Are there any SLAs in place with your providers which offer less than you offer your customers?
  • Does your security policy apply to third party providers?

Lots more questions!

There are many questions to be asked in these areas of the framework; for small companies I recommend you ask one question:

  • Are you ISO27001 certified? If yes, please send me a copy of your certificate.

You need to ask for the certificate because it states the scope of the certification, and the cloud provider’s scope may be limited in a way that does not cover the service they provide to you.

ISO27001 control references for these parts of the framework:

  • Physical and environmental security – ISO27001 A.11
  • Asset management – ISO27001 A.8
  • Business Continuity Management – ISO27001 A.17

If you are a cloud provider of any size without ISO27001 certification please contact me to arrange an appointment to discuss the scope of the project and how our ISO team can help.

A security tip for your WordPress website

If for some reason your WordPress website has not been updated to the latest version of WordPress, you could be vulnerable to a breach.

WordPress security tip

WordPress is very happy to show the world its version information, which at the time of writing is 4.3.1. This version information can be seen by viewing the HTML source in your browser.

Unfortunately, since you can see the version info, so can unwanted web crawlers. If the version is not the most recent, this makes your website vulnerable, since a potential hacker now knows two things:

  • Your WordPress version is not up to date
  • The exact vulnerabilities, because these are advertised in the new version’s release notes.

Your site could now be a target for malicious attack!

It would be useful if the WordPress version on your site was not advertised to the world, and indeed there are plugins which help solve this issue. One such plugin is Meta Generator and Version Info Remover; if after activation your web pages still show the version, a little extra work is needed with the plugin to identify the offending script and remove the version from view.
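To check your own site after installing such a plugin, it helps to know exactly where WordPress writes its version into a page. The following is an added example, not code from the article or from the plugin it mentions: it parses a page’s HTML and reports the two usual places the version appears, the <meta name="generator"> tag in the page head and the ?ver= query string that WordPress appends to enqueued scripts and stylesheets (the “offending script” the article refers to). The two HTML snippets are constructed for the demonstration, as is the fetch_and_check helper, which you would point at your own site.

```python
import re
import urllib.request
from html.parser import HTMLParser


class VersionLeakFinder(HTMLParser):
    """Collect the places where a page advertises a version string."""

    def __init__(self):
        super().__init__()
        self.generator = None   # content of <meta name="generator">, if present
        self.ver_params = []    # (tag, url, version) for ?ver= query strings

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        url = None
        if tag == "script":
            url = a.get("src")
        elif tag == "link":
            url = a.get("href")
        if url:
            m = re.search(r"[?&]ver=([^&#]+)", url)
            if m:
                self.ver_params.append((tag, url, m.group(1)))


def find_version_leaks(html):
    """Return a list of (where, detail) pairs for every version leak in the HTML.
    An empty list means the page no longer advertises a version."""
    p = VersionLeakFinder()
    p.feed(html)
    p.close()
    leaks = []
    if p.generator:
        leaks.append(("meta-generator", p.generator))
    for tag, url, _ in p.ver_params:
        leaks.append((tag + "-ver", url))
    return leaks


def advertised_versions(html):
    """Return the distinct version strings the page exposes. Note that ?ver= on a
    plugin or library asset carries that component's version, not necessarily
    WordPress core; the generator tag is the one that names core directly."""
    p = VersionLeakFinder()
    p.feed(html)
    p.close()
    versions = set(v for _, _, v in p.ver_params)
    if p.generator:
        m = re.search(r"WordPress\s+([0-9][0-9.]*)", p.generator)
        if m:
            versions.add(m.group(1))
    return versions


def fetch_and_check(url):
    """Fetch a page you own and return its leaks (hypothetical helper; the
    demonstration below uses constructed HTML instead of a live request)."""
    with urllib.request.urlopen(url) as resp:
        return find_version_leaks(resp.read().decode("utf-8", "replace"))


# Constructed HTML resembling a default WordPress head before the plugin.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 4.3.1" />
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=4.3.1" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>
</head><body></body></html>"""

# Constructed HTML for the same page with the version removed from view.
CLEAN_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/example/style.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, html in (("before", LEAKY_HTML), ("after", CLEAN_HTML)):
        print(label, find_version_leaks(html), advertised_versions(html))
```

If the generator tag is gone but advertised_versions still returns the core version, a theme or plugin asset is still being served with ?ver= set to the WordPress version, which is the extra work with the plugin that the article describes.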