SQL injections can be a nightmare for any DBA. Not only is SQL injection a common method for exploiting vulnerabilities in application software, but it's particularly nasty because it can be used to attack SQL databases in several different ways.
In a study recently conducted by the Poneman Institute on behalf of DB Networks, research findings showed that SQL injection remains a pervasive threat, where 65 percent of respondents stated that they had experienced one or more SQL injection attacks that invaded their perimeter defenses in the last 12 months.
The empirical study included 595 respondents across 16 verticals in the United States, where all respondents were IT or IT practitioners. The purpose of this study is to better understand how organizations respond to SQL injection attacks, as well as awareness around different approaches to managing the risk.
Lack of Real-Time Detection
Notably, the study also determined that there was a lack of real-time detection for SQL injection attacks, where it takes approximately 140 days for an organization to detect an attack on average. The study also noted that 40 percent of respondents stated that it took six months or longer to detect an attack. Furthermore, the study found that it took an additional 68 days on average to actually remediate the attack.
Related: SQL Injection - Beyond the Basics
To help explain why the majority of respondents were dealing with a SQL injection attack, the study revealed that these organizations often are not familiar with techniques used for these attacks. Less than half of the respondents at 46 percent were familiar with the term Web Application Firewalls (WAF) bypass. Additionally, a low, 39 percent of respondents were familiar or very familiar with different techniques that are used to get around WAF perimeter security devices.
Lack of Resources to Defend Against SQL Injection Attacks
When it comes to attack presentation, the study also provided insight into this, where 31 percent of respondents stated that their organization's IT security possess the skills, knowledge, and expertise to quickly detect an attack. Furthermore, 34 percent agreed that they have the necessary tools to detect an attack. Stated differently, these statistics show that many organizations aren't properly equipped to defend against these type of attacks.
The study also revealed that tactics used by the organization to thwart SQL injection attacks were also lacking. Although the majority of respondents were concerned about SQL injection attacks, 52 percent did not take testing or validation of third-party software as a precaution to ensure the organization wouldn't be vulnerable to an attack. Additionally, one-third of respondents stated that they scanned contiously or daily for active databases. However, 25 percent said that scanned irregularly, and 22 percent stated that they do not scan at all.
Behavioral Analysis Solution Urged
Based on these research findings, DB Networks urged organizations to move toward a behavioral analysis solution to combat the SQL threat. With this type of solution, DBAs can secure database transactions as a technology that automatically creates a model of proper SQL behavior, where every SQL statement that's attempting to access the database is tested against the model. If you have activity that deviates from the established behavioral model, then it's likely that you've got a security event. According to DB Networks, behavioral analysis provides immediate protection against zero-day threats.
Notably, the study showed that many organizations are already thinking about moving to this type of solution, where 88 percent of respondents viewed behavioral analysis as very favorably or favorably. Furthermore, 60 percent of respondents said their organizations have or will move to a behavioral analysis system within the next two years, where most systems will be used on client systems (64 percent of respondents), followed by on the perimeter network (56 percent of respondents).