Unpatched databases still causing compromises: McAfee

Database administrators are ignoring patches at their peril, says vendor

Reluctance among database administrators to follow the advice of IT security staff and patch databases, because of the time involved, is leaving a door open for hackers, according to one security expert.

McAfee Australia enterprise solutions architect, Sean Duca, speaking before his Computer Audit Control Security (CACS) 2011 presentation this week, said that administrators needed to be able to identify where the data was held and protect the information.

“The data needs to be accessible by people within the organisation so it’s not simply a matter of locking down the database. IT managers and security staff need to see who has access to this data and what they are doing to these databases.”

According to Duca, hacktivist group Anonymous has targeted a number of organisations using SQL injection attacks, which are "nothing new" and are a common hacking method that involves inputting commands into a Web-based form to see if the backend database storing the data responds. Anonymous used this method to breach San Francisco's public transport site in August, which led to the release of 2000 user names.

"It just shows that organisations still aren’t providing protection to their most critical asset, their data. We’ve always said that people should be patching their systems. For example, Oracle comes out with a new list every month for their databases which address approximately 40 new vulnerabilities. This means that everyone constantly needs to go through this process of testing, certifying and rolling out these patches."

He added that database admins should also be providing protection for old databases such as SQL 2000, which has been around for over 10 years. “People are aware that they need to patch databases but what happens is the head of security goes to the database administrator and tells them about the new vulnerabilities. The database administrator will probably be hesitant about rolling out these patches because he will be thinking ‘I need to test and certify these patches in a way that is not going to cause any issues that the databases we have now’.”

This resistance means that some organisations' IT staff are delaying patch rollouts. Database protection could be delayed by months, or even years, because of a lack of resources for testing, the time needed to take databases offline for patching, and limited support from third-party application vendors and from database vendors for old versions of databases.

“The security person is trying to prevent all these attacks and if one vulnerability happens, then the whole database can be compromised,” he said.

“Most people are calling it the year of the hack and a lot of organisations have been compromised. If we look at what hackers have gone for, the majority of the time it has been for the crown jewels, their data."

"For example, if you look at the Sony [Playstation Network] hack, there were an estimated 100 million user accounts stolen from their databases," Duca said.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
