
Scholarly Journal 2: The Adam and Eve Paradox:

Kraft, Michael; Rohret, David; Vella, Michael; Holston, Jonathan.International Conference on Information Warfare and Security; Reading : 275-VIII. Reading: Academic Conferences International Limited. (2013)

Abstract: Individuals working in the Information Technology (IT) industry are familiar with Moore’s Law and its guiding principle: exponential improvement every 18-24 months where computer technology is concerned (Brock, 2006). This principle has proven generally accurate and is routinely used for long-term planning by the computer industry, which has led to an explosion in computing power and technologies that have catapulted computing into every aspect of human life in the 21st century. However, while new technologies increase the quality of life for the current generation, they also provide avenues for nefarious individuals to take advantage of others using those same technologies. To help counter this, the IT industry has made great strides in its efforts to protect users by developing security appliances, including firewalls, intrusion detection systems, encryption, passwords, two-factor authentication methods, and a layered approach to security, to name just a few. It is because of this effort by the IT industry to protect users that the authors have identified unique cyber attack trends, which could be referred to as a new “Moore’s Law” as it pertains to cyber security. As computer technologies become more sophisticated and robust, malicious actions have become less sophisticated, and in many instances cyber exploitation and attacks occur without the use of technology. The authors have penned this concept as the “Adam & Eve Paradox”. The paradox construct is that, as technologies improve and network perimeters are hardened to prevent direct attacks against systems, users and systems are being exploited at an exponentially increased rate by methods contrary to the technological improvements. Cyber criminals and hackers will always first attempt attacks against the easiest targets, known as the low-hanging forbidden fruit described in the biblical Adam & Eve story.
While the IT industry continues to spend billions of dollars (US) annually to create appliances and develop software to protect its resources, data, and users, attackers are increasingly focusing their attention on the lowest-hanging fruit, from an unsuspecting user who clicks a link in an email to a helpful administrator who provides information to a false authority. As the IT industry moves in the direction of complex defensive tactics, attackers are moving towards less complex – softer – targets that are more difficult to detect, block, and mitigate. It is the authors’ intention to define and substantiate the “Adam & Eve Paradox”.

Security Professionals: As hackers increase their capability through automated tools and technologies, network security personnel have become more sophisticated. In the early days of information technology (IT), the system administrator was usually responsible for maintaining computers and network resources and for ensuring the security of each device. In today’s IT realm, companies hire security experts who are solely responsible for the security of computers and networking devices. Network compartmentalization has become a necessity to combat a hacking community comprised of novice to expert practitioners.

The lowest-hanging fruit as it pertains to web servers is SQL injection. SQL injection defined: “It is the vulnerability that results when you give an attacker the ability to influence the Structured Query Language (SQL) queries that an application passes to a back-end database. By being able to influence what is passed to the database, the attacker can leverage the syntax and capabilities of SQL itself, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database. SQL injection is not a vulnerability that exclusively affects Web applications; any code that accepts input from an untrusted source and then uses that input to form dynamic SQL statements could be vulnerable” (Clarke, et al., 2012).
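The distinction the quoted definition draws, between input that forms the SQL statement and input that is merely a value bound to it, as an added illustration that is not from the paper: the first lookup splices the untrusted string into the query text, the second binds it as a parameter so it can never be read as SQL syntax. The table, rows and inputs are constructed for the example; the back-end database is an in-memory SQLite instance standing in for the database behind a web front end.

```python
import sqlite3

def build_db():
    """Constructed sample back-end database (not from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn

def lookup_dynamic(conn, username):
    """Vulnerable pattern from the definition: untrusted input is concatenated
    into the statement text, so the input can alter the statement's syntax."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Hardened form: the statement text is fixed at development time; the
    input is passed as a bound value and is only ever compared, never parsed."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def compare(username):
    """Run both lookups against a fresh database and return (dynamic, parameterized)."""
    conn = build_db()
    try:
        return lookup_dynamic(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()

if __name__ == "__main__":
    # Ordinary input: both queries agree.
    print(compare("alice"))
    # Input carrying SQL metacharacters, as a web form field might deliver it:
    # the dynamic query's WHERE clause becomes a tautology and returns every
    # user, while the parameterized query simply finds no such username.
    print(compare("x' OR '1'='1"))
```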

As reported by the Web Hacking Incident Database 2007 annual report (Shezaf & Teams, 2007), SQL injection accounts for 20% of all attacks against web servers. Figure 5 below shows the top 10% attacks recorded in this report.

According to the same annual report for 2008 (Barnett, 2008), SQL injection jumped to 30%, as depicted in Figure 6 below.

This is significant because most web sites that offer services usually have some kind of input field linking the front-end user interface to a back-end database server. The back-end database server is more secure and often unreachable from external communications; however, there is a trusted relationship that allows communications to occur between the front-end web site input fields and the database. This is also significant because if organizations are to make a profit or provide some sort of service to the public, they will need to have these resources available on the internet. Attackers know this and will always target these resources rather than trying to get inside the perimeter, as discussed earlier.

To further demonstrate the widespread use of SQL injection, an InformationWeek report breaks down web site attacks and also highlights SQL injection as the most used attack type. Figure 7 from this report demonstrates this fact (Prince, 2012).

5. Why attackers choose the low hanging fruit:

The low-hanging fruit identified in this paper will always be the path of least resistance. Attackers will not often waste time, energy, or resources taking on the expensive, highly technical appliances being put in place by organizations. It is human nature to find the path of least resistance in order to reach one’s goals. Advanced security appliances are being used to deter and reject direct attacks against an organization’s critical infrastructure, but the attackers do not face these appliances when less security-focused employees are freely opening malware-filled e-mails, clicking on malicious links on random web pages, and downloading third-party software without approval.

6. Summary:

As organizations fight to protect their cyber assets, they continue to spend a large portion of their IT budget on security appliances, out-sourced security professionals, and liabilities. The process of defending network assets and the data they contain has led the IT market to produce highly specialized and capable appliances that have made it difficult for attackers to remotely exploit and compromise networks. These appliances and the resources required to maintain an experienced IT security work force are a necessary component of the layered security approach. Organizations must continue to invest in emerging security technologies to remain protected against future waves of innovative attacks by cyber criminals and hackers.

One result of this aggressive defense is that cyber criminals and hackers are resorting to less technical avenues and using the human factor or low-risk web-based attacks (lowest hanging fruit), in order to accomplish their goals. These vectors of attack include social engineering, social network manipulation, phishing/spear phishing, self-propagating malware, and web server SQL attacks. As computer technologies become more sophisticated, malicious actions become less technical, and in many instances, cyber exploitation occurs using only social engineering methods. Therefore, as network security expenditures on security appliances and out-sourced consulting requirements increase, the cost of a network attack has decreased, creating what the authors have coined as, “the Adam and Eve Paradox”.

References:

Barnett, R., 2008. The Web Application Security Consortium / Web Hacking Incident Database 2008 Annual Report. [Online] Available at: http://projects.webappsec.org/w/page/27087349/Web%20Hacking%20Incident%20Database%202008%20Annual%20Report [Accessed 30 September 2012].

Brock, D., 2006. Understanding Moore’s Law: Four Decades of Innovation. 1st ed. Philadelphia: Chemical Heritage Foundation.

Clarke, J. et al., 2012. SQL Injection Attacks and Defense, Second Edition. 2nd ed. Waltham: Syngress Publishing.

Cross, T., 2012. IBM X-Force Trend & Risk Report Shows Progress Against Security Threats But Attackers Adapt. [Online] Available at: http://asmarterplanet.com/blog/2012/03/ibm-x-force-trend-risk-report-shows-progress-against-security-threats-but-attackers-adapt.html [Accessed 26 October 2012].

Dinan, M., 14 April 2009. Taxpayers Beware: Cyber-Criminals Seek to Intercept IRS Filings. [Online] Available at: http://siptrunking.tmcnet.com/topics/security/articles/54168-taxpayers-beware-cyber-criminals-seek-intercept-irs-filings.htm [Accessed 15 November 2012].

Hadnagy, C., 2011. Social Engineering: The Art of Human Hacking. 1st ed. Indianapolis: Wiley Publishing Inc.

Harper, A. et al., 2011. Gray Hat Hacking: The Ethical Hacker’s Handbook, Third Edition. 3rd ed. s.l.: McGraw-Hill Companies.

Howard, D. & Prince, K., 2011. Security 2020: Reduce Security Risks This Decade. Indianapolis: Wiley Publishing, Inc.

Krasnow, M. J. & Dorsey & Whitney LLP, 2012. IRMI.com: Cyber Threats Contributing to Breaches. [Online] Available at: http://www.irmi.com/expert/articles/2012/krasnow01-cyber-privacy-risk-insurance.aspx [Accessed 30 September 2012].

Lindberg, C. A., 2010. New Oxford American Dictionary. 3rd ed. USA: Oxford University Press.

Osisecurity.com.au, 2012. Web Application Security Testing / OSI Security. [Online] Available at: http://www.osisecurity.com.au/solutions/web-app-security-testing [Accessed November 2012].

Prince, B., 2012. InformationWeek Reports: Strategy: How Attackers Find and Exploit Database Vulnerabilities. [Online] Available at: http://reports.informationweek.com/abstract/21/8851/Security/strategy-how-attackers-find-and-exploit-database-vulnerabilities.html [Accessed 30 September 2012].

Research, D., 2011. Social Engineering Survey. [Online] Available at: http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf [Accessed September 2012].

Sadeh, N. M. a. P., 2012. Why Phish Should Not Be Treated as Spam / Dr Dobb’s. [Online] Available at: http://www.drdobbs.com/security/why-phish-should-not-be-treated-as-spam/240001777 [Accessed 30 September 2012].

Schneier, B., 2008. Schneier on Security. Indianapolis: Wiley Publishing Inc.

Shezaf, O. & Teams, B. S. L., 2007. The Web Hacking Incidents Database Annual Report 2007. [Online] Available at: http://projects.webappsec.org/w/page/13246990/Web%20Hacking%20Incident%20Database%202007%20Annual%20Report [Accessed 30 September 2012].

Author Affiliation:

Michael Kraft, David Rohret, Michael Vella and Jonathan Holston

Computer Sciences Corporation, Inc., San Antonio, USA

mkraft5@csc.com

drohret@ieee.org

mvella3@csc.com

jholston@csc.com

Author Affiliation:

Jonathan L. Holston, CSC, Inc. Joint Information Operations Warfare Center (JIOWC). Mr. Holston served in the US Air Force as a vulnerability analyst assigned to the National Security Agency. His research interests include identifying third-world adversarial attack methodologies on communication networks and satellite communications and their associated vulnerabilities.

Michael E. Kraft, CSC, Inc. Joint Information Operations Warfare Center (JIOWC). For more than ten years Mr. Kraft has been deeply involved with Information Assurance and network security. He holds a Master of Science in Information Assurance degree from Capitol College of Maryland. Mr. Kraft is a Certified Information Systems Security Professional (CISSP).


Copyright Academic Conferences International Limited 2013
