Threat Management

Report: SQL injection a pervasive threat, behavioral analysis needed

SQL Injection attacks remain a pervasive threat to most organizations with 65 percent of respondents in a Ponemon Institute study report indicating that they had experienced one or more attacks that evaded their perimeter defense.

And, 49 percent characterized the SQL injection threat that their organization faced as “very significant," according to findings in “The SQL Injection Threat Study.” Another 23 percent rate threat significance at 7 or 8 on a scale of 1-10.

“[This] threat has been around for ages,” Dr. Larry Ponemon, chairman and founder of the Ponemon Institute said. “You would think by now this is one thing we could have cured.”

Noting that the method led to some high profile data breaches, including Heartland, Ponemon said  “companies are not coping with it all that well.”

The time lag between an SQL injection attack and its detection contributes greatly to companies' inability to respond effectively. It takes an average 140 days for an organization to detect an attack, though 40 percent of survey respondents say that detection takes six months or longer. Once the attack is discovered, it takes 68 days to remediate.

“That's nine months from discovery to resolution,” Ponemon said.

The study found that the bulk of organizations either weren't familiar (44 percent) or had no knowledge (17 percent) of the perimeter bypass techniques that criminals use — only 46 percent said they were familiar with the term WAF Bypass.

That puts companies at a distinct disadvantage — they can't guard against attacks if they're “not familiar with the technology the bad guys are using,” Ponemon said.

And, many organizations leave themselves more vulnerable to SQL injection attacks because they do not test third-party software for the vulnerability. In the study, only 12 percent claimed to check most third party software and 30 percent said they checked some.

Less than half — 47 percent — either don't scan databases or scan irregularly, according to the report.

The study cites a reliance on traditional, signature-based methods to combat the threat. But Michael Sabo, the vice president of marketing at DB Networks, which sponsored the study, notes that the rise of automated hacking tools have made “obfuscation easier. That's how they get around the perimeter.”

“You used to have to handcraft them and it took a long time,” he said. “Today even a 12-year-old can do it in a half an hour.”

But, it should become more difficult for a SQL injection attack to wreak havoc as companies began to replace or augment traditional approaches with behavioral analysis. The study found that companies are clearly heading in that direction with 88 percent of those surveyed viewing behavior analysis favorably or very favorably and 60 percent claiming that in the next 24 months, they will implement behavioral analysis-based IT security systems.

The study's findings are based on responses from 595 IT or IT security practitioners across 16 verticals.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.