The second DB Networks sponsored Ponemon Institute report on the SQL injection threat has been released.
The report explores what IT security professionals think about the likely attack chain of recent data breaches involving major retailers such as Target, Michaels and Neiman Marcus. The first report focused on how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk.
The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database.
69% of respondents say their organization must comply with Payment Card Industry Data Security Standard (PCI DSS). As such, a majority of the respondents are very familiar with and required to comply with the security requirements for retailers who accept payment cards.
SQL injections have been defined as being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways.
Background on retail breaches
Details of the recent retailer network intrusion and data breach haven’t been readily forth coming from either the retailers who were breached or the U.S. Secret Service in charge of the breach investigations. As a result, security professionals are left to piece together the attack chain details based on the nascent amount of information that has been shared thus far.
Target, for example, has revealed the credentials from an HVAC contractor were compromised. Those compromised credentials they claim initiated the attack chain that ultimately resulted in two major breaches. While certainly an interesting factoid, that information actually offers little insight into the events that ultimately resulted in the breach of 40 million credit cards and another 70 million database records containing personally identifiable information (PII).
The HVAC vendor credentials only provided access to Target’s vendor billing and invoicing system. It’s a rather long leap from those systems into Target’s POS systems. How that feat was accomplished hasn’t been made public. Further, a report by BusinessWeek revealed that Target’s IT security systems were able to identify the hacker’s suspicious activity multiple times during the attack. But unfortunately those alerts were not agreed upon by Target’s IT security staff.
Some of the key takeaways from this study include:
- 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16% believe an individual perpetrated the attack.
- Many respondents believe notification of victims is better later than sooner. 36% of respondents would prefer to wait to notify victims until a thorough investigation was conducted.
- SQL injection threat was one of the components of these retail breaches. 53% of respondents say SQL injections were used to steal sensitive and confidential information.
- 65% of respondents say continuous monitoring of the database network followed by advanced database activity monitoring are the best approaches to avoiding a mega data breach
- 33% of respondents say they either scan continuously or daily for active databases. However, 25% scan irregularly and 22% do not scan at all
- SQL injection was considered by respondents to be one of the components of these attacks. 57% (36% + 21%) of respondents believe the likelihood that the attacks against the U.S. retailers involved SQL injection was 51% or greater
- 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
- 49% say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
- Many organizations are not familiar with the techniques used by cyber criminals.
- 46% are familiar with the term Web Application Firewalls (WAF) bypass
- 39% of respondents are very familiar or familiar with the techniques cybercriminal use to get around WAF perimeter security devices
- BYOD makes understanding the root causes of an SQL injection threat more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of employees’ use of personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers
- Expertise and the right technologies are critical to preventing the SQL injection threat. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect SQL injection threats and 34% agree that they have the technologies or tools to quickly detect a SQL injection threat
Find the report here.