
SQL Injection Breaches Take Months to Uncover and Fix: Survey

SQL injection attacks have been at the center of many data breaches, big and small, over the years. Yet they continue to plague organizations today.

According to a new report from Ponemon Institute, 65 percent of the 595 IT practitioners surveyed said they had experienced at least one SQL injection attack that successfully evaded their perimeter defenses in the past 12 months. In addition, each SQL injection attack took an average of roughly 140 days to discover and required an average of 68 days to contain.

Almost half said the SQL injection threat facing their organization is very significant. On average, respondents believe 42 percent of all breaches are due at least in part to SQL injection. Still, many companies appear unfamiliar with the tactics attackers actually use: fewer than half (46 percent) said they were even aware of the term Web Application Firewall (WAF) bypass.
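The 140-day detection gap and the unfamiliarity with WAF bypass both come down to the same problem: detection that matches raw request strings misses the encoded or obfuscated variants attackers send past a filter. The script below is an added example, not code from the article, the Ponemon report or DB Networks. The access-log lines are constructed for the example, and the signature list and normalize routine are illustrative rather than a production rule set. It runs a naive matcher and a normalizing matcher over the same lines to show which requests each one catches.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not from the survey).
# Line 2 is a plain tautology, line 3 is double URL-encoded, line 4 hides the
# keywords behind inline comments and mixed case, line 5 is a benign apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2014:12:01:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2014:12:01:09 +0000] "GET /item?id=42'%20OR%201=1-- HTTP/1.1" 200 9812
10.0.0.9 - - [10/Apr/2014:12:02:15 +0000] "GET /item?id=42%2527%2520UNION%2520SELECT%2520password%2520FROM%2520users HTTP/1.1" 500 73
10.0.0.9 - - [10/Apr/2014:12:02:40 +0000] "GET /item?id=42%27/**/UnIoN/**/SeLeCt/**/1,2,3 HTTP/1.1" 200 9812
10.0.0.3 - - [10/Apr/2014:12:03:01 +0000] "GET /search?q=o'reilly HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')

# Illustrative signatures, checked against a normalized request target.
SIGNATURES = [
    re.compile(r"'\s*(?:or|and)\s+\S+?\s*=\s*\S+"),   # ' or 1=1
    re.compile(r"\bunion\s+(?:all\s+)?select\b"),       # union select
    re.compile(r"\b(?:sleep|benchmark)\s*\("),          # time-based probes
    re.compile(r"\bwaitfor\s+delay\b"),
]


def request_target(line):
    """Return the request target (path + query) from a combined-format log line."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else ""


def naive_is_attack(target):
    """One URL-decode and a case-sensitive keyword match: what a minimal filter does."""
    decoded = unquote(target)
    return "' OR 1=1" in decoded or "UNION SELECT" in decoded


def normalize(target, max_rounds=3):
    """Decode repeatedly (bounded) to undo double encoding, turn inline
    comments into whitespace, collapse whitespace, and lowercase."""
    text = target
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower()


def normalized_is_attack(target):
    """Match the signatures against the normalized target."""
    norm = normalize(target)
    return any(sig.search(norm) for sig in SIGNATURES)


def flag_lines(log, detector):
    """Return the 1-based line numbers that the given detector flags."""
    flagged = []
    for n, line in enumerate(log.splitlines(), start=1):
        if line and detector(request_target(line)):
            flagged.append(n)
    return flagged


if __name__ == "__main__":
    print("naive:     ", flag_lines(SAMPLE_LOG, naive_is_attack))   # [2]
    print("normalized:", flag_lines(SAMPLE_LOG, normalized_is_attack))  # [2, 3, 4]
```

The naive matcher flags only the undisguised request; the double-encoded and comment-obfuscated requests from the same client pass it, which is exactly the class of WAF bypass the survey found most respondents had not heard of. Normalizing before matching is the first step, but it is not a substitute for parameterized queries in the application itself.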

"It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues," said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, in a statement. "For example, only a third of those surveyed (34 percent) agreed or strongly agreed that their organization presently had the technology or tools to quickly detect SQL injection attacks. And more than half (52 percent) of respondents indicated that they don’t test or validate any third party software to ensure it’s not vulnerable to SQL injection."

The bring-your-own-device trend may be further complicating the issue. Fifty-six percent of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace.

"A couple major risks with BYOD are the loss of the physical device and not disabling specific corporate applications on the device when an employee resigns from the organization," said Michael Sabo, vice president of marketing at DB Networks, which sponsored the study. "The majority of SQL injection countermeasures are designed for the external threat originating typically through a web interface. However BYOD is an insider threat. So there may not be security mechanisms in place in the organization to identify the root cause if an…attacker operating a compromised BYOD dispatches a SQL injection attack."

In many cases, measures to prevent SQL injection attacks appear to be lacking. Some 52 percent said they do not scan third-party applications to make sure they are not vulnerable to SQL injection, and 47 percent either do not scan for active databases regularly (25 percent) or do not scan at all (22 percent). Any forgotten databases may contain sensitive financial, proprietary or customer information, Sabo said.

"Undocumented databases that no one is managing aren’t going to be secure," Sabo said. "Because many of them were brought up for a quick and dirty test, they’ll likely have default passwords and thus are easily exploited. Also they’ll be unpatched and their vulnerabilities will be well known to the hackers."

A copy of the report can be downloaded here.
