Thursday, March 12, 2009

SQL Injection #1 attack vector

The new WHID report notes that SQL Injection was the #1 attack vector in 2008. One interesting snippet from the report is shown below, it shows that the #2 attack vector is "unknown". What does it tell us? The organizations that reported the incident had no clue how the incident happened and the number one reason for that could be that there is no instrumentation to look at the attack traffic and malicious behavior. Monitoring is the key here, good logging and understanding the normal behavior of business related traffic goes long way in understanding the threats and identifying incidents. Another reason for this could be the inability of the internal staff to identify attack vectors and decode malicious traffic.

Attack / Vulnerability Used %
SQL Injection 30%
Unknown 29%
Cross-Site Scripting (XSS) 8%

The full report is available here