Previous posts have defined SQL Injection attacks and shown how these attacks work against web applications. SQL Injections are nothing to take lightly. They are part of the number one threat defined by OWASP and rank number two on the CWE/SANS Top 25 list.
Unfortunately, research has shown that businesses just don’t take web application security seriously enough. For those who continue to ignore vulnerabilities that face web applications, the end result can often be costly. Just ask Montana-based broker-dealer D.A. Davidson & Co. who was ordered to pay $375,000 after the Financial Industry Regulatory Agency (FINRA) found them to be neglectful in protecting the personal data of 192,000 of its clients. The data, which resided in a database on a Web server, was compromised as the result of a SQL Injection attack launched by Latvian cyber criminals.
The events that unfolded in this case model what happens when no action is taken. The attack, which occurred on December 25, 2007 was preceded by an audit 18 months earlier that suggested the firm upgrade their computer security. D.A. Davidson & Co. did make some upgrades to their security, their web facing applications were left wide open to the point that the database was never encrypted nor was the default password changed leaving it blank.
I am sure they paid quite a bit of money for the security audit. Code reviews, audits, and penetration tests are quite pricey. As to why they would put out even a minimal amount of money and then ignore all of the suggestions is beyond comprehension, but it is something that happens every day.
The D.A. Davidson & Co. situation, and the many others like it, amaze me. In a society where data is considered a commodity, the warehouses for this high-priced treasure are under constant attack. Yet even knowing this, as D.A. Davidson & Co. clearly did, companies still neglect to do anything to protect their customers’ personal and financial information.
Times are tight right now. Companies find themselves steering clear of projects that have little or no Return on Investment. Unfortunately, they aren’t spending enough to even protect their investments and that is costing them heavily. Sure security solutions may seem costly but to pay over $300,000 to be told you’re vulnerable a second time, well that just doesn’t seem to make much business sense.