Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/18/2011
10:08 PM
50%
50%

Survey: Database Administrators, IT Security Still Not On The Same Page

DBAs lack understanding of change control, patch management, ISUG study says

Database administrators still don't get security, according to a study published Wednesday.

Many DBAs and general IT decision makers admit they know little about critical database security issues, such as change control, patch management, and auditing, the survey says.

Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.

"A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information," the survey report stated. "Only one out of five take proactive measures to mask or shield this data from prying eyes."

According to the report's author, Unisphere Research analyst Joe McKendrick, the ISUG survey is one in a series of similar database security surveys being conducted across numerous database user groups, including those that run other platforms, such as Oracle and SQL Server.

"This [ISUG survey] pretty much follows the same script as the survey responses in the other database environments," McKendrick said. "It's very consistent -- with a very common theme across all of these different user groups and technology bases -- that there is a disconnect between management and security."

One of the biggest problems is a lack of understanding of change management and patch management, according to the research. The survey found that 37 percent of respondents didn't know or weren't sure how long it takes to detect and correct unauthorized changes to the database.

About 35 percent of those surveyed said that they rarely apply security patches across their database portfolio or didn't know how often patches were applied. Just less than two-thirds of organizations do not have any kind of automated database configuration management or patch management tools employed.

Yet, well more than half of respondents said they don't think they are likely to experience a breach in the next year.

According to Rich Mogull, founder of analyst firm Securosis, the results from this ISUG survey aren't very surprising.

"We still see very much a split between the database and security worlds -- and not nearly the level of communication between the two of them that we'd like," Mogull says.

Mogull believes that the lack of knowledge about change management isn't strictly a security issue. "That's something that the database guys themselves should be keeping track of for performance reasons, if nothing else."

Many security experts believe that organizations need to do a better job increasing the visibility of data assets across the enterprise -- to both DBAs and security professionals. This visibily starts with data classification, says Alex Hutton, principal in research and risk intelligence for Verizon Business.

"We need to ask ourselves, 'Where are these pieces of classified information and bank account numbers and sensitive organizational data being stored in the databases? Can we identify all the databases they're in?'" Hutton explains. "And then we can figure out how to create a control structure that prevents, detects, and responds to incidents against that database."

And this is is only the first step, experts say. A lot of organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16 percent of organizations perform regular database audits once a month. Another 32 percent say they don't know how often audits are performed -- or never do them at all.

"There's either no auditing at all, or else it is auditing after the fact -- you know, checking the barn doors after all of your horses have been stolen," McKendrick says. "These audits take place may be quarterly, so you could have a major data breach take place in early January -- and it's late March when you're finding out about it."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...