A new study conducted by the Ponemon Institute, titled The SQL Injection Threat & Recent Retail Breaches, asserts that continuous monitoring of database networks is the key to avoiding mega-breaches in the retail sector, such as those that recently plagued Target, Neiman Marcus, and Michaels Stores.
As the report’s title suggests, the study also found that the majority of the 595 IT security experts surveyed, who work in a wide variety of industries and governments, believe that the major attacks against retailers most often involve some fashion of SQL injection as one of the primary components in successful attacks.
“While details of the recent retailers breach haven’t yet been fully disclosed by the retailers who were breached or the U.S. Secret Service in charge of breach investigations, this study offers some interesting industry insight into these events from IT security professionals and experts familiar with PCI DSS,” said Dr. Larry Ponemon.
Key findings in the report include:
- Fifty-three percent of respondents in total indicated that breach notification should occur within a month
- Initial reports were that a Russian teenager was the perpetrator of the Target breach, however half the respondents felt that it was actually the work of a cyber criminal syndicate. Only 15 percent responded that a lone wolf hacker was the likely culprit, while 11 percent responded that nation-state actors were likely responsible
- While most respondents believed that the attacks against the retailers databases involved SQL injection, almost half of the respondents said the SQL injection threat also facing their own organization is very significant
- Nearly two-thirds of respondents (64 percent) felt that their organization presently does not have the technology or tools to quickly detect SQL injection database attacks
- Only one-third of respondents either scan continuously or daily for active databases. However, 25 percent reported they scan irregularly and 22 percent do not scan at all
- Only 48 percent of respondents indicated that they test or validate third party software to ensure it’s not vulnerable to SQL injection
- Forty-four percent utilize professional penetration testers to identify vulnerabilities in their IT systems; but 65 percent of those penetration tests do not include testing for SQL injection vulnerabilities
“It’s well known that database breaches, including these high-profile attacks against the retailers, are devastating to merchants in terms of lost sales and damage to their reputation,” said Brett Helm, Chairman and CEO of DB Networks, which commissioned the study.
“This study sheds additional light on the likely attack chain so that all retailers can now be more prepared in the future.”
Full Report Here (Form Required)…