The purpose of this paper is to present a pedagogical case that demonstrates how a prevalent cybersecurity threat, SQL Injection (SQLi), operates. Prompted by questions from students such as “How do cybersecurity threats work?” and “What specific actions can organizations take to mitigate cybersecurity threats?”, this paper demonstrates the technical inner workings of SQLi. Students first answer background questions on SQLi and then simulate SQLi in both a Microsoft Access and a web-based environment.
As more organizations conduct business over the Internet, cybersecurity threats have become more prevalent. For example, according to the 2014 Internet Security Threat report published by Symantec, mega breaches, those breaches with 10 million or more identities exposed, increased 700% from 2012 to 2013 and the total number of breaches increased 62% from 2012 to 2013.
One popular cybersecurity threat is Structured Query Language Injection (SQLi). According to reports from Imperva and Firehost (Ragan 2012), SQLi has been one of the most common vulnerabilities in web applications for years (Wood 2012). While many examples of SQLi exist, one of the most prolific hackers who used SQLi was Albert Gonzalez (BBC 2009). Between 2005 and 2007, he and his co-conspirators used SQLi attacks to steal 170 million credit card numbers. His targets included Dave & Buster's, CardSystems Solutions, and Heartland Payment. It is unknown exactly how much money he made by reselling the cards, but when he was eventually arrested, authorities confiscated 2.7 million dollars in cash, a luxury car, laptops, firearms, a diamond ring, and other luxury items. A more recent case occurred in July of 2012 when a hacker group stole 450,000 user passwords from Yahoo's database using SQLi (Yap 2012). While not as critical as the financial damage done by Gonzalez, it demonstrated a disconcerting lack of security at one of the world's largest web portals. Not only did Yahoo lack countermeasures for SQLi attacks, but it also stored user passwords in plaintext rather than in hashed or encrypted form.
Cybersecurity threats, such as SQLi, impact compliance and regulatory mandates, such as Sarbanes-Oxley (SOX), that are particularly relevant to accountants. To inform accounting students of the risks and corresponding internal controls associated with cybersecurity threats, Accounting Information Systems (AIS) textbooks and AIS pedagogical research frequently address cybersecurity threats. While these textbooks provide a worthwhile overview of cybersecurity threats, our experience teaching cybersecurity suggests that students want to know how these threats operate, prompting questions such as “How do cybersecurity threats work?” and “What specific actions can be taken to mitigate cybersecurity threats?”. Understanding the technical details underlying cybersecurity threats is important, especially for accounting students interested in career opportunities in Information Technology (IT) Auditing. Such knowledge can help these students develop a deeper understanding of the risks associated with cybersecurity threats as well as the countermeasures for mitigating such threats.
Considering the increasing need for accounting students to develop a better understanding of cybersecurity threats, the purpose of this paper is to present a case that explores a popular cybersecurity threat, SQL Injection (SQLi). This case provides relevant background reading on SQLi and offers a tutorial on how to execute SQLi. Students initially answer questions about SQLi from the assigned readings and then execute SQLi attacks within a Microsoft Access database and a web-based environment. AIS instructors can use this case when covering cybersecurity threats and/or Information Technology (IT) security topics. By providing hands-on experience executing SQLi, this case will help students develop a solid understanding of the technical aspects and business implications of SQLi, as well as a better understanding of how to mitigate risks from SQLi.
RELEVANCE OF SQL INJECTION TO ACCOUNTING STUDENTS
From a technical perspective, SQLi occurs when an application concatenates untrusted user input into a SQL statement, so that the database parses the input as part of the query rather than treating it as a plain data value. The result can be unauthorized access to data, as well as unauthorized inserts, updates, and deletes of data. Naturally, malicious users who employ a SQLi attack to view, insert, delete, or update sensitive corporate data could also then disclose such data, thereby negatively impacting compliance with various regulatory mandates (e.g., SOX, HIPAA). Moreover, malicious users could employ SQLi to execute a denial of service attack by deleting tables or shutting down a corporate database.
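The following is an added example, not code from the case materials, that shows the mechanism described above in a form students can run. It uses an in-memory SQLite table with constructed customer data standing in for the Access or web database of the case; the table name, the three payload strings, and the PRAGMA query_only read-only setting are assumptions chosen for the illustration. The vulnerable function concatenates the user's input into the query; the safe function binds it as a parameter; the read-only connection stands in for a least-privilege database account.

```python
import sqlite3

# Constructed sample data (not from the paper): a small customer table in memory.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (name, card_last4) VALUES (?, ?)",
                     [("Alice", "1111"), ("Bob", "2222"), ("Carol", "3333")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation, so the input is parsed as SQL."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Parameterized query: the driver binds the input as a value, never as SQL."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)).fetchall()

def run_vulnerable_script(conn, name):
    """Same concatenation, sent through an API that accepts several statements
    (executescript). Drivers that allow multiple statements per call are what
    make stacked-query injection (a trailing DELETE or DROP) possible."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    conn.executescript(sql)

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]

# Payloads constructed for this example.
TAUTOLOGY = "x' OR '1'='1"          # makes the WHERE clause always true
UNION_DUMP = "x' UNION SELECT name, card_last4 FROM customers WHERE 'a'='a"
STACKED_DELETE = "x'; DELETE FROM customers; --"

def demo():
    conn = build_db()
    results = {
        "normal": lookup_vulnerable(conn, "Alice"),       # one row, as intended
        "tautology": lookup_vulnerable(conn, TAUTOLOGY),  # every row: unauthorized read
        "union": lookup_vulnerable(conn, UNION_DUMP),     # every row via UNION
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),   # no rows: input stayed data
    }
    # Stacked-query injection on a connection with write rights wipes the table.
    run_vulnerable_script(conn, STACKED_DELETE)
    results["rows_after_delete"] = row_count(conn)

    # Least privilege: even though the application code is still injectable,
    # a read-only connection cannot be made to delete. PRAGMA query_only is
    # SQLite's stand-in for a database account granted SELECT only (assumption).
    conn2 = build_db()
    conn2.execute("PRAGMA query_only = 1")
    try:
        run_vulnerable_script(conn2, STACKED_DELETE)
        results["readonly_blocked"] = False
    except sqlite3.OperationalError:
        results["readonly_blocked"] = True
    results["rows_after_readonly_attempt"] = row_count(conn2)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the two countermeasures the case teaches working independently: parameterization stops the input from ever being parsed as SQL, and a least-privilege database account limits the damage when the application layer is still flawed. Both belong in an IT control assessment; relying on only one of them leaves a single point of failure.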
Since SQLi can result in unauthorized disclosure of sensitive data, such as customer credit card information, organizations may incur significant remediation costs after a SQLi attack (SEC 2011). These may include the costs of repairing system damage caused by a SQLi attack or offering credit reports to customers. SQLi attacks may also result in significant cybersecurity protection costs including purchasing technologies to prevent future attacks, training employees or hiring outside consultants. Due to the potential damage to a firm's reputation following the unauthorized disclosure of sensitive customer data (e.g., credit card information) stemming from a SQLi attack, firms may experience significant difficulty in retaining and attracting customers, thereby negatively affecting future revenues and investor confidence. Since a SQLi attack can result in the unauthorized disclosure of customer data or even deletion or unauthorized updates to customer data, organizations exploited by a SQLi attack may be subject to significant future litigation costs.
Since cybersecurity threats such as SQLi can result in unauthorized access, unauthorized deletion of data, and unauthorized updates of data, they have the potential to impact important compliance issues such as SOX. SOX section 404 requires management to establish, assess, and monitor the effectiveness of internal controls over financial reporting (ITGI 2006; Richards et al. 2005). In an e-business environment, the integrity of the financial reporting process is reliant on the adequacy of internal controls, including IT-based internal controls (COSO 2011a; Klamm and Watson 2009, 2011). As such, in order to comply with SOX section 404 requirements, organizations must assess the effectiveness of internal controls, including IT-based internal controls that significantly impact financial reporting (Merhout and Havelka 2006). Organizations must validate the effectiveness of IT controls in order to certify the integrity of financial reporting for SOX compliance (ITGI 2006; Rozek 2008; Walters 2007). Consequently, assessing and mitigating IT risks has become more important for audit committees (Scharf 2007). Reflecting this importance, compliance and regulatory mandates have started to address IT risks on a deeper level. For example, the revised COSO Internal Control framework (COSO 2011a, 2011b) emphasizes the importance of IT-based risks and controls.
Cybersecurity threats may also expose an organization to further compliance risks (Annaswamy 2009; Klamm and Watson 2011). The most important of these compliance issues for accounting professionals center on the security of information systems resources and the privacy and protection of sensitive data. The Health Insurance Portability and Accountability Act (HIPAA) (relating to privacy of patient information within the health services industry), Gramm-Leach-Bliley Act (GLBA) (relating to privacy and protection of sensitive consumer data within the financial services industry), and Payment Card Industry Data Security Standards (PCI DSS) (relating to security of credit card and other personally identifiable information within the PCI industry) are salient examples. SQLi is important to consider when complying with HIPAA, GLBA, and PCI DSS because it can be used to steal, update or delete sensitive customer or patient data. To assess and mitigate cybersecurity threats, accounting students need to understand how these threats operate. Such understanding will help students identify, assess, and mitigate risks from cybersecurity threats.
The risks associated with cybersecurity threats have prompted the SEC to offer guidance regarding the disclosure of the risks associated with cybersecurity and cyber threats. According to the SEC, registrants should periodically reexamine their disclosures concerning cybersecurity risks and cyber incidents and revise them as deemed appropriate. If cyber incidents pose a significant investment risk in the company then registrants are advised to provide this disclosure. Additionally, cybersecurity risks and cyber incidents should be addressed in the Management Discussion and Analysis (MD&A) if these risks can severely impact the financial condition of the organization.
Researchers have noted the prevalence of communication problems between financial and IT auditors which have the potential to impair the overall financial audit effectiveness (Brazel 2008; Carmichael 2004; Curtis et al. 2009). Educating accounting students about cybersecurity threats can help alleviate this communication gap in several ways. First, training accounting students in cybersecurity can help accounting students understand technical terms and concepts and to speak the technical language of IT auditors. Second, understanding the technical details behind cybersecurity threats can also help accounting students connect technical issues to business implications—an important skill especially on an integrated audit. Overall, training accounting students in cybersecurity threats may help these students, many of whom will become financial auditors, to better work together with IT auditors to identify, assess and mitigate e-business risks.
Case Learning Objectives
The purpose of this case is to provide an overview of SQL Injection (SQLi), a cybersecurity threat. This case demonstrates how one specific cybersecurity threat, SQLi, operates as well as the appropriate technical countermeasures for mitigating SQLi.
As shown in Appendix A, the learning objectives for the SQLi case are to develop students' abilities to:
Identify and understand the risks of SQL injection and how cybersecurity threats, such as SQLi, impact the financial reporting process.
Understand SEC guidance for addressing the impact of cybersecurity threats on the financial reporting process.
Understand the technical inner-workings of SQLi.
Identify and understand countermeasures for controlling risks from SQLi.
THE SQL INJECTION CASE
The student case, teaching notes with suggested solutions, and PowerPoint slides are available for download from the journal website.
The questions in Appendix A provide AIS instructors a way to indirectly assess student learning. These questions are derived from the learning objectives and employ five-point Likert-type response items. Collectively these questions provide a set of self-reported measures which gauge student reactions to the case. Instructors may distribute these questions during the class period upon completion of the case. Instructors may also choose to allow students to insert additional comments relating to the case at the end of the survey.
Tables 1 and 2 display a summary of student survey results collected from two implementations of this case. Data from these student surveys were collected from a small public liberal arts university in the southeastern United States from Spring 2013 to Spring 2014. Responses were coded from 1 (strongly disagree) to 5 (strongly agree), with 3 representing the neutral choice.
Instructor 1 reviewed the case and questionnaire within a senior-level undergraduate course in AIS, while instructor 2 reviewed the case and questionnaire within a graduate-level course in Management Information Systems (MIS). As such, questions 5, 8, and 9 were specific to accounting concerns and not applicable to instructor 2's course.
In addition to reporting the means and standard deviations, we also tested the hypothesis that the average student response was above the neutral point (neutral = 3) for each question using a one-sample t-test. For all applicable questions, each of the corresponding p-values indicated significance (p < 0.05). Since all questions were positively worded, the significance of these results indicates that students perceived this case to be beneficial across each of these measures. This held true for both undergraduate students in AIS as well as graduate students in MIS.
The authors would like to acknowledge the helpful comments from the participants and reviewers at the 2013 AAA AIS Section Meeting. The authors received summer research support from the University of Mary Washington.
A teaching note and electronic files are available for use with this case. If you are a member of the AIS Educator Association, please go to http://www.aiseducators.com and follow the links for the AIS Educator Journal. If you are not a member of the Association, please contact the author directly at the address provided above to obtain these materials. Please provide a means for verifying your credentials as a faculty member so that we may protect the integrity of the solutions materials.