
Application Security

6/10/2014
06:06 PM

SQL Injection Attacks Haunt Retailers

Only about a third of companies have the ability to detect SQL injection attacks, a new Ponemon report finds.

Retail and other industries that accept payment cards for transactions say the infamous SQL injection attack is either intensifying or remaining status quo.

In a new Ponemon Institute report on SQL injection and the recent massive retail breaches at Target, Michaels, and other big-box stores, some 53% of respondents say they believe SQL injection was one element of these high-profile breaches, where sensitive and confidential customer information was stolen.

Nearly half say SQL injection attacks are occurring at the same rate as always, while 38% say these attacks are increasing. Just 13% of the nearly 600 respondents say SQL injection attacks are decreasing.

"SQL injection still exists and doesn't seem to be" abating, says Larry Ponemon, chairman and founder of the Ponemon Institute, which published the new report today. The report, which was commissioned by DB Networks, follows an April report by Ponemon that found SQL injection attacks take two months or more to clean up, and some 65% of organizations of all types have been hit by a SQL injection attack in the past 12 months.

Verizon's famed Data Breach Investigations Report (DBIR), published in April, showed that SQL injection was used in 80% of the attacks against retailers' Web applications.

"Even though it has been around for awhile and it seems like you'd expect the security world to line up and solve the problem [of SQL injection]... you don't see that happening," Ponemon says.

SQL injection was one of the weapons used in the attack on Target, he says.

"In the case of Target, they [the attackers] got PII that was not on any credit card. That was a database breach," says Michael Sabo, vice president of marketing at DB Networks, which sells behavioral analysis software for database security.

"And in all cases of major retailers [breached recently], all POS terminals in the organizations were breached with the malware. It would be highly unlikely the attacker went to each POS terminal," he says. Once they stole credentials, the Target attackers set up a POS software distribution system of their own and performed a SQL injection attack from inside Target, Sabo says.

About 34% of the organizations surveyed in the report say they have tools or technologies set to detect a SQL injection attack, and only about 12% scan their third-party software for SQL injection flaws. "The general view by many is that they are buying enterprise-grade software," Ponemon says, so scanning isn't needed.

"The nirvana would be continuous scanning" of databases, he says, but only 20% of the organizations in the report do so. "Nearly half don't scan for active databases, or scan irregularly," he says.

That, says Sabo, appears to have been Target's downfall. "In the case of Target, the attackers were able to stand up their own servers inside Target's systems and see the data they were stealing. But Target had no visibility into that," he says.

Some 65% of respondents pointed to continuous monitoring of databases as a way to prevent such retail breaches; 56%, advanced database activity monitoring; 49%, database encryption; 45%, chip and pin payment cards; and 39%, data leakage prevention technology.

Nearly 20% of the respondents in the Ponemon report were from the financial services industry; 12% from the public sector; 10% from retail; 9% from health and pharmaceuticals; 8% from services; 7% from industrial; and 6% from consumer products.

Ponemon's "The SQL Injection Threat & Recent Retail Breaches" report is available here for download. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Randy Naramore
User Rank: Ninja
6/11/2014 | 4:38:46 PM
Re: Colleges not teaching security
True statement, secure coding needs to be first and foremost on everyone's mind. 
RetiredUser
User Rank: Ninja
6/11/2014 | 1:15:11 PM
Re: Colleges not teaching security
@Robert McDougal

Absolutely agree. Anecdote: Worked for a company where the developers were old-school C coders. Started incorporating C++ libraries and a shift was made to code in C++ - not the first language of these guys. Our test team had a talented hacker on it who tore through every release that had C++ code and punched holes in every possible place, returning the apps back daily with exploit notes. The coders were dumbfounded but thankful. They sat with this tester (who was not a programmer, just a great researcher and hacker) and took notes, experimented, and hardened the code. Bottom line, if you get good at breaking your own code, your own apps, you can identify where you need to adjust your development approach to produce more secure programs.

Robert McDougal
User Rank: Ninja
6/11/2014 | 10:33:51 AM
Colleges not teaching security
In my experience, it appears that colleges are not teaching secure coding techniques to developers.  Instead it appears the focus is on how to create applications quickly rather than securely.

Many developers do not fully understand the full nature of SQL injection attacks. A perfect example that I see often is that after I discover a SQL injection vulnerability I am told that I must be mistaken because they use input validation. What they are missing is that a black list is not true input validation. Why? For example, if a program black lists the tick character (') that doesn't mean I can't still use it. Sure, this statement wouldn't work (' or '1'='1' --), but if I encoded the tick like this it would work just fine (%27%20%6F%72%20%27%31%27%3D%27%31%27%20%2D%2D). In this case a better way to handle input validation is to use a white list, meaning only accept characters on the list rather than having to specify every character not allowed.

This is only one small example of SQL injection developer shortcomings; I have seen dozens of other trends. Bottom line is that we need our colleges to put a priority on teaching secure coding practices.
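An added example, not code from the article or any commenter, illustrating the point made in the comment above: a black list that looks for the tick in raw input passes the URL-encoded form quoted there, a white list rejects it, and a parameterized query treats whatever arrives as data regardless of validation. It assumes Python's standard sqlite3 module and a constructed two-row users table.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample inputs; the encoded string is the one quoted in the comment above.
RAW_INJECTION = "' or '1'='1' --"
ENCODED_INJECTION = "%27%20%6F%72%20%27%31%27%3D%27%31%27%20%2D%2D"
LEGIT_USERNAME = "alice"


def blacklist_validate(value: str) -> bool:
    """Black list: reject input that contains a tick. Applied to the raw, still-encoded input."""
    return "'" not in value


def whitelist_validate(value: str) -> bool:
    """White list: accept only letters, digits and underscore, 1-32 characters; '%' is not on the list."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", value) is not None


def decode_then_check(value: str, validator) -> bool:
    """Validate the value in the form the application actually uses it: after URL decoding."""
    return validator(unquote(value))


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a retailer's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "1234"), ("bob", "5678")])
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: string concatenation lets the decoded tick terminate the literal."""
    return conn.execute("SELECT name, card_last4 FROM users WHERE name = '" + name + "'").fetchall()


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """The hardened form: the driver binds `name` as a value, never as SQL text."""
    return conn.execute("SELECT name, card_last4 FROM users WHERE name = ?", (name,)).fetchall()
```

Validation belongs after decoding, and parameterization is the control that holds even when validation is wrong.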