'Super Users' Could Threaten Database Security, Study Says
Survey by Independent Oracle Users Group says most database administrators haven't implemented proper defenses
October 1, 2008
Usually, the database administrator (DBA) is your organization's staunchest defender of your sensitive data. But what if that DBA -- or another privileged user -- becomes disgruntled and decides to do some damage?
That possibility is one of the things that keeps Oracle administrators up at night, according to a newly published study conducted by the Independent Oracle Users Group (IOUG). In a survey of more than 300 IT and database administrators, the group found that the greatest risks to corporate data come from internal access, either by unauthorized users or by "super users" with special access privileges.
Most organizations don't have mechanisms in place to prevent DBAs and super users from reading or tampering with sensitive information in financial, human resources, or other business applications, the survey says. Most of the respondents said they are unable to even detect such breaches.
One out of five respondents expects a data breach or incident during the coming year. Only one out of four said that all of their databases are locked down against attacks. One out of four sites covered in the survey said they do not encrypt the data within their databases, and nearly one in five is not even sure whether such encryption takes place, according to the IOUG.
"The problems are both organizational and technical," says Ron Bennatan, CTO of database security company Guardium Inc. "DBAs have traditionally focused on performance and availability as their key priorities, while IT security has primarily focused on perimeter and end-point security. Now the two groups need to work together, usually in conjunction with risk and compliance people, to close these gaping holes.
"On a technical level, there are a number of well known limitations with native database logging and auditing utilities, such as their complexity and impact on database performance," Bennatan says. "That means that most DBAs are very reluctant to turn them on, because it just creates more headaches for them and doesn’t really address the core problems."
— Tim Wilson, Site Editor, Dark Reading