NASDAQ, PNC Bank, Heartland Payment Systems, 7-Eleven, JC Penney hacked

Ars Technica has an old story that I thought was interesting:

From 2005 to 2012 there were multiple break-ins, and the hacker thus “owned” the various company sites.

The overwhelming attack vector used was SQL injection.

Here is an excerpt that I want to emphasize:

“NASDAQ is owned,” Aleksandr Kalinin, a 26-year-old resident of St. Petersburg, Russia, allegedly reported in a January 2008 instant message after finally obtaining administrative access to the stock exchange’s network. Like a rock climber slowly scaling a craggy cliff, he spent months methodically escalating his access into the highly sensitive system. In an instant message he sent six months earlier, after initially gaining less-privileged access, he said, “30 SQL servers, and we can run whatever on them, already cracked admin PWS but the network not viewable yet. those dbs are hell big and I think most of info is trading histories.” “PWS” and “dbs” are presumed to be shorthand for passwords and databases respectively.

 

Notice the methodology and thinking of the hacker: they find vulnerabilities by probing networks and database servers with many different methods. Eventually the prosecutors found that they had stolen $160 million. The hackers are very sophisticated and motivated. Today the attack on your database servers is a big business operation.

 
