Temple University

Week 11: Reading Summary, InTheNews, Question for class…

Reading: Marezzi@gmail.com (2008), “Full SQL Injection Tutorial”.  The tutorial describes SQL injection as a code-insertion technique for attacking poorly implemented data-driven client-server and n-tier applications whose databases accept SQL. The poor implementation shows up in two ways: user input is not strongly typed, so text supplied by the user is executed as code; or user input is incorrectly filtered, so literal escape characters (such as the single quote) embedded in SQL expressions are allowed to change the structure of the statement and run nefarious commands.  Successful SQL injection can be used to probe and exploit any unprotected SQL database, or any website backed by one, and the result can violate the database’s confidentiality, integrity or availability.
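As an added illustration of the failure mode the tutorial describes, the following Python/SQLite script is example code written for this summary, not code from the tutorial. It puts a login query that splices user input into the SQL text beside the same query written with bound parameters, then drives both with the classic injection inputs: comment truncation (`' --`), a tautology (`' OR '1'='1`), and a UNION that pulls a column the query was never meant to return. The users table, its rows and the function names are constructed sample data and assumptions, not anything from the reading.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            role TEXT NOT NULL
        );
        INSERT INTO users (username, password, role) VALUES
            ('alice', 'correct-horse', 'admin'),
            ('bob',   'battery-staple', 'user');
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: user input is spliced into the SQL text.

    A single quote in the input closes the string literal, so the rest of
    the input is parsed as SQL. This is the 'incorrectly filtered escape
    character' case from the tutorial.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """HARDENED: the same query with bound parameters.

    The driver sends the statement and the values separately, so a quote
    in the input can never alter the statement's structure; it is only
    ever compared as data.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed attack inputs, one per technique the tutorial covers.
COMMENT_TRUNCATION = "alice' --"           # comments out the password check
TAUTOLOGY = "' OR '1'='1"                  # makes the WHERE clause always true
UNION_DUMP = "' UNION SELECT password, username FROM users --"  # reads another column


def demo():
    """Run every input through both functions; returns the results for inspection."""
    conn = make_db()
    return {
        "vuln_comment":  login_vulnerable(conn, COMMENT_TRUNCATION, "wrong"),
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "vuln_union":    login_vulnerable(conn, UNION_DUMP, "wrong"),
        "safe_comment":  login_safe(conn, COMMENT_TRUNCATION, "wrong"),
        "safe_tautology": login_safe(conn, TAUTOLOGY, TAUTOLOGY),
        "safe_union":    login_safe(conn, UNION_DUMP, "wrong"),
        "safe_real":     login_safe(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-15s %s" % (name, rows))
```

Against the vulnerable function the comment input logs in as alice without a password, the tautology returns every row, and the UNION input returns the password column in place of the role column; against the parameterized function all three return no rows, while the genuine credentials still work. One caveat on scope: Python's sqlite3 module refuses multi-statement strings passed to execute(), so stacked queries such as `'; DROP TABLE users; --` are not shown here, even though other drivers and databases do accept them.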

InTheNews: Kovacs, E. 2015-09-17, “Russian Hackers Target Industrial Control Systems: US Intel Chief.” Security Week. Russian actors have compromised at least three industrial control systems (ICS) vendors’ product supply chains with malware, and the production lines of many of their customers are at risk.  “Supply chains are difficult to secure, they create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your organization, and its reputation, as one from within the organization. … There’s a great necessity to track everything that is happening in the supply chain as even the smallest supplier or the slightest hiccup can have dangerous impact on your business.” http://www.securityweek.com/russian-hackers-target-industrial-control-systems-us-intel-chief

Question for Class: What would be a practical/feasible approach to managing the cost implications of the need for ‘cradle to grave’ supply chain security for small high-tech firms integrating industrial controls for clients?
