High-profile data breaches have plagued retail this year — Target, Neiman Marcus, Michael's and other U.S. retailers have seen headlines about their woes splashed across both digital and print media.
In Target's case, the breach of 40 million credit cards and 70 million personally identifiable information (PII) database records led the CIO and then the CEO to resign. Could retailers be focusing their security efforts in the wrong areas?
According to a study released this month by privacy and security research firm Ponemon Institute and database security specialist DB Networks, a majority of security experts believe that the venerable technique of SQL injection was an important component of these attacks.
SQL injection, which started coming into heavy use around 1998, is an attack that seeks to exploit a weakness in a Web application connected to a database by inserting malicious SQL statements into a form field, URI stem or cookie value for execution. When processed by a vulnerable application, this results in a rogue SQL statement being issued to the database, usually to access, modify or delete content that it would not usually be authorized to access. In extreme cases, SQL injection can give an attacker control of the server on which the database resides.
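The mechanism described above can be seen in a few lines. The following is an added example, not code from the report or from any retailer's systems: it compares a lookup that pastes a form-field value into the SQL text with one that binds the value as a parameter. The table, column names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("alice@example.com", "1111"),
        ("bob@example.com", "2222"),
        ("o'brien@example.com", "3333"),
    ])
    return db

def lookup_vulnerable(db, email):
    # The form-field value becomes part of the SQL text, so a quote
    # character in it can change the structure of the statement.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # The value is bound as data; the statement's structure is fixed
    # before the input is ever seen.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

# Constructed form input that turns the WHERE clause into an always-true test.
CRAFTED = "x' OR '1'='1"

def run_demo():
    db = make_db()
    result = {
        "vulnerable_rows": len(lookup_vulnerable(db, CRAFTED)),
        "parameterized_rows": len(lookup_parameterized(db, CRAFTED)),
        "legit_parameterized": lookup_parameterized(db, "o'brien@example.com"),
    }
    # Concatenation also fails on legitimate input containing a quote.
    try:
        lookup_vulnerable(db, "o'brien@example.com")
        result["legit_vulnerable_error"] = False
    except sqlite3.OperationalError:
        result["legit_vulnerable_error"] = True
    return result

if __name__ == "__main__":
    print(run_demo())
```

The concatenated query returns every row for the crafted input and raises a syntax error for a legitimate address containing an apostrophe, while the parameterized query returns no rows for the first and exactly one for the second.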
SQL Injection: Alive and Still Kicking Butt
"SQL injection is a likely component of retailer attacks," says Larry Ponemon, founder and chairman of Ponemon Institute. "SQL injection has been around for ages, and some of these vulnerabilities are not because of lacking tools."
For The SQL Injection Threat & Recent Retail Breaches report released in June, Ponemon Institute and DB Networks surveyed 595 IT and IT security professionals, the majority of whom said they were familiar with core intrusion detection system (IDS) technologies that detect rogue SQL statements. Further, 69 percent of those surveyed said their organization must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Sixty-five percent of the organizations represented in the study had experienced a SQL injection attack in the past 12 months that had successfully evaded their perimeter defenses, and 49 percent of respondents said the SQL injection threat facing their company is significant.
The majority of these experts — 65 percent — believe the best way to defend against SQL injection attacks and avoid mega data breaches like the one suffered by Target is through continuous monitoring of the database network, followed by advanced database activity monitoring (56 percent) and database encryption (49 percent). And yet, when asked how the IT security budget is allocated in their organizations, these experts said the lion's share (40 percent) is allocated to network security, 23 percent is allocated to Web server security and only 19 percent is allocated to database security.