Answer the discussion questions please i will give thumb up

Security Guide THEFT BY SOL INJECTION **Warning" You are about to learn a technique for How Does SOL Injection Work? compromising an information system called SQL injection. Do SOL injection, as it sounds is a way of inserting your not try it on existing systems. SQL injection attacks leave log O SOL code into someone else's information system. entries with your IP address attached. Attempting SOL it To understand this consider what happens when you jection on a system without permission is illegal. You can be normally log in to a Web site. You enter your username identified tracked and charged. Felony hacking convictions John Dee001) and a password password 1234) and are not resume builders then press the Enter key SQL Injection is a popular way to steal data because It can be done from anywhere in the world. You don't even need to physically enter the target country. You need some Usemane Lohnboe002 smart people with time to invest and a couple modest com- Password password234 puters. From a criminal's point of view it's a low-risk and high-reward proposition SOL injection is a criminal attack an information system to illegally extract data from a database. It can add or delete data, drop tables and their data, and even shut down an information system. And. because it can be done from anywhere in the world criminals can rob from coun UVERS ORDERS Protus tries that don't strdite criminals such DATABASE as Russia. China North Korea, and others ORDER THEM RID DEP Criminals have caught on to the . PG bySQL injection Imperial, an enterprise Ince CALLED data security firm. listed the following key COD STOCK findings in its 2013 Imperva Web Applica tion Attack Report 1. Retailers suffer two times as many SOL Injection attacks as other industries CAREY 2. Most Web applications receive four TOK or more Web attack campaigns per Pic month and others are constantly under attack (176 out of 180 days). 3. One Web site received 94,057 SOL WED JERVER Injection attack requests in one day. Let these numbers sink in: Your corpo FULL rate Website is likely being attacked on a regular basis Sowcu. Federico Cateriat Tukatoo TO 113111e 224 SECURITY GUIDE Theft by SQL Injection 225 In a site that is vulnerable to SQL injection, the following SOL statement is sent to the Web site's DBMS. SELECT * FROM Users WHERE username-JohnDoe001 AND password='password1234; If the username and password are both correct, you'll be allowed in. The "injection part of SQL injection happens when you enter in unexpected text into that Web form. You enter text into the login form that changes the way the SQL statement is processed. Instead of entering a real username and password, put in a random username in this case, we kept it John Doe001 and a malformed, but tricky, statement into the password field (anything'or 1=1 -- SELECT FRON Users WHERE username John Doe001 AND password anything or 1-1 --> The word "anything will not match the correct pass- word in the database, but because or 1=1" was included the resulting comparison will always be "true. This is be cause 1=1 is true, and only one side of the comparison needs to be true if or is included. This SOE.statement will enable you to bypass the login screen and gain access to the system. Similar malformed SQL statements can be used to extract, add or delete data. There is even software available that largely automates the SQL injection process. SQL injection can be readily presented. The particular techniques are beyond the scope of this text, but they come down to never writing computer programs to append user- entered data to a SOI statement. Instead, the users' data is passed to a program controlled by the DBMS that inspects that user-entered data and then uses it without changing any SOL.code. Unfortunately, not all companies take the time to pro- tect themselves from SQL injection Sony Corp. lost more than 100 million accounts to St. injection attacks in 2011. In 2014. Two S. Navy systems administrators on a nucle- ar aircraft carrier used SQL injection to get the private data of 220.000 sailors. They said they did it out of "boredom. Username: John Doe001 Password anything' or 1-1 Note that the single quote in the password changes the SQL statement by enclosing the word "anything" and allow- ing 1=1 to be included. (The double hyphen indicates the rest of the SOL statement, which is not shown because it's not relevant to this guide.) DISCUSSION QUESTIONS 1. Why is data theft attractive to criminals? 2. How common is SOL injection? 3. How does SQL injection work 4. What can an attacker do to a database using SQL injection? 5. How can organizations prevent SQL injection attacks from being successful? 6. If you were a senior manager at an organization that had serious losses due to SQL injection, what would you do about it? 7. Suppose an organization not only prevents SQL injec- tion from success but also tracks the identity of sites that attempt such attacks. What should the organization do with that attack data