You Still Stink At Patching Databases

Published: 22/11/2024   Category: security




Only about a fifth of organizations patch their databases within three months, and that number is unlikely to get better anytime soon, experts say



Last week's quarterly Critical Patch Update from Oracle fixed only one issue in the software giant's core database product, which is fortunate for most enterprises because, even after years of warnings, database patch cycles still lag. In fact, the numbers show that enterprises may actually be getting worse at patching databases rather than improving.
"Organizations still take about nine months to patch their databases, and the hackers need a few days whenever the patch comes out to design their attacks," says Rothacker, director of security research for Application Security Inc., who believes that if enterprises could do one thing to drastically improve their database security, it would be to pick up the pace on patching their databases. "The key thing is [to] speed up your patch cycle and whenever patches come out."
According to the most recent Independent Oracle Users Group survey released late last year, just 19 percent of organizations apply Oracle database patches to their systems before the next CPU is released by the firm. That figure is down by 10 percentage points from the previous year.
[How can classifying data help reduce risks in the cloud? See "It's Classified: The Secret To Cloud Risk Management Success".]
"There is a full one-third that either don't apply the patches or are unaware of whether they are applied," wrote report author Joe McKendrick, analyst for Unisphere Research, who broke down the statistics to show that 11 percent of organizations take more than a year to patch or have never applied a patch to their databases, and 27 percent don't even know how long it takes to update their databases.
It's a disconcerting trend for data security experts like John Linkous, chief security and compliance officer at eIQnetworks, who, alongside Rothacker, considers database updates to be one of the most obvious ways to improve security around the database.
"Perhaps the easiest and most effective solution for securing databases -- installing vendor patches as quickly as possible -- will help to mitigate threats due to known vulnerabilities," he says.
But some database security pros say patching isn't as easy as it sounds.
"If you have thousands or even hundreds of databases, and Oracle releases a patch every quarter, then it's almost impossible for you to go each and every quarter, for each and every database that you have, and retest all your applications, actually apply the patch, and absorb that downtime," says Slavik Markovich, vice president and CTO of database security for McAfee.
As he explains, all of those difficulties are made even harder to surmount by enterprise dependencies on legacy databases.
"It's a very hard process," he says, "not to mention the fact that a lot of those databases are old, so they don't receive any security patches anymore."
As Markovich surmises, database patch cycles simply aren't going to improve in the foreseeable future, which is why he believes organizations need to be more pragmatic about database security.
"Patching is still going to be a big problem, so you have a mitigating solution that provides a compensating control to protect your databases even though they are not patched," he says.
In the rush to pick up monitoring for checkbox compliance reasons, these kinds of vulnerability and patch mitigation features are sometimes an overlooked facet of database activity monitoring technology. But they're usually available, so if an organization can't patch, it should be looking for workarounds to still reduce the attackable surface of the database, Rothacker agrees.
"Obviously, you can't always patch," he says. "So if you can't, make sure your activity monitoring is up to date with the latest signatures. Any of the database security vendors go and produce new signatures as soon as we can. We analyze those patches and try to get [mitigating measures] out as quickly as we can, sometimes even before a patch is released if our researchers were the ones to report the problem to the vendor."
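The two measurements that run through this story, the IOUG survey's "patched before the next CPU shipped" metric and the advice to keep monitoring signatures current on whatever cannot be patched, can be turned into a simple inventory audit. The following Python script is an added example, not code from the article, from Oracle, or from any of the vendors quoted. The CPU release dates, the signature-pack version string, the nine-month threshold expressed as 270 days, and the sample inventory are all constructed assumptions; replace them with your own patch calendar and your monitoring vendor's actual version data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# ASSUMPTION: quarterly CPU release dates for one year. Constructed for the example,
# not Oracle's actual calendar; load the real schedule in practice.
CPU_RELEASES = [date(2024, 1, 16), date(2024, 4, 16), date(2024, 7, 16), date(2024, 10, 15)]

# ASSUMPTION: the newest signature pack the activity-monitoring vendor has shipped.
LATEST_SIGNATURE_PACK = "2024.10"

# The article's "about nine months" lag, approximated as 270 days.
NINE_MONTHS_DAYS = 270

# Date the audit is run against (the article's publication date, chosen arbitrarily).
AUDIT_DATE = date(2024, 11, 22)


@dataclass
class DatabaseRecord:
    name: str
    cpu_installed: Optional[date]    # release date of the CPU currently applied; None if never patched
    signature_pack: Optional[str]    # monitoring signature pack version; None if no monitoring at all


def latest_release(today: date) -> date:
    """The most recent CPU that had shipped as of `today`."""
    return max(r for r in CPU_RELEASES if r <= today)


def patch_status(db: DatabaseRecord, today: date) -> str:
    """Survey-style classification: on the current CPU, behind by one or more CPUs, or never patched."""
    if db.cpu_installed is None:
        return "never-patched"
    return "current" if db.cpu_installed >= latest_release(today) else "behind"


def days_exposed(db: DatabaseRecord, today: date) -> int:
    """Days since the oldest CPU this database is missing was released (0 when current).

    For a never-patched database we count from the first release in the table, which is
    a lower bound on the true exposure window.
    """
    if db.cpu_installed is None:
        return (today - CPU_RELEASES[0]).days
    missed = [r for r in CPU_RELEASES if db.cpu_installed < r <= today]
    return (today - min(missed)).days if missed else 0


def compensating_control_ok(db: DatabaseRecord) -> bool:
    """Rothacker's fallback: if you can't patch, the monitoring signatures must be current."""
    return db.signature_pack == LATEST_SIGNATURE_PACK


def audit(dbs: list, today: date) -> dict:
    """Percentage of databases on the current CPU, plus one finding per database that is not."""
    findings = []
    current = 0
    for db in dbs:
        status = patch_status(db, today)
        if status == "current":
            current += 1
            continue
        exposed = days_exposed(db, today)
        findings.append({
            "name": db.name,
            "status": status,
            "days_exposed": exposed,
            "over_nine_months": exposed > NINE_MONTHS_DAYS,
            "monitoring_current": compensating_control_ok(db),
        })
    percent = round(100 * current / len(dbs)) if dbs else 0
    return {"percent_current": percent, "findings": findings}


# Constructed sample inventory; names and dates are invented for the example.
SAMPLE_INVENTORY = [
    DatabaseRecord("erp-prod", date(2024, 10, 15), "2024.10"),
    DatabaseRecord("hr-legacy", date(2024, 1, 16), "2024.10"),
    DatabaseRecord("warehouse", None, None),
    DatabaseRecord("crm-prod", date(2024, 7, 16), "2024.07"),
    DatabaseRecord("billing", date(2024, 10, 15), None),
]


def sample_report() -> dict:
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    report = sample_report()
    print(f"{report['percent_current']}% of databases are on the current CPU")
    for f in report["findings"]:
        flag = "" if f["monitoring_current"] else "  <-- no current compensating control"
        print(f"{f['name']:<10} {f['status']:<14} exposed {f['days_exposed']:>3} days{flag}")
```

The useful output is the finding list, not the percentage: a database that is behind on patches but whose monitoring signatures are current is in the situation Markovich and Rothacker describe as acceptable, while one that is both behind and running stale or no signatures (crm-prod and warehouse in the sample) has neither the patch nor the compensating control and belongs at the top of the work queue.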
