
Despite High Value Of Information, Many Companies Lag On Database Security

Administrators often fail to patch promptly, configure securely

Jun 16, 2009 | 09:10 AM

By Ericka Chickowski
DarkReading

A Special Analysis For Dark Reading

Excerpted from "Why Your Databases Are Vulnerable To Attack -- And What You Can Do About It," a new, downloadable report posted today on Dark Reading's new Database Security Tech Center.

Which application serves your company's most sensitive data? If you said databases, you're in the majority. Yet while most enterprises have spent a great deal of time and money on defending their network perimeters, experts say, surprisingly few of them have spent much time securing their databases.

"Last year at our security summit, I did a presentation on database security best practices, and we did an informal poll of the audience made up of a couple of questions," says Jeffrey Wheatman, research director of information security and privacy at IT consulting giant Gartner. "The first question was, 'How many of you in the audience have a component of your security program around database security?' Only about 10 percent of the people said, 'Yes.'"

In a more formal study, Forrester Research corroborated Wheatman's observations. In fact, the firm's November 2008 Global Database Management Online Survey found that, on average, database administrators spend less than 5 percent of their time on security.

Yet in a February study, the Verizon Business RISK team -- a forensics service that investigates the causes of corporate security breaches -- found that databases accounted for a whopping 75 percent of all records breached in Verizon's investigations last year. These figures confirm what most IT managers (and hackers) intuitively know -- a single database breach can expose an enormous number of records.

So why don't companies do a better job of protecting their databases? At the core of the problem is a fundamental disconnect between the IT security world and the database world, experts say.

"You've got a lot of people in security who don't know much about databases or their worries, and a lot of [database administrators] who don't know much about security -- or if they do know about security, they tend to rely on the native [security capabilities of] database products," says Rich Mogull, founder and principal analyst at Securosis, a security consulting firm.

The result of this disconnect often is a lack of attention paid to security, experts say.

"Production databases don't get patched nearly often enough, because they're busy database servers and people will say, 'If it isn't broken, don't fix it,'" says Adam Muntner, partner at QuietMove, a Phoenix-based vulnerability assessment firm. A poll conducted by the Independent Oracle Users Group in 2008 confirmed Muntner's assessment: 26 percent of organizations in the study said they take more than six months to patch their Oracle databases; 11 percent have never patched them.

So what can companies do to improve their database security? One strategy is to keep your configurations lean, says Sidnie Feit, an analyst for The Standish Group International. "A system security lesson that database administrators should take to heart is to strip everything that is not essential from the database server," Feit writes in a report called "The Other Side of Database Security." "That includes documentation shipped with the product, sample configuration and code files and, if possible, unused built-in stored procedures. Then disable anything else that is unused but cannot be deleted."

Organizations could also do a better job hardening their database systems by using the features offered by their database vendors. Even as database management systems are improving their stock of native security tools, database managers are falling behind in their efforts to implement them, observers say.

Mogull says that if organizations simply addressed the basics of configuration and patch management, their database systems would be considerably more secure. Muntner concurs. "It's not rocket science," he says.
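The configuration and patch hygiene that Feit and Mogull describe, as an added Oracle SQL example that is not from the article or the reports it quotes: it lists shipped sample schemas, finds PUBLIC execute grants on built-in network and file packages, shows the lock-or-drop remediation, and reads the database's own patch history. It assumes Oracle 10gR2 or 11g and Oracle's standard sample-schema names; adjust both for your installation.

```sql
-- Added example (not from the article): a DBA-run hardening audit for
-- Oracle 10gR2/11g. Sample-schema names are Oracle's shipped examples and
-- are an assumption; remove any your applications legitimately use.

-- 1. Sample and demo schemas installed with the product. Feit's advice:
--    they have no business on a production server.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'PM', 'IX', 'SH', 'BI')
 ORDER BY username;

-- 2. Built-in packages that every account can execute because PUBLIC
--    holds the grant. These cannot be deleted, so the fix is to revoke.
SELECT table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                      'UTL_INADDR');

-- 3. Remediation. Drop a sample schema only after confirming nothing
--    depends on it; otherwise lock and expire the account so it cannot
--    be used to log in.
DROP USER scott CASCADE;
ALTER USER hr ACCOUNT LOCK PASSWORD EXPIRE;

-- Revoking from PUBLIC breaks code that relied on the implicit grant;
-- re-grant EXECUTE explicitly to the one schema that really needs it.
REVOKE EXECUTE ON utl_file FROM PUBLIC;
REVOKE EXECUTE ON utl_tcp  FROM PUBLIC;
GRANT EXECUTE ON utl_file TO app_owner;   -- app_owner: placeholder schema

-- 4. Patch level as recorded by the database itself. No rows, or a most
--    recent CPU that is years old, is the "never patched" case from the
--    IOUG poll.
SELECT action_time, action, version, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

Run the two SELECTs first and review the output with the application owners before applying the DROP, ALTER and REVOKE statements, which are not reversible without a backup.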

To read more about the causes of database security breaches -- and more detailed recommendations on how to prevent them -- download the free report.


Database Security Reports

Database Activity Monitoring: Emerging Technology Keeps Tabs on Assets
You can read about the consequences of not protecting critical data in the daily headlines. In response, security-conscious organizations are tackling the complexities involved in effectively monitoring their databases for potential leaks and compromises. Fortunately, an emerging class of software is stepping up to help. Here's what enterprises need to know about selecting, deploying, and managing DAM technology.

SQL Injection: A Major Threat to Data Security
Of all the attacks taking place on Web sites across the Internet today, SQL injection is the most popular for cybercriminals trying to hack their way into corporate data stores. But for such a pervasive threat, there is still little understanding within the development and database communities about what constitutes a SQL injection vulnerability, how attacks against a SQL injection bug work, and how to mitigate the risk. We examine how these exploits work and what you can do to stop them.

Protecting Your Databases From Careless End Users
While much attention is paid to outside attackers' efforts to crack enterprise databases, IT organizations often overlook an even greater threat: end users. Ignorance and disregard of company security policies may lead employees to expose their organizations' databases to compromise, often without even knowing that they're doing so. In this report, we offer advice on how to educate users on database security, and some common-sense recommendations on how to limit the damage.

A Database Administrator's Guide to Security
While most security pros have become painfully aware of the threats posed to their organizations' databases, many of those who create and maintain the databases still don't fully understand the danger. This "security primer" is designed to open the eyes of the DBA to the risks posed by poor database security -- and to current "best practices" that can help prevent those risks from becoming reality.

Why Your Databases Are Vulnerable To Attack -- And What You Can Do About It
Most of an enterprise's most sensitive and valuable information resides in databases. Yet, in many organizations, database security is often neglected, misunderstood, or even ignored. In this report, we discover why databases have become one of the most popular targets for hackers -- and how everyday mistakes in database administration contribute to these attacks. We also offer some advice on what your organization can do to protect your most critical data -- and to stop hackers in their tracks.

Related Content

HOWTO Secure and Audit Oracle 10g and 11g
Read the "Hardening Your Database" chapter from the 454-page book "HOWTO Secure and Audit Oracle 10g and 11g" and learn how to navigate the many security options within Oracle (authored by database security expert and Guardium CTO, Ron Ben Natan, Ph.D.)

HOWTO Monitor Database Activity
Read the "Database Activity Monitoring (DAM)" chapter from "HOWTO Secure and Audit Oracle 10g and 11g" (CRC Press, 2009) and learn how to leverage DAM to prevent cyberattacks, monitor privileged users and track access to sensitive data.

8 Steps to Holistic Database Security
Get the 8 essential best practices for a holistic approach to both safeguarding databases and achieving compliance with key regulations such as SOX, PCI-DSS, NIST 800-53 and data protection laws.

Essential Steps to Implementing Database Security and Auditing
Learn best practices and specific tips for effectively securing Oracle, SQL Server, DB2, MySQL and Sybase environments, including tracking security vulnerabilities, the anatomy of buffer overflow vulnerabilities and database auditing.

Databases at Risk: Current State of Database Security (ESG Research)
This recently published ESG report analyzes the current state of database security -- concluding it depends upon too many manual processes -- and also offers concrete steps to improve database security across the enterprise.