Survey: Database Administrators, IT Security Still Not On The Same Page

  /     /     /  
Publicated : 22/11/2024   Category : security


Survey: Database Administrators, IT Security Still Not On The Same Page


DBAs lack understanding of change control, patch management, ISUG study says



Database administrators still dont get security, according to a study published Wednesday.
Many DBAs and general IT decision makers admit they know little about critical database security issues, such as change control, patch management, and auditing, the survey says.
Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.
A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information, the survey report stated. Only one out of five take proactive measures to mask or shield this data from prying eyes.
According to the reports author, Unisphere Research analyst Joe McKendrick, the ISUG survey is one in a series of similar database security surveys being conducted across numerous database user groups, including those that run other platforms, such as Oracle and SQL Server.
This [ISUG survey] pretty much follows the same script as the survey responses in the other database environments, McKendrick said. Its very consistent -- with a very common theme across all of these different user groups and technology bases -- that there is a disconnect between management and security.
One of the biggest problems is a lack of understanding of change management and patch management, according to the research. The survey found that 37 percent of respondents didnt know or werent sure how long it takes to detect and correct unauthorized changes to the database.
About 35 percent of those surveyed said that they rarely apply security patches across their database portfolio or didnt know how often patches were applied. Just less than two-thirds of organizations do not have any kind of automated database configuration management or patch management tools employed.
Yet, well more than half of respondents said they dont think they are likely to experience a breach in the next year.
According to Rich Mogull, founder of analyst firm Securosis, the results from this ISUG survey arent very surprising.
We still see very much a split between the database and security worlds -- and not nearly the level of communication between the two of them that wed like, Mogull says.
Mogull believes that the lack of knowledge about change management isnt strictly a security issue. Thats something that the database guys themselves should be keeping track of for performance reasons, if nothing else.
Many security experts believe that organizations need to do a better job increasing the visibility of data assets across the enterprise -- to both DBAs and security professionals. This visibily starts with data classification, says Alex Hutton, principal in research and risk intelligence for Verizon Business.
We need to ask ourselves, Where are these pieces of classified information and bank account numbers and sensitive organizational data being stored in the databases? Can we identify all the databases theyre in? Hutton explains. And then we can figure out how to create a control structure that prevents, detects, and responds to incidents against that database.
And this is is only the first step, experts say. A lot of organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16 percent of organizations perform regular database audits once a month. Another 32 percent say they dont know how often audits are performed -- or never do them at all.
Theres either no auditing at all, or else it is auditing after the fact -- you know, checking the barn doors after all of your horses have been stolen, McKendrick says. These audits take place may be quarterly, so you could have a major data breach take place in early January -- and its late March when youre finding out about it.
Have a comment on this story? Please click Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Survey: Database Administrators, IT Security Still Not On The Same Page