Most IT security professionals surveyed in a recent study agree that the best way to fend off the kind of data breaches that struck Target and Michaels is through continuous monitoring of database networks, yet only one-third say they do just that.
In analyzing the input from more than 595 IT security pros for “The SQL Injection Threat & Recent Retail Breaches” study, the Ponemon Institute found that 25 percent scan irregularly and another 22 percent don't scan at all.
“The Nirvana state is to scan continuously,” Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazine.com on Tuesday. “But we'd settle for once a day or week at this point.”
The report, commissioned by DB Networks, revealed that 50 percent of participants believed that recent attacks on U.S. retailers were the handiwork of crime syndicates. Pointing out that early reports tried to pin the Target breach on a 17-year-old Russian hacker, Michael Sabo, vice president at DB Networks, told SCMagazine.com that “respondents didn't believe in the lone wolf.”
In fact, only 16 percent of study respondents said an individual orchestrated the breaches while a mere 11 percent laid the blame on nation-state actors.
More than half — 57 percent — believe that the recent U.S. retail data breaches involved SQL injections, with 53 percent saying the technique was used to steal sensitive information. Despite the perceived prevalence of SQL injection threats, 52 percent don't even take basic precautions, such as testing and validating third-party software, to guard against them.
The pros surveyed differed on how to handle victim notification after a breach, with 36 percent saying they'd rather wait until they've completed a thorough investigation. Breach victims have admonished retailers for delayed notification.
And while 53 percent of those surveyed do agree that companies should respond more quickly, only two percent say notification should occur within three days, and 17 percent said the notification timeframe should be less than a week. The remaining 34 percent favored notification within a month.