Database Security Still Failing

I may have to rename this blog to DarkReading Coles Notes or something.  They’ve got all the good content!

According to an article contributed to DarkReading by Ericka Chickowski, a survey conducted by Unisphere Research on behalf of Application Security Inc. questioned 214 Sybase administrators from the International Sybase User Group (ISUG) about their database security practices.  Most of their organizations lacked controls to keep database information protected across the enterprise.

“Many DBAs and general IT decision-makers admit they know little about critical database security issues such as change control, patch management, and auditing.”

The survey found that 37% of respondents weren’t sure how long it takes to detect and correct unauthorized changes to a database.  About 35% said that they rarely apply security patches or didn’t know how often they were applied.  Just under two-thirds do not have automated database configuration management or patch management tools.  And yet, well over half of respondents said they don’t think they are likely to experience a breach in the next year.  What The….??  Hello, is this thing on?
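The detection control that 37% of respondents could not put a number on is, at its simplest, a baseline compare: snapshot the definition of every catalog object, hash it, store the approved baseline, and re-run the compare on a schedule so "how long does it take to detect an unauthorized change" has an answer measured in minutes.  The following is an added example of that control, not code from the post or from the survey.  It uses SQLite's sqlite_master catalog so it runs offline; on Sybase or Oracle the same idea reads the server's system catalog instead, which I'm assuming rather than showing, and the table, trigger and view names are constructed for the demo.

```python
import hashlib
import json
import sqlite3

# Added example (not from the original post). SQLite's sqlite_master stands in for a
# real DBMS system catalog; the technique is the same: hash every object's definition,
# persist an approved baseline, and report anything that drifted outside change control.


def schema_snapshot(conn):
    """Return {"type:name": sha256(type + DDL)} for every user object in the catalog."""
    rows = conn.execute(
        "SELECT type, name, COALESCE(sql, '') FROM sqlite_master "
        "WHERE name NOT LIKE 'sqlite_%' ORDER BY type, name"
    ).fetchall()
    snapshot = {}
    for obj_type, name, ddl in rows:
        digest = hashlib.sha256(f"{obj_type}\n{ddl}".encode("utf-8")).hexdigest()
        snapshot[f"{obj_type}:{name}"] = digest
    return snapshot


def save_baseline(snapshot, path):
    """Persist the approved baseline; in practice keep this outside the DBA's reach."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot, fh, sort_keys=True, indent=2)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_snapshots(baseline, current):
    """Classify drift: objects added, removed, or whose definition changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: an approved schema, then three unauthorized changes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT);
        CREATE TABLE audit_log(id INTEGER PRIMARY KEY, who TEXT, what TEXT);
        CREATE TRIGGER trg_customer_update AFTER UPDATE ON customers
        BEGIN
            INSERT INTO audit_log(who, what) VALUES ('app', 'update customers');
        END;
        CREATE VIEW v_customers AS SELECT id, name FROM customers;
    """)
    baseline = schema_snapshot(conn)

    # Simulated out-of-band changes: the audit trigger is dropped, the view is widened
    # to expose card data, and an unexplained staging table appears.
    conn.executescript("""
        DROP TRIGGER trg_customer_update;
        DROP VIEW v_customers;
        CREATE VIEW v_customers AS SELECT id, name, card_last4 FROM customers;
        CREATE TABLE tmp_export(payload TEXT);
    """)
    return diff_snapshots(baseline, schema_snapshot(conn))


if __name__ == "__main__":
    drift = demo()
    for kind, names in drift.items():
        for name in names:
            print(f"{kind.upper():9} {name}")
```

Run it from cron or the scheduler against each instance, write the baseline somewhere the database accounts cannot modify, and page on any non-empty result that does not match an approved change ticket.  A dropped audit trigger or a view that suddenly exposes a card column is exactly the kind of change the survey respondents admitted they might never notice.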

The results of this survey echo the findings of previous surveys of Oracle DBAs, and to me are indicative of a major vulnerability just waiting to be exploited.  Oh pardon me, it probably IS being exploited…

In my opinion, I can’t blame the DBAs; accepting this risk is an executive decision, and there really is no excuse for it.  Yes, patching databases is difficult.  Yes, patching may interrupt business for a period of time.  Yes, it may cause some breakage.  But come on: if this is truly critical or sensitive information, it is being served up by a redundant cluster, which lets you patch one node at a time, and there simply is no acceptable excuse for bringing this much risk into an organization.  I’ll bet the big boss doesn’t know, or doesn’t understand, those risks.  Yet.  If he or she does, well, tsk, tsk, tsk.  He or she will find out soon enough what the impacts of not patching are.

The risk of doing nothing far outweighs the risk of doing the right thing.  PATCH!!!  And if you really can’t patch quickly, PLAN!!!  Otherwise it will only get worse.