Cybercriminals use SQL injection to target both external websites and internal databases when seeking data for identity theft and other black market activities, GreenSQL said. Public websites are vulnerable to SQL injection attacks, but so are internal collaborative sites, as shown by the recent assault on the internal Nokia developer application, the company warned.
David Maman, chief technology officer of GreenSQL, said that SMBs are increasingly the target of SQL injection attacks, while large companies are seeing a decline in attacks, according to the most recent Verizon Data Breach Investigations Report.
“Large organizations can afford advanced solutions that cost a lot of money, while the SMBs are just starting to become aware of how big a threat” SQL injection is, Maman told Infosecurity.
Close to one-third of the SMBs surveyed are most concerned about internal threats to their databases, such as unauthorized database access, database administrator errors, and data exposure to nonprivileged users.
While developers, administrators, and customer service representatives all need data access, they should have different access privileges, the company explained. In addition, data protection covers threats from both employee theft and error. Coordinating database access control and command permissions can significantly reduce data loss from errors while lowering the cost to repair any that remain, GreenSQL added.
“Smaller organizations can’t afford an in-house database administrator…. So they outsource to maintain their database. Once a database administrator is connected to the network, he can do whatever he wishes with the database”, Maman explained.
Around 18% of SMBs are most concerned about regulatory compliance related to database security, the survey found.