CIO

Are Digital Retailers Focusing Their Security in the Wrong Place?

Digital retailers spend the lion's share of their IT security budget on networks, but experts say they'd be better off focusing elsewhere

High-profile data breaches have plagued retail this year -- Target, Neiman Marcus, Michael's and other U.S. retailers have seen headlines about their woes splashed across both digital and print media.

In Target's case, the breach of 40 million payment card records and 70 million records containing personally identifiable information (PII) led first the CIO and then the CEO to resign. Could retailers be focusing their security efforts in the wrong areas?

According to a study released this month by privacy and security research firm Ponemon Institute and database security specialist DB Networks, a majority of security experts believe that the venerable technique of SQL injection was an important component of these attacks.

SQL injection, publicly documented since 1998, exploits a Web application that builds database queries from untrusted input. The attacker places SQL fragments in a form field, URI path segment, query parameter or cookie value; when a vulnerable application concatenates that input into a query string, the database receives and executes a statement the developer never intended, usually one that reads, modifies or deletes data the application would not otherwise expose. In extreme cases, SQL injection can give an attacker control of the server on which the database resides.
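The flaw described above, as an added example that is not from the article or from the Ponemon/DB Networks report: a customer lookup built by string concatenation beside its parameterized form, both run against a constructed in-memory SQLite table. The schema, rows, column names and the attacker payload are invented for illustration; any database driver that supports bound parameters behaves the same way.

```python
import sqlite3

# Constructed sample schema and rows (not from the article).
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
INSERT INTO customers VALUES (1, 'alice@example.com', '4242');
INSERT INTO customers VALUES (2, 'bob@example.com', '1881');
"""

# Constructed attacker input: closes the open quote, appends a tautology so the
# WHERE clause matches every row, and comments out the rest of the statement.
PAYLOAD = "x' OR '1'='1' -- "


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string concatenation: the classic SQL injection flaw.

    Whatever the user typed becomes part of the SQL text, so quote characters and
    keywords in the input change the structure of the query.
    """
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Passes the value as a bound parameter.

    The statement text is fixed before the driver ever sees the input; the input is
    compared as a value and can never be interpreted as SQL.
    """
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run the same payload through both code paths and return what each leaked."""
    conn = make_db()
    return {
        "vulnerable_rows": lookup_vulnerable(conn, PAYLOAD),
        "parameterized_rows": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable path returns every customer row for the payload because the executed statement becomes `... WHERE email = 'x' OR '1'='1' -- '`; the parameterized path returns nothing, since it looks for a customer whose e-mail address is literally the payload string. Note that Python's `sqlite3` refuses to run more than one statement per `execute()` call, so a stacked `'; DROP TABLE ...` payload would fail here even against the vulnerable function; that is a property of this driver, not a defence to rely on.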

SQL Injection: Alive and Still Kicking Butt

"SQL injection is a likely component of retailer attacks," says Larry Ponemon, founder and chairman of Ponemon Institute. "SQL injection has been around for ages, and some of these vulnerabilities are not because of lacking tools."

[Related: Target CIO Resignation Puts Retail CIOs on Alert]

For The SQL Injection Threat & Recent Retail Breaches report released in June, Ponemon Institute and DB Networks surveyed 595 IT and IT security professionals, the majority of whom said they were familiar with core intrusion detection system (IDS) technologies that detect rogue SQL statements. Further, 69 percent of those surveyed said their organization must comply with the Payment Card Industry Data Security Standard (PCI DSS).

Sixty-five percent of the organizations represented in the study had experienced a SQL injection attack in the past 12 months that successfully evaded their perimeter defenses, and 49 percent of respondents said the SQL injection threat facing their company is significant.

The majority of these experts -- 65 percent -- believe the best way to defend against SQL injection attacks and avoid mega data breaches like the one suffered by Target is continuous monitoring of the database network, followed by advanced database activity monitoring (56 percent) and database encryption (49 percent). And yet, when asked how the IT security budget is allocated in their organizations, these experts said the lion's share (40 percent) goes to network security, 23 percent goes to Web server security and only 19 percent goes to database security.
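A simplified form of the database activity monitoring the respondents favour, and of the rogue-statement detection mentioned earlier in the survey, as an added example that is not from the article, the report or any DB Networks product: the monitor learns the shape of the statements an application is known to issue by replacing literals with placeholders, then flags live statements whose shape was never seen and tags them with the injection markers they contain. The baseline statements, the captured traffic and the table names are constructed for illustration.

```python
import re

# Constructed baseline: statements a hypothetical storefront is known to issue.
BASELINE = [
    "SELECT id, email, card_last4 FROM customers WHERE email = 'alice@example.com'",
    "SELECT sku, qty FROM cart WHERE customer_id = 17",
    "UPDATE cart SET qty = 2 WHERE customer_id = 17 AND sku = 'SKU-001'",
]

# Constructed live traffic: benign requests mixed with injected statements.
TRAFFIC = [
    "SELECT id, email, card_last4 FROM customers WHERE email = 'bob@example.com'",
    "SELECT sku, qty FROM cart WHERE customer_id = 42",
    "SELECT id, email, card_last4 FROM customers WHERE email = 'x' OR '1'='1' -- '",
    "SELECT sku, qty FROM cart WHERE customer_id = 0 UNION SELECT name, sql FROM sqlite_master",
    "SELECT sku, qty FROM cart WHERE customer_id = 17; DROP TABLE cart",
]

# Quoted strings ('' is an escaped quote) and bare numbers are the bound values
# a legitimate application varies from request to request.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")

# Classic injection signatures, matched against the normalized template so that
# 'OR 1=1' and "OR 'a'='a'" both reduce to the same pattern.
MARKERS = [
    ("tautology", re.compile(r"\bor\s+\?\s*=\s*\?")),
    ("union-based read", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("comment truncation", re.compile(r"--|/\*")),
    ("stacked statements", re.compile(r";\s*\S")),
]


def normalize(sql: str) -> str:
    """Reduce a statement to its template: literals become '?', whitespace and
    case are folded, a trailing semicolon is dropped."""
    template = _LITERAL.sub("?", sql)
    template = _WS.sub(" ", template).strip().rstrip(";")
    return template.lower()


class StatementMonitor:
    """Allowlist of statement templates learned from known-good traffic."""

    def __init__(self, baseline_statements):
        self.templates = {normalize(s) for s in baseline_statements}

    def check(self, sql: str) -> dict:
        """Classify one statement; any reason at all raises an alert."""
        template = normalize(sql)
        reasons = [name for name, rx in MARKERS if rx.search(template)]
        if template not in self.templates:
            reasons.insert(0, "unknown statement shape")
        return {"sql": sql, "template": template, "alert": bool(reasons), "reasons": reasons}

    def scan(self, statements) -> list:
        return [self.check(s) for s in statements]


if __name__ == "__main__":
    for r in StatementMonitor(BASELINE).scan(TRAFFIC):
        flag = "ALERT" if r["alert"] else "ok   "
        print(f"{flag} {r['sql']}\n      {', '.join(r['reasons']) or 'matches baseline'}")
```

The two benign requests differ from the baseline only in their literals and pass; the three injected statements fail the allowlist and each also carries a recognisable marker. The weakness of the approach is the same one the survey hints at with its low monitoring rates: a baseline is only as good as the traffic it was learned from, so a newly deployed query will alert as "unknown statement shape" until someone reviews it and adds it, and a monitor that is consulted irregularly accumulates a backlog nobody triages.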

[Slideshow: Top 12 Retailers for Security and Privacy Practices ]

Ponemon notes that this misalignment in the allocation of security budget may be a result of old-think in the security profession.

"Older security professionals have done most of their training around network security and the perimeter," Ponemon says. "That's what they know."

More Than IT Is to Blame

Steve Durbin, global vice president of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members, says the business and the board of directors must bear some of the responsibility.

"We have always been concerned about the perimeter," Durbin says. "It's an easier message for the board or the risk management committee to understand. Increasingly, we are seeing the question being asked around cybersecurity: 'How protected are we?' The easy answer is that our perimeter is secure."

"The pursuit of 100 percent security is just folly," Durbin says. "It's a fool's goal. You have to assume that even though you're doing your best, you're going to be breached at some point in time. That is not a palatable message to deliver to the board."

[Related: Target, The Gap and Others Form Group to Share Cyberthreat Data]

And that often leads security professionals to focus on initiatives that appeal to the board rather than on efforts to mitigate the damage when breaches do occur.

Simple Advice: Follow the Database

Only one-third of respondents in the survey said they monitor for active databases continuously or daily. Many scan for active databases irregularly (25 percent) or don't bother scanning at all (22 percent). Only 48 percent of respondents said they test or validate third-party software to make sure it's not vulnerable to SQL injection. And while 44 percent of respondents said they do use professional penetration testers to identify vulnerabilities in their IT systems, 65 percent of that group said the penetration tests do not include testing for SQL injection vulnerabilities.

"It's well-known that database breaches, including these high-profile attacks against retailers, are devastating to merchants in terms of lost sales and damage to their reputation," says Brett Helm, chairman and CEO of DB Networks. "This study sheds additional light on the likely attack chain so that all retailers can now be more prepared in the future."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.