The cost of SQL Injection

Last week, Dan Goodin of ArsTechnica published an article exposing a recent incident of a hacking group named “Team Digi7al,” which got shut down after one of their members was caught breaking into the Navy’s “Smart Web Move” web application. The result of this breach was the loss of over 220,000 service members’ personal information from the Navy’s database. The attack vector itself was, surprise surprise – SQL Injection.
A while ago, I wrote an article responding to a Dark Reading post about an IPS statistics report, showing over 10 years of attack mitigation data. In that report there was one big missing data point — application attacks. The report took a look at over 10 years worth of data, and most web application attacks, including SQL Injection (SQLi) and others flew under the radar. Unfortunately, without the proper controls, most still do.
The latest Verizon 2014 data breach investigation report revealed how web application attacks are on the rise, and even went so far as to say “Web applications remain the proverbial punching bag of the Internet.” That was definitely a bold statement, but one that we most certainly agree with them on.
What is the cost of SQL Injection?
With web application attacks on the rise, we can’t help but stop and really think about the cost of a SQLi.
In the ArsTechnica article, Goodin mentions that the Navy spent over $500,000 to deal with this specific incident. While the sum might seem sky-high to some readers, NTT’s 2014 GTIR report reveals the unfortunate truth – “[the] cost for a minor SQL injection attack exceeds $196,000.”
The $500K that the Navy spent to deal with this specific SQLi is certainly a hefty price to pay for an attack vector that was solved by web application security technologies ; however due to lack of awareness and application security – that vector is still a moneymaker for hackers.
State of the game
The truth is, SQLi is far from a problem of the past. It’s still an easy to exploit attack vector to steal information, and often does not require advanced technical skills to perform. In fact, SQLi is so effective that advanced attackers are building automated attack botnets using SQLi automation tools to either break into or onboard new zombies to their botnet.
Via our Community Defense service, we took a closer look at SQLi.  We sampled data from the last 30 days that included 300,000 attack campaigns that occurred globally. The sample showed us that 24.6% of all attacks were in fact SQLi attacks.
We know that SQLi isn’t going anywhere anytime soon, and web application attacks are a real threat that can cost upwards of $200k to manage. Education and deploying the necessary mitigation tactics to prevent an attack should be top of mind for everyone – it’s certainly one step to avoid a breach.
Where can you learn more?

• An article discussing the dynamics of SQL Injection and how to effectively mitigate it, here.
• An article dissecting SQL Injection automation tools used by hackers, here
• Our Hacker Intelligence Initiative Report on the anatomy of SQL Injection attack, here