Almost half of all companies have internal databases with known vulnerabilities, with the average vulnerable database having 26 publicly disclosed flaws – more than half of which are critical or high-severity issues, according to data collected over the past five years by Internet security firm Imperva.
While vulnerable on-premises databases gain some protection from being inside the corporate firewall, companies that leave known flaws unpatched are exposing those databases to attackers who gain access to the corporate network or who can use public-facing applications to deliver payloads to the back-end systems, the company states in a blog post. Many of the unpatched vulnerabilities are at least 3 years old, and more than half (56%) are considered serious.
This level of vulnerability represents a large attack surface, says Elad Erez, chief innovation officer at Imperva.
"From the attacker's point of view, once they are in the network they can scan for databases, and they will likely find one that is vulnerable with more than 20 vulnerabilities," he says. "And as we know, finding an exploit for a known vulnerability is as easy as Googling it."
Data has always been a primary focus of cybercriminals and nation-state attackers. In the past, attackers have gained access to internal networks and exfiltrated large corpora of data, leading to massive data breaches. The breach of retail giant Target, the espionage attack against the US Office of Personnel Management, and the more recent exposure of tens of millions of customer records from MGM Hotels all happened after attackers gained access to internal networks.
The move to cloud-based data storage has shifted attackers' focus, but most organizations continue to rely on on-premises databases, especially for internal business data and other sensitive information, Imperva stresses.
"For years, organizations have prioritized and invested in perimeter and endpoint security tools, assuming the protection of the systems or network around the data would be enough," the company states in its research blog. "However, that approach is not working as this is an expansive and global problem. Organizations need to rethink the way they secure data in a way that genuinely protects the data itself."
The data comes from a database scanning tool that Imperva's Innovation lab released more than four years ago in an attempt to get more insight into internal databases. The tool has scanned more than 29,000 internal databases and provided Imperva with anonymized data.
The tool found that companies fail to regularly patch their database systems, but some companies in certain countries are doing better than others. Firms in France, for example, have the most exposure, with 84% of databases having at least one vulnerability and the average vulnerable database having a whopping 72 security issues. Singapore and Australia came in second and third, with 65% and 64% of databases having a vulnerability, respectively, but the two countries had significantly different levels of vulnerability: The average vulnerable database in Australia only had 20 vulnerabilities, while Singapore's average was 62.
Organizations in the United States did better than average, with 39% of databases having at least one vulnerability and with vulnerable databases having 25 flaws, on average.
Among the most significant issues are authentication bypass vulnerabilities that allow attackers to access the database without logging in, Erez says.
Moving data to the cloud will deliver higher levels of security more consistently, but misconfiguration becomes a significant problem, he says. In the rare cases when a vulnerability is found, it can have dire consequences. Two recent vulnerabilities discovered in Microsoft's Azure public cloud could have led to mass compromises of other companies' cloud infrastructure and data.
"[There are] optimistic conclusions, but some of them are concerning as well," Erez says. "Because cloud databases are way more managed and easily updated, we see a decrease in the number of databases that are exposed."
Companies should scan their databases regularly to gain visibility into their security state, he says. There are a variety of tools for checking the patch level of databases.
"It seems like too many people forgot about data security and basic hygiene," Erez says. "This is a very simple scan. It takes less than two minutes to scan and get results, so you can start with security posture and understand where you are."