Small business protection for ASP.NET websites

Are you being attacked? Find out.

Free Notifications Forever!

You may not know it, but you are under attack!

Hackers around the world unleash hundreds of thousands of web robots that relentlessly attack small and large websites alike. These bots don't sleep, and they won't stop until they either succeed or get blocked.

Most businesses, small and large alike, discover this fact only after their data has been hacked.

SQL Injection is the most common attack vector for hackers attempting to steal sensitive data from database-enabled websites and/or from the individual visitors of such websites.

OWASP rates Injection as the #1 top web application security risk for 2013.

Below are summaries of some of the top data breaches that occurred during 2011 and 2012 as reported by TeamSHATTER, the leading database threat resource.

You may be shocked by some of the prominent victims. The damage can be very costly.

Sony – "Over 100M records were stolen across more than 20 separate incidents. These were persistent and ongoing attacks, with systems compromised via SQL Injection. It seemed as if the attackers would stop at nothing to get in."

Valve's Steam Network – "The Steam Network attack was one of the biggest and resulted in the loss of their entire customer database. That database contained usernames, passwords (hashed), billing history, billing addresses and encrypted credit card numbers from all 35,000,000 of their customers."

LizaMoon – "LizaMoon was a successful mass SQL Injection attack against ASP and ASP.NET Web servers. Attackers used SQL Injection to inject malware (in this case fake AV) into databases serving up a Web site's content. The attack successfully embedded redirect scripts into more than 1M Web pages across tens of thousands of different sites."

Epsilon – "Hackers were able to obtain information on at least 50 of Epsilon's customers (companies like Target, JP Morgan, TiVo, and customers like you and me), with a total number of people affected well into the 10s of millions."

Citibank – "Even the most technologically sophisticated organization can suffer from process deficiencies that can create a false sense of security and expose systems to attacks. Citi disclosed in 2011 that about 1% of their account holders' names, addresses and contact info had been stolen. In plain numbers, that's the sensitive data of 200,000 people."

Stratfor – "Databases at intelligence and forecasting company Stratfor were penetrated and summarily cleaned out. The customer list alone was valuable and interesting information that one might have expected a company like Stratfor to be capable of protecting."

Global Payments – "In March 2012, electronic transaction processing provider, Global Payments, disclosed a data breach of 1.5 million credit cards."

Zappos – "In January, the online retailer, owned by Amazon, disclosed the largest breach of 2012 with 24 million customer records compromised. Customer records included names, shipping and billing addresses, email addresses, phone numbers, and passwords, last 4 digits of credit card numbers, and other information. The specific attack vector was never disclosed, but the attack was perpetrated by an outside attacker who gained access through a Zappos server in Kentucky, where the retailer's warehouse is located. More than likely, Zappos was running a web application that was vulnerable to SQL Injection."

Yahoo – "In 2012 an attacker claimed to have used simple UNION-based SQL Injection to steal 450,000 user records."

Nationwide Insurance – "One of the ten largest US insurance companies recently disclosed a Dec 2012 breach of 1.1 million records. Compromised data included names, social security numbers, driver license numbers, birth dates, marital status, gender and employer name/address. Ponemon Research estimates the cost of a data breach to be around $300 per record when hacking is involved. According to this formula the breach cost Nationwide $330 million."

The Threat is Pervasive!

  • According to published reports, analysis of the Web Hacking Incidents Database (WHID) shows SQL injections as the top attack vector of all security breaches examined by WHID.
  • Similarly, in the "Breach Report" released by 7Safe®, a whopping 60 percent of all breach incidents examined involved SQL injections.

Reuters, Aug 7, 2012 –

Imperva, Inc. (NYSE: IMPV), a pioneer and leader of a new category of data security solutions for high-value business data in the data center, released today the results of the third Imperva Web Application Attack Report (WAAR), which reveals that the median annual attack incidents on the 50 Web applications observed was 274 times a year, with one target experiencing more than 2,700 attack incidents.

According to the report, the average attack incident for the observed Web applications lasted seven minutes and 42 seconds, but the longest attack incident lasted an hour and 19 minutes. SQL Injection remains the most popular attack vector.

During 2012, we saw an increase of 45% over 2011 in the number of breaches disclosed!

Ubiquitous Exposure

Because of the open nature of the web, users are exposed to hacking of all types. Hundreds of millions of personal computer users protect themselves against viruses, spyware, and other malicious software by using popular products, such as Norton™, McAfee®, Trend Micro™ and others. These products put up a barrier of defense with firewalls, virus scanning patterns, and spyware detection, but do not protect your business applications from SQL Injection attacks.

Business applications, including eCommerce and CRM sites, have a different problem. The very act of conducting business over the internet in order to sell to customers, service customers, and interact with customers exposes the database to the internet! Simply put, by its very exposure, the database is vulnerable.

Data-driven business applications, regardless of type, are coming under attack more and more often. And because of the high target value of database content, databases are subjected to increasingly sophisticated attacks by hackers and criminals alike. Unfortunately, security products commonly used for protection, such as firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems), are completely ineffective against an attack on the database, because the attacks are embedded within ordinary HTTP requests and simply pass through IDS/IPS undetected, on the industry-standard HTTP ports that must be left open to the internet.

An Ounce of Prevention is Worth Ten Pounds of Cure!

You will be attacked; it's nearly a statistical certainty. Don't be caught unprepared, forced to search for shelter during the storm. Protect your small business from the unthinkable, now.

Install SQL Injection Shield™ today. Our free monitoring license will alert you to real-time attacks, allowing you to take immediate action. Better yet, our affordable Shield license can take immediate action for you and block the threat before it has the opportunity to create havoc.