Tuesday, September 7, 2004

SQL Injection Signature Evasion

SecuriTeam has a paper discussing how to structure your SQL injection to evade IDSs. Of course, if you're doing things properly, your network only allows a few specific IPs to connect to your SQL server and you should closely watch those (HIDS, NIDS, malicious code scanners, etc.). Your CGI or PHP code should also limit acceptable input to a specific set of characters and never pass user input straight into a query.
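An added example, not from the SecuriTeam paper or this post, of that last point in Python with sqlite3 rather than CGI/PHP: the raw-concatenation query beside a version that allow-lists the input characters and binds the value as a parameter. The table, the usernames and the hostile input are constructed for the demo; the point is that neither defense depends on recognizing the shape of an attack string, which is exactly what signature evasion exploits.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


# Allow-list: the only characters a username may legitimately contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(value):
    """True only if the whole string is made of allowed characters."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_vulnerable(conn, username):
    """The input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The driver binds the value as data; it can never become SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_hardened(conn, username):
    """Allow-list first, then bind: bad input is refused before any query runs."""
    if not validate_username(username):
        raise ValueError("username contains disallowed characters")
    return lookup_parameterized(conn, username)


def demo():
    """Returns (rows leaked by concatenation, rows from binding, allow-list verdict)."""
    conn = make_db()
    hostile = "x' OR 'a'='a"          # constructed input; no such user exists
    leaked = lookup_vulnerable(conn, hostile)        # every row comes back
    bound = lookup_parameterized(conn, hostile)      # nothing matches the literal
    return len(leaked), len(bound), validate_username(hostile)
```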

Just keep in mind the general rules of thumb for security:

  • It's not "if" someone is going to break in, it's "when"...
  • in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
  • there's no such thing as a secure online system...
  • and adding technology rarely adds security.

The general rules of thumb for countering attacks:

  • Log as much as practical
  • review your logs automatically AND manually
  • employ a consistent backup schedule
  • use your metrics, be able to recognize what's normal and what isn't
  • the most expensive investment in security is also the one you'll get the best return on: knowledge

Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.

Apologies for turning it into a rant.
