Database attacks to increase in 2007
By Rene Millman
IT managers should focus on securing databases from internal and external threats as spam and phishing are no longer major concerns, according to a database security expert.
Paul Davie, chief executive of data security company Secerno, said that the security sector has now come to terms with the fact that they are dealing with highly financially motivated, technologically advanced and professional database infiltrators.
"The years of spam and simple phishing scams targeted at the naïve PC user are no longer our major concern. Any company that stores data needs to shift its focus inwards," he said.
He said that this year saw many attacks on confidential financial data.
"Emails lured online bankers to provide their logins, passwords and account details, only to become victims of fraudulent activity or a complete loss of funds. Employees were blackmailed or bribed to download data for criminal gangs," said Davie. "Banks' websites were duplicated to provide a false sense of security and even NHS data was delved into, as Tony Blair's medical records hit the headlines."
He said that next year the increased popularity of online banking will continue to attract the criminal fraternity.
"Thankfully, a combination of recent high profile breaches and forthcoming legislative requirements, such as the PCI framework, is driving attention to the implementation of effective data security," he said.
Davie warned that the UK's new Integrated Children's System, a data system containing details of all of the nation's vulnerable children, would be a prime target for paedophile hackers when it goes live.
"Two questions spring to mind: will the first big story be of an external hack into the system or an authorised user abusing their access rights to find their targets? And, who will be hung out to dry: the poor soul responsible for specifying the system's security, or the politician who thought this was a good idea in the first place?"
He also said that SQL injection attacks, where a user input is not checked to see if it is valid, would sharply increase. "SQL injection attacks have been increasing at a rate of more than 250% per year for the last few years. In 2007, SQL injection will be recognized as the number one attack vector on internet-facing systems," said Davie.
But he warned that companies have to be on guard against internal threats. Recent statistics from the Secret Service and CERT show that 86 per cent of computer sabotage is done by knowledgeable IT staff within the organisation.
"Enhanced internal attacks will continue to thrive as organised criminal gangs plant employees inside businesses," he said. "Expert penetration testers see success rates of targeted attacks on databases approach 100 per cent, when initiated from inside the organisation."