Retailers should look to continuous monitoring to tackle cyber attacks, according to a Ponemon Institute survey of almost 600 IT security professionals in the US.
More than half of the respondents also believed that SQL injection was a key component of the recent spate of high-profile cyber attacks on US retailers.
Those polled came from a wide range of industries in 16 vertical markets, with nearly 70% from organisations required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
The independent research was sponsored by behavioural analysis and database security firm DB Networks to gain a deeper understanding of cyber attacks on retail organisations.
“While the details of these breaches have not been fully disclosed, this study offers some interesting insight from IT security professionals familiar with PCI DSS,” said Larry Ponemon, founder and chairman of the Ponemon Institute, which focuses on research on privacy, data protection and cyber security.
Suspicion falls on crime syndicates
Read more about retail breaches
- Target data breach: Why UK business needs to pay attention
- Retail easy pickings for hackers, says Verizon
- UK shoe retailer Office hit by data breach
- Michaels breach: Retailer says up to three million cards affected
- Sears confirms data breach investigation amid retailer data breaches
- Target breach details: Was the retailer PCI DSS compliant?
- Major retail breaches highlight point-of-sale security weaknesses
Despite initial reports that a Russian teenager was the behind the Target breach, half the respondents believe cyber criminal syndicates are the most likely culprits, while 23% nominated hacktivists.
Lone wolf hackers (15%), nation states (11%) and other attackers (1%) were identified as the least likely to be responsible for the cyber onslaught against the retail sector.
“Most respondents recognised that the recent attacks are too sophisticated to be the work of lone wolf hackers,” Ponemon told Computer Weekly.
In the absence of any detailed knowledge, around 53% of respondents said that, in their experience, SQL injection was likely to be one of the attack vectors used against the retail firms.
“While it has not been widely reported, it is obvious that these attacks were database attacks,” said Michael Sabo, vice-president of marketing at DB Networks.
“The fact Target lost 70 million customer records not related to credit card information, for example, indicates that the attackers must have accessed a database containing those records that was separate from the point of sale system supposedly compromised using stolen contractor credentials.”
The database aspects of these attacks are key to understanding the data breaches, said Sabo.
Escalating SQL injection threat
While most respondents believed the database attacks involved SQL injection, almost half of the respondents said the SQL injection threat facing their own organisation is very significant
Most respondents said they believe SQL injection attacks are increasing (38%) or staying the same (45%); while only 13% think they are decreasing and 4% said it was impossible to say.
“Considering SQL injection has been a problem for a number of years, you would expect to see most organisations resolving or attempting to resolve this threat,” said Ponemon.
But nearly two-thirds of respondents felt their organisation did not currently have the technology or tools to detect SQL injection database attacks quickly.
Lack of preparation
“The reality is that many organisations are not necessarily prepared to deal with SQL injection in terms of technology and personnel,” said Ponemon.
Less than half (48%) said they test third-party software to ensure it is not vulnerable to SQL injection, but only 12% said they check all third-party software and 6% were unsure if they did any checking.
And while 44% said they use professional penetration testers to check their IT systems, 65% of these tests do not look for SQL injection vulnerabilities.
“Many organisations believe if they simply write code that is not vulnerable to SQL injection they are safe, but that is not true because so much of their application environment is based on third-party software, frameworks and databases” said Sabo.
“Two years ago, a major SQL injection vulnerability was found in Oracle’s database management system itself, which was a big problem,” he said.
PCI DSS vulnerabilities
Sabo believes PCI DSS is weak when it comes to database attacks, particularly in the case of SQL injection, which can be used by attackers to exploit internal as well as public-facing web apps to compromise databases.
“PCI DSS says you can do one of two things as a countermeasure to SQL injection: Install a web application firewall (WAF) or scan code, but neither addresses third-party vulnerabilities,” he said.
“It is also widely known that it is relatively easy to bypass a WAF, so only installing a WAF is almost like doing nothing at all, because it is no longer an effective defence.”
When asked what they thought was the best approach to sort out retail data breaches, the majority (65%) said continuous database monitoring, followed by advanced database activity monitoring (56%).
However, while 53% said they scanned regularly for active databases, only a third scanned on a continuous (20%) or daily basis (13%).
The rest said they scanned only weekly (5%), monthly (3%), quarterly (4%), six-monthly (2%) and annually (6%), while a quarter revealed they scan irregularly and 22% said they do not scan at all.
The issue here, said Sabo, is that application developers often set up test databases that contain real data, but these databases are typically not well protected or patched and are often forgotten about.
“Also, if attackers are able to set up their own databases in the environment, the risk is that other databases on the same network will trust them and grant them access,” he said.
Continuous monitoring essential
Failure to scan for databases, said Sabo, could also result in failure to identify improper segmentation of networks in contravention of PCI DSS.
“Continuous monitoring at the database tier is essential because the perimeter can no longer be trusted and organisations need to know what is going on in their core networks,” he said.
Database encryption was recommended by 49% of respondents, while chip and pin technology for payment cards was supported by 45% and data leak prevention technology by 39%, only 18% mentioned IT staff education.
Despite these insights and changes in technology and threats, organisations continue to allocate the bulk of their budget (40%) to network security.
Consequently only 23% is allocated to web server security, 19% to database security, 14% to client security and 4% to other areas.
“The bulk of the investment continues to be in network security, even though most of the unresolved threats seem to be in software and applications,” said Ponemon.
“This is often because organisations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”