SecurityWeek

SQL Injection Breaches Take Months to Uncover and Fix: Survey

SQL injection attacks have been at the center of many data breaches, big and small, over the years. Yet the technique continues to plague organizations even today.

According to a new report from the Ponemon Institute, 65 percent of the 595 IT practitioners surveyed said they had experienced at least one SQL injection attack that successfully evaded their perimeter defenses in the past 12 months. In addition, each SQL injection attack took an average of roughly 140 days to discover and required an average of 68 days to contain.

Almost half said the SQL injection threat facing their organization is very significant. On average, respondents believe 42 percent of all breaches are due at least in part to SQL injection. Still, many companies do not appear to be familiar with the tactics attackers commonly use: less than half (46 percent) said they were even aware of the term "Web Application Firewall bypass."

“It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues,” said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, in a statement. “For example, only a third of those surveyed (34 percent) agreed or strongly agreed that their organization presently had the technology or tools to quickly detect SQL injection attacks. And more than half (52 percent) of respondents indicated that they don’t test or validate any third party software to ensure it’s not vulnerable to SQL injection.”

The bring-your-own-device trend may be further complicating the issue. Fifty-six percent of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace.

“A couple major risks with BYOD are the loss of the physical device and not disabling specific corporate applications on the device when an employee resigns from the organization,” said Michael Sabo, vice president of marketing at DB Networks, which sponsored the study. “The majority of SQL injection countermeasures are designed for the external threat originating typically through a web interface. However BYOD is an insider threat. So there may not be security mechanisms in place in the organization to identify the root cause if an…attacker operating a compromised BYOD dispatches a SQL injection attack.”

In many cases, measures to prevent SQL injection attacks appear to be lacking. Some 52 percent said they do not scan third-party applications to make sure they are not vulnerable to SQL injection, and 47 percent either do not scan for active databases regularly (25 percent) or do not scan at all (22 percent). Any forgotten databases may contain sensitive financial, proprietary or customer information, Sabo said.

“Undocumented databases that no one is managing aren’t going to be secure,” Sabo said. “Because many of them were brought up for a quick and dirty test, they’ll likely have default passwords and thus are easily exploited. Also they’ll be unpatched and their vulnerabilities will be well known to the hackers.”

A copy of the report can be downloaded here.

Written By

Marketing professional with a background in journalism and a focus on IT security.
