Litchfield: 500,000 Database Servers Have No Firewall

UK security guru set to expose vulnerabilities in DB servers across the Web

Despite all the hype surrounding data security and breaches, many enterprises still don't even have a firewall protecting their database servers, according to a forthcoming study.

Renowned security expert David Litchfield Monday will release the results of his latest vulnerability study, which features some surprising numbers about database threats, according to a report in a British trade publication that got a sneak peek at the study.

Litchfield pinged over 1 million randomly generated IP addresses, checking to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database, according to the report.

He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet," he says in the study.

In an interview, Litchfield said that given the publicity surrounding corporate data breaches over the past two years, he is amazed that he found more exposed database servers in 2007 than he did in his 2005 study.

"It's terrible," he said. "We all run around like headless chickens following these data breach headlines... Organizations out there really don't care. Why are all these sites hanging out there without the protection of a firewall?"

A summary of Litchfield's findings is scheduled to be published Monday on his Website, DatabaseSecurity.com.

— Tim Wilson, Site Editor, Dark Reading