
SQL Injection Attacks Haunt Retailers

Only about a third of companies have the ability to detect SQL injection attacks, a new Ponemon report finds.

Retail and other industries that accept payment cards for transactions say the infamous SQL injection attack is either intensifying or remaining status quo.

In a new Ponemon Institute report on SQL injection and the recent massive retail breaches at Target, Michaels, and other big-box stores, some 53% of respondents say they believe SQL injection was one element of these high-profile breaches, where sensitive and confidential customer information was stolen.

Nearly half say SQL injection attacks are occurring at the same rate as always, while 38% say these attacks are increasing. Just 13% of the nearly 600 respondents say SQL injection attacks are decreasing.

"SQL injection still exists and doesn't seem to be" abating, says Larry Ponemon, chairman and founder of the Ponemon Institute, which published the new report today. The report, which was commissioned by DB Networks, follows an April report by Ponemon that found SQL injection attacks take two months or more to clean up, and some 65% of organizations of all types have been hit by a SQL injection attack in the past 12 months.

Verizon's famed Data Breach Investigations Report (DBIR), published in April, showed that SQL injection was used in 80% of the attacks against retailers' Web applications.

"Even though it has been around for a while and it seems like you'd expect the security world to line up and solve the problem [of SQL injection]... you don't see that happening," Ponemon says.

SQL injection was one of the weapons used in the attack on Target, he says.

"In the case of Target, they [the attackers] got PII that was not on any credit card. That was a database breach," says Michael Sabo, vice president of marketing at DB Networks, which sells behavioral analysis software for database security.

"And in all cases of major retailers [breached recently], all POS terminals in the organizations were breached with the malware. It would be highly unlikely the attacker went to each POS terminal," he says. Once they stole credentials, the Target attackers set up a POS software distribution system of their own and performed a SQL injection attack from inside Target, Sabo says.

About 34% of the organizations surveyed in the report say they have tools or technologies set to detect a SQL injection attack, and only about 12% scan their third-party software for SQL injection flaws. "The general view by many is that they are buying enterprise-grade software," Ponemon says, so scanning isn't needed.

"The nirvana would be continuous scanning" of databases, he says, but only 20% of the organizations in the report do so. "Nearly half don't scan for active databases, or scan irregularly," he says.

That, says Sabo, appears to have been Target's downfall. "In the case of Target, the attackers were able to stand up their own servers inside Target's systems and see the data they were stealing. But Target had no visibility into that," he says.

Some 65% of respondents pointed to continuous monitoring of databases as a way to prevent such retail breaches; 56%, advanced database activity monitoring; 49%, database encryption; 45%, chip and pin payment cards; and 39%, data leakage prevention technology.
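The survey numbers above refer to two distinct controls without illustrating either: scanning software for SQL injection flaws, and monitoring database activity for an attack in progress. The following example is added here to make both concrete; it is not code from the Ponemon report, DB Networks, or the retailers named in the article. It uses Python's standard sqlite3 module on a constructed in-memory table, shows the string-concatenation flaw next to its parameterized fix, and then applies a deliberately simplified query-shape allowlist (an assumed stand-in for the "database activity monitoring" respondents cite, not any vendor's method) that flags a statement whose structure differs from what the application is expected to issue.

```python
import re
import sqlite3

# Constructed sample data standing in for a retailer's customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(username):
    # The flaw: user input is spliced into the statement text, so the
    # database parses whatever the user typed as SQL.
    return "SELECT username, email FROM customers WHERE username = '" + username + "'"


def lookup_vulnerable(conn, username):
    return conn.execute(build_vulnerable_sql(username)).fetchall()


# The fix: the statement text is constant and the value is bound separately,
# so it can never change the structure of the query.
SAFE_SQL = "SELECT username, email FROM customers WHERE username = ?"


def lookup_parameterized(conn, username):
    return conn.execute(SAFE_SQL, (username,)).fetchall()


# --- Query-shape monitoring (a simplified, assumed form of database activity
# monitoring) -----------------------------------------------------------------
# Replace string and numeric literals with '?' so two statements with the same
# structure normalise to the same text regardless of the values they carry.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize(sql):
    return re.sub(r"\s+", " ", _LITERAL.sub("?", sql)).strip()


# Allowlist of statement shapes the application is expected to issue.
EXPECTED_SHAPES = {normalize(SAFE_SQL)}


def is_anomalous(sql):
    """True when a statement's structure is not one the application is known to use."""
    return normalize(sql) not in EXPECTED_SHAPES


# A classic tautology of the kind SQL injection scanners submit as a test input.
INJECTED_INPUT = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        # Ordinary lookup behaves the same either way.
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        # Concatenated query: the WHERE clause becomes a tautology and every row comes back.
        "injected_vulnerable": lookup_vulnerable(conn, INJECTED_INPUT),
        # Parameterized query: the same input is just a username that matches nothing.
        "injected_parameterized": lookup_parameterized(conn, INJECTED_INPUT),
        # The monitor accepts the expected shape and flags the altered one.
        "normal_query_flagged": is_anomalous(build_vulnerable_sql("alice")),
        "injected_query_flagged": is_anomalous(build_vulnerable_sql(INJECTED_INPUT)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The shape check is what makes the monitoring angle useful to a defender: it does not need a signature for any particular payload, only knowledge of the queries the application legitimately issues, which is exactly the visibility the article says Target lacked. The same normalisation can be applied to a production database's query log to enumerate the statement shapes that would seed such an allowlist.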

Nearly 20% of the respondents in the Ponemon report were from the financial services industry; 12% from the public sector; 10% from retail; 9% from health and pharmaceuticals; 8% from services; 7% from industrial; and 6% from consumer products.

Ponemon's "The SQL Injection Threat & Recent Retail Breaches" report is available here for download. 
