
Database Monitoring Critical to Fighting SQL Injection, Few Do it: Survey

SQL injection attacks are far from new, and the consequences of being vulnerable to them are hardly unknown.

However, a Ponemon Institute survey of 595 IT security experts indicates that many organizations may not be doing enough to address them. Only 33 percent said their organizations scan their active databases either continuously or daily; 47 percent said they do so irregularly or not at all. Despite those numbers, continuous monitoring of databases was cited by 65 percent of respondents as the best way to avoid a database breach.

“While details of the recent retailers breach haven’t yet been fully disclosed by the retailers who were breached or the U.S. Secret Service in charge of breach investigations, this study offers some interesting industry insight into these events from IT security professionals and experts familiar with PCI DSS,” said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, in a statement.

For the most part, the respondents felt that criminal cyber-syndicates are to blame for the large retail breaches, whereas just 16 percent believe a lone wolf perpetrated the attack. Twenty-three percent blamed hacktivists, while 11 percent pointed the finger at nation states.

“A contentious topic among retail customers is the time required for the notification of a breach of payment card data and/or personal information,” according to the report. “IT security professionals understand what’s a reasonable time frame given their understanding of the process required to identify the scope of a particular data breach and precisely whose information has actually been breached.”

“Thirty-six percent of respondents believe there should be no specific timeframe and notification should occur only after a thorough investigation has concluded,” the report states. “However, 53 percent say response time should be faster… 34 percent say notification should take place in less than a month, 17 percent say it should be less than a week and 2 percent say less than three days.”

According to the report, 65 percent of the respondents said they were hit with a SQL injection attack that successfully evaded their perimeter defenses in the last 12 months. 
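The two findings above, that continuous database monitoring is rated the best defense and that most respondents saw SQL injection get past their perimeter, point at detection on the database side rather than at the web tier. As an added illustration (not code from SecurityWeek, Ponemon or DB Networks), this Python script fingerprints the structure of each logged SQL statement and alerts on shapes the application never issued during a clean learning window, which is how an injected clause that passed the perimeter still stands out at the database. The log format, table names and statements are constructed for the example.

```python
import re

# Literals are collapsed so that statements differing only in their values share one fingerprint.
_STRING_LIT = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")


def fingerprint(sql):
    """Reduce a SQL statement to its structural shape: keywords, identifiers and operators."""
    shape = _STRING_LIT.sub("?", sql)
    shape = _NUMBER_LIT.sub("?", shape)
    return _SPACE.sub(" ", shape).strip().lower()


def learn_baseline(statements):
    """Shapes the application is known to issue, learned from traffic captured while it was clean."""
    return {fingerprint(sql) for sql in statements}


def scan_log(baseline, lines):
    """Return (statement, fingerprint) for each logged statement whose shape is not in the baseline."""
    alerts = []
    for line in lines:
        sql = line.split("\t", 1)[1]  # constructed log format: "<timestamp>\t<statement>"
        fp = fingerprint(sql)
        if fp not in baseline:
            alerts.append((sql, fp))
    return alerts


# Constructed sample: statements captured from the application during a learning window.
LEARNING = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT total FROM orders WHERE customer_id = 7 AND status = 'open'",
]

# Constructed sample of later traffic; the last two statements carry injected clauses.
MONITORED = [
    "2014-03-01T10:00:01\tSELECT id, name FROM customers WHERE id = 99",
    "2014-03-01T10:00:02\tSELECT total FROM orders WHERE customer_id = 8 AND status = 'shipped'",
    "2014-03-01T10:00:03\tSELECT id, name FROM customers WHERE id = 99 OR 1=1",
    "2014-03-01T10:00:04\tSELECT total FROM orders WHERE customer_id = 8 AND status = 'x' UNION SELECT 1, username FROM users",
]


def run():
    # A shape unseen in the baseline also fires for a newly deployed legitimate query,
    # so the baseline must be re-learned with every application release.
    return scan_log(learn_baseline(LEARNING), MONITORED)
```

In practice the baseline is kept per database account so that an application login issuing a shape it has never used before is the signal, regardless of what the web application firewall in front of it accepted.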

“It’s well known that database breaches, including these high-profile attacks against the retailers, are devastating to merchants in terms of lost sales and damage to their reputation,” Brett Helm, chairman and CEO of DB Networks, which sponsored the survey, said in a statement. “This study sheds additional light on the likely attack chain so that all retailers can now be more prepared in the future.”

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.