One of the IOUG survey respondents said, "Our greatest risk is probably that of a rogue employee running amok. We'd know about it soon enough, but it might be too late to avoid serious damage."
This is a common opinion among many administrators; approximately 22 percent of respondents listed internal hackers as their biggest database security risk, and another 12 percent said abuse of privileges was their highest threat.
Yet in spite of this awareness, organizations are doing very little to mitigate these risks. A whopping three-quarters of organizations do not have or aren't sure if they have a means to prevent privileged users from tampering with or compromising database information. Only about 23 percent of organizations have a way to safeguard from accidental changes by privileged users. And within a quarter of organizations, even regular users can bypass applications to gain direct access to data using ad hoc tools.
Perhaps more disconcerting is the fact that many companies also fail to protect audit data from unauthorized access and tampering. About 57 percent of respondents do not consolidate database audit data to a central secure location, making it possible for privileged users to change audit data to cover their tracks after making unauthorized access or changes.
4. Database patches are deployed slowly.
Many of today's nastiest breaches occur at the hands of hackers who take advantage of database and Web application vulnerabilities to break into sensitive data stores. According to the recent Verizon 2010 Data Breach Investigations Report, 90 percent of last year's breaches involved SQL injection attacks.
While enterprises could do a lot to take the edge off the risks from these attacks by keeping their databases patched and configured securely, they are simply not taking advantage of this opportunity to mitigate the threat. The IOUG survey found that 63 percent of administrators admit they are at least a cycle late with their critical patch updates. Of most concern are the 17 percent of administrators who say they don't apply patches at all or are unsure when patches are applied.
5. Encryption practices lag.
Even with regulations such as HIPAA and PCI DSS in place that require organizations to encrypt or deidentify PII within databases, database encryption of PII within the typical organization remains woefully deficient. Less than a third of administrators said they encrypt PII within all of their databases, while 38 percent said they do not encrypt PII or are unsure of whether they do. The numbers for encryption of network traffic to and from the database are about the same, with about 23 percent of organizations reporting they encrypt all database traffic, and 35 percent admitting that they do not encrypt this traffic or are not sure whether such traffic is encrypted.
The real Achilles heel of database encryption is how database backups and copies of databases sent to off-site partners are treated. Fewer than half of organizations can definitively say they do not send unencrypted database information off-site. And just 16 percent of organizations said they encrypt all database backups and exports.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.