SQL Injection Attacks Haunt Retailers

Published: 22/11/2024   Category: security




Only about a third of companies have the ability to detect SQL injection attacks, a new Ponemon report finds.



Retail and other industries that accept payment cards for transactions say the infamous SQL injection attack is either intensifying or remaining status quo.
In a new Ponemon Institute report on SQL injection and the recent massive retail breaches at Target, Michaels, and other big-box stores, some 53% of respondents say they believe SQL injection was one element of these high-profile breaches, where sensitive and confidential customer information was stolen.
Nearly half say SQL injection attacks are occurring at the same rate as always, while 38% say these attacks are increasing. Just 13% of the nearly 600 respondents say SQL injection attacks are decreasing.
"SQL injection still exists and doesn't seem to be abating," says Larry Ponemon, chairman and founder of the Ponemon Institute, which published the new report today. The report, which was commissioned by DB Networks, follows an April report by Ponemon that found SQL injection attacks take two months or more to clean up, and that some 65% of organizations of all types have been hit by a SQL injection attack in the past 12 months.
Verizon's famed Data Breach Investigations Report (DBIR), published in April, showed that SQL injection was used in 80% of the attacks against retailers' Web applications.
"Even though it has been around for a while and it seems like you'd expect the security world to line up and solve the problem [of SQL injection]... you don't see that happening," Ponemon says.
SQL injection was one of the weapons used in the attack on Target, he says.
"In the case of Target, they [the attackers] got PII that was not on any credit card. That was a database breach," says Michael Sabo, vice president of marketing at DB Networks, which sells behavioral analysis software for database security.
"And in all cases of major retailers [breached recently], all POS terminals in the organizations were breached with the malware. It would be highly unlikely the attacker went to each POS terminal," he says. Once they stole credentials, the Target attackers set up a POS software distribution system of their own and performed a SQL injection attack from inside Target, Sabo says.
About 34% of the organizations surveyed in the report say they have tools or technologies in place to detect a SQL injection attack, and only about 12% scan their third-party software for SQL injection flaws. The general view of many is that they are buying enterprise-grade software, Ponemon says, so scanning isn't needed.
"The nirvana would be continuous scanning of databases," he says, but only 20% of the organizations in the report do so. Nearly half don't scan for active databases, or scan irregularly, he says.
That, says Sabo, appears to have been Target's downfall. "In the case of Target, the attackers were able to stand up their own servers inside Target's systems and see the data they were stealing. But Target had no visibility into that," he says.
Some 65% of respondents pointed to continuous monitoring of databases as a way to prevent such retail breaches; 56%, advanced database activity monitoring; 49%, database encryption; 45%, chip and pin payment cards; and 39%, data leakage prevention technology.
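The database activity monitoring that respondents favour works, in its simplest form, by learning the structural shape of the SQL an application normally issues and flagging statements whose shape was never seen before. An injected tautology or UNION clause changes that shape even when the attacker supplies values that look ordinary. The following is an added illustration of that idea, not code from the Ponemon report, DB Networks or any product; the query log and the table names in it are constructed for the example.

```python
"""Structure-based database activity monitoring (added example).

Each SQL statement is reduced to a fingerprint by masking the data-dependent
parts (string and numeric literals, whitespace, case). A baseline of
fingerprints is learned from known-good traffic; anything observed later whose
fingerprint is absent from the baseline is reported. Log lines are constructed.
"""
import re

# Literal-masking rules. Order matters: strings are masked first so digits
# inside a string value are not treated as a separate numeric literal.
_STRING_LIT = re.compile(r"'(?:[^']|'')*'")        # 'abc', 'it''s'
_NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")      # 42, 3.14
_WHITESPACE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Return the structural shape of a statement with literals masked."""
    shape = _STRING_LIT.sub("?", sql)
    shape = _NUMBER_LIT.sub("?", shape)
    return _WHITESPACE.sub(" ", shape).strip().lower()


def learn_baseline(queries):
    """Set of fingerprints seen in known-good traffic (e.g. a test run)."""
    return {fingerprint(q) for q in queries}


def find_anomalies(baseline, queries):
    """Statements whose shape is not in the baseline, as (query, shape) pairs."""
    return [(q, fingerprint(q)) for q in queries
            if fingerprint(q) not in baseline]


# Constructed log of statements the hypothetical POS application issues
# during normal operation. Values differ; shapes repeat.
BASELINE_LOG = [
    "SELECT id, total FROM orders WHERE customer_id = 1042",
    "SELECT id, total FROM orders WHERE customer_id = 77",
    "UPDATE customers SET email = 'a@example.com' WHERE id = 1042",
    "INSERT INTO audit_log (actor, action) VALUES ('pos-17', 'sale')",
]

# Constructed statements observed later. The first is a normal query with a
# new value; the other two carry injected clauses that alter the shape.
OBSERVED_LOG = [
    "SELECT id, total FROM orders WHERE customer_id = 9001",
    "SELECT id, total FROM orders WHERE customer_id = 9001 OR 1=1 -- ",
    "SELECT id, total FROM orders WHERE customer_id = '' "
    "UNION SELECT card_number, 0 FROM payment_cards -- ",
]


def report(baseline_log=BASELINE_LOG, observed_log=OBSERVED_LOG):
    """Run the monitor over the constructed logs and return the anomalies."""
    baseline = learn_baseline(baseline_log)
    return find_anomalies(baseline, observed_log)


if __name__ == "__main__":
    for query, shape in report():
        print(f"ANOMALY  shape={shape!r}\n         query={query!r}")
```

Two practical caveats follow directly from the design. First, a legitimately new query introduced by a software release is also unseen in the baseline, so the baseline must be re-learned on deploy or the monitor drowns in false positives. Second, the check is purely structural: it says nothing about whether a statement that matches a known shape is authorised, which is why respondents list it alongside, not instead of, encryption and access controls.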
Nearly 20% of the respondents in the Ponemon report were from the financial services industry; 12% from the public sector; 10% from retail; 9% from health and pharmaceuticals; 8% from services; 7% from industrial; and 6% from consumer products.
Ponemon's "The SQL Injection Threat & Recent Retail Breaches" report is available here for download.
