Delivering the keynote speech at the (ISC)2 conference on 'who's looking at your vulnerabilities – protecting your organisation from current and future threats', IBM ISS technical manager James Rendell, claimed that there had been an 'absolute explosion' in SQL injections. He also said it was interesting that the conference was focussing on vulnerabilities at a time when zero-day attacks were so prevalent.
Rendell asked the delegates to consider what it was that the attacker wanted. He said: “The attacker wants an attack to work on as many systems as possible, for them to not be patched and to be simple to exploit.”
He claimed that, as attack techniques, SQL injection and cross-site scripting are simple and relatively likely to work regardless of the target's operating system or buffer overflow protection.
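The point Rendell is making is that SQL injection sits above the OS and memory-protection layer: it succeeds whenever user-supplied text is concatenated into a query, on any platform. The following is an added example written for this article (not code from IBM ISS, (ISC)2 or the speaker) using an in-memory SQLite database with constructed sample rows. It places the vulnerable lookup beside its parameterised form so the difference in behaviour can be observed directly; the helper names and the `users` table are assumptions for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Query built by string concatenation. Whatever the caller supplies becomes
    part of the SQL grammar, so a quote character in the input rewrites the
    WHERE clause. No OS, stack canary or NX bit is involved in this failure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter. The value travels separately from the
    statement text, so it is only ever compared as data and cannot alter the query."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_injection_attempt(value: str) -> bool:
    """Cheap input-side indicator for logging or alerting on a field that should
    hold a bare username. It is a detection aid only; parameterisation is the fix."""
    return any(token in value for token in ("'", "--", "/*", ";"))


def compare(username: str) -> dict:
    """Run both versions against the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, username)),
        "parameterised_rows": len(find_user_parameterised(conn, username)),
        "flagged": looks_like_injection_attempt(username),
    }


if __name__ == "__main__":
    # Constructed inputs: a normal username and the textbook tautology string.
    for candidate in ("bob", "' OR '1'='1"):
        print(repr(candidate), compare(candidate))
```

With the benign input both functions return the single matching row. With the tautology string the concatenated query becomes `... WHERE username = '' OR '1'='1'`, which is true for every row and leaks the whole table, while the parameterised query simply finds no user named `' OR '1'='1`. The heuristic flags the second input for an analyst but would not have prevented the leak on its own.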
“With tools and platforms available it is perfect from an economic point of view, and as we are in the middle of a stampede to web-ify things, there are plenty of targets and the value of an exploitation is probably quite high so it provides the ideal balance for an attacker of a vertical service while being quite cheap to do,” said Rendell.