Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/18/2011
10:08 PM
50%
50%

Survey: Database Administrators, IT Security Still Not On The Same Page

DBAs lack understanding of change control, patch management, ISUG study says

Database administrators still don't get security, according to a study published Wednesday.

Many DBAs and general IT decision makers admit they know little about critical database security issues, such as change control, patch management, and auditing, the survey says.

Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.

"A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information," the survey report stated. "Only one out of five take proactive measures to mask or shield this data from prying eyes."

According to the report's author, Unisphere Research analyst Joe McKendrick, the ISUG survey is one in a series of similar database security surveys being conducted across numerous database user groups, including those that run other platforms, such as Oracle and SQL Server.

"This [ISUG survey] pretty much follows the same script as the survey responses in the other database environments," McKendrick said. "It's very consistent -- with a very common theme across all of these different user groups and technology bases -- that there is a disconnect between management and security."

One of the biggest problems is a lack of understanding of change management and patch management, according to the research. The survey found that 37 percent of respondents didn't know or weren't sure how long it takes to detect and correct unauthorized changes to the database.

About 35 percent of those surveyed said that they rarely apply security patches across their database portfolio or didn't know how often patches were applied. Just less than two-thirds of organizations do not have any kind of automated database configuration management or patch management tools employed.

Yet, well more than half of respondents said they don't think they are likely to experience a breach in the next year.

According to Rich Mogull, founder of analyst firm Securosis, the results from this ISUG survey aren't very surprising.

"We still see very much a split between the database and security worlds -- and not nearly the level of communication between the two of them that we'd like," Mogull says.

Mogull believes that the lack of knowledge about change management isn't strictly a security issue. "That's something that the database guys themselves should be keeping track of for performance reasons, if nothing else."

Many security experts believe that organizations need to do a better job increasing the visibility of data assets across the enterprise -- to both DBAs and security professionals. This visibily starts with data classification, says Alex Hutton, principal in research and risk intelligence for Verizon Business.

"We need to ask ourselves, 'Where are these pieces of classified information and bank account numbers and sensitive organizational data being stored in the databases? Can we identify all the databases they're in?'" Hutton explains. "And then we can figure out how to create a control structure that prevents, detects, and responds to incidents against that database."

And this is is only the first step, experts say. A lot of organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16 percent of organizations perform regular database audits once a month. Another 32 percent say they don't know how often audits are performed -- or never do them at all.

"There's either no auditing at all, or else it is auditing after the fact -- you know, checking the barn doors after all of your horses have been stolen," McKendrick says. "These audits take place may be quarterly, so you could have a major data breach take place in early January -- and it's late March when you're finding out about it."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-28048
PUBLISHED: 2021-04-14
An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2021-28157
PUBLISHED: 2021-04-14
An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative user to execute arbitrary SQL commands via a username in api/security/userinfo/delete.
CVE-2021-26030
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page
CVE-2021-26031
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.
CVE-2021-27710
PUBLISHED: 2021-04-14
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system funct...