As a business owner, or as the owner of an online ecommerce website, you should be aware of (and very wary of) attacks that could be committed against your servers. Remember that there are hackers on the prowl who will be ready to steal data from you if they catch you unawares; this is not a theory, it is a fact.
If you have been lucky enough to avoid any attacks so far, then you can mark it down to sheer luck or the fact that you do not have data or information that the bad guys have deemed valuable or worth the risk and time – and not because you have managed to completely shut them out.
With that having been said, we will have a look at one of the most efficient and successful ways that hackers can get into your server: using an indirect attack.
What are Indirect Attacks?
First, direct attacks are hacks carried out against a network using exploits that take advantage of its vulnerabilities. The aim here is to gain access either to integral parts of the network or to critical information that can then be used to launch indirect attacks.
A good example would be exploiting a website’s vulnerabilities to gain access to things like usernames, passwords, email addresses, etc. (These help facilitate the next step). In real life, it would be like a thief banging on your door (or using some tools) to gain access to your home.
Now, these attacks are usually followed by indirect attacks, which aim at extracting data other than what can be gleaned from the website itself (meaning heading deeper into your network and on to your servers). Here, combinations of queries and scripts are used (usually incorporating the information obtained in the first attack) with the intent of overcoming security barriers and fooling your system.
The main difference is that in an indirect attack the information is obtained from (or about) the target without attacking it directly. Another way of putting it: a database is tricked into answering queries for sensitive information because those queries pose as legitimate ones.
In the real life example that was mentioned earlier, it would be like the thief knocking on your door and asking you if you had any old lamps that you would like to exchange for new ones. You, not knowing the true value of the lamp and thinking he was a true trader – with no ulterior motives regarding the knowledge of the genie it holds within – would hand your old lamp to him.
What Methods are used in Indirect Attacks?
A basic example of how data can be extracted from a database using an indirect method is the injection of scripts. A SQL server can be tricked into relinquishing its data by a program that sends it crafted queries. It should be noted here that there is no problem with the database itself but rather with the weak way the application checks and authorizes what it passes on to the database.
A program is used to trick the database into performing a task. Let us say your website sells lamps and people can query the types of lamps you have to offer. A typical call to the database would be:
SELECT * FROM lampDB WHERE description = 'lamp';
But if a hacker were to type the following into the search field instead:
lamp'; DELETE FROM lampDB; --
The query would become:
SELECT * FROM lampDB WHERE description = 'lamp'; DELETE FROM lampDB; --'
The closing quote ends the search term early, the semicolon starts a second statement, and the trailing "--" comments out whatever the application appends. Since the injected DELETE has no WHERE clause, every row in your lampDB table would be wiped out. Note here that the hacker would need to know that your table name is "lampDB" – information they would get using a direct attack.
Similarly, the code could be altered to extract other information – like prices, who purchased what, etc. – if it is stored on the database.
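The two ways of building that lamp search, side by side, as an added example that is not part of the original article: the vulnerable version pastes the search term into the SQL text, the safe version passes it as a parameter. The table and rows are constructed here using Python's built-in sqlite3 module; the table name lampDB is taken from the article, everything else is assumed.

```python
import sqlite3


def make_db():
    """Constructed sample data: a lamp shop's table, including a row that a
    public 'lamp' search should never return."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE lampDB (id INTEGER PRIMARY KEY, description TEXT, price REAL)"
    )
    con.executemany(
        "INSERT INTO lampDB (description, price) VALUES (?, ?)",
        [("lamp", 20.0), ("lamp", 35.5), ("genie lamp", 9999.0), ("candle", 3.0)],
    )
    return con


def search_vulnerable(con, user_input):
    # Builds the statement by string concatenation, exactly like the article's
    # example: whatever the user types becomes part of the SQL itself.
    sql = (
        "SELECT description, price FROM lampDB "
        f"WHERE description = '{user_input}' ORDER BY id"
    )
    return con.execute(sql).fetchall()


def search_safe(con, user_input):
    # Parameterised query: the driver sends the value separately from the SQL
    # text, so quotes or semicolons in the input can never change the statement.
    sql = "SELECT description, price FROM lampDB WHERE description = ? ORDER BY id"
    return con.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    # A search term that closes the quote and appends an always-true condition.
    payload = "lamp' OR '1'='1"
    print(search_vulnerable(con, "lamp"))   # the two plain lamps, as intended
    print(search_vulnerable(con, payload))  # every row in the table leaks
    print(search_safe(con, payload))        # empty: no product has that literal name
```

Python's sqlite3 driver refuses to run more than one statement per execute() call, so the article's stacked DELETE payload would be rejected by this particular driver; the tautology variant above shows the same root cause, and the parameterised query is the fix rather than any driver quirk.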
Another method, often referred to as the "watering hole technique", is an attack in which the hacker compromises a website its targets are known to visit by inserting an exploit that results in a malware infection or a Trojan being planted on the visitor's system.
What is even more dangerous is that websites infected using this method can then pass the infection on to (or open the doors to) websites that are connected to or visited from or through them. The effectiveness of this attack is shown by the fact that large companies like Facebook, Apple and Twitter have all been hit using this method.
What Can I do to prevent Such Attacks?
As mentioned earlier, indirect attacks are possible because of weak programming and authentication mechanisms rather than flaws in the databases or operating systems themselves. Therefore, the best way to prevent such attacks is to make sure that the code written behind your sites is up to par.
Next, you should always make sure your software and applications are regularly updated.
Finally, you should make sure you use access control mechanisms that authenticate clients that are trying to access your data. Mandatory Access Control (MAC), Discretionary Access Control (DAC) and Role-Based Access Control (RBAC) are all models that let you determine who can come in and access your data. Making use of them will ensure you have a tight grip on the queries coming into your databases.