Unpatched databases still causing compromises: McAfee

Database administrators are ignoring patches at their peril, says vendor

Resistance from database administrators to follow the advice of IT security staff and patch databases because of the time involved is leaving a door open for hackers, according to one security expert.

McAfee Australia enterprise solutions architect, Sean Duca, speaking before his Computer Audit Control Security (CACS) 2011 presentation this week, said that administrators needed to be able to identify where the data was held and protect the information.

“The data needs to be accessible by people within the organisation so it’s not simply a matter of locking down the database. IT managers and security staff need to see who has access to this data and what they are doing to these databases.”

According to Duca, hacktivists Anonymous have targeted a number of organisations using SQL injection attacks, which are "nothing new" and are a common hacking method that involves inputting commands into a Web-based form to see if the backend database storing the data responds. Anonymous used this method to breach San Francisco's public transport site in August which led to the release of 2000 user names.

"It just shows that organisations still aren’t providing protection to their most critical asset, their data. We’ve always said that people should be patching their systems. For example, Oracle comes out with a new list every month for their databases which address approximately 40 new vulnerabilities. This means that everyone constantly needs to go through this process of testing, certifying and rolling out these patches."

He added that database admins should also be providing protection for old databases such as SQL 2000, which has been around for over 10 years. “People are aware that they need to patch databases but what happens is the head of security goes to the database administrator and tells them about the new vulnerabilities. The database administrator will probably be hesitant about rolling out these patches because he will be thinking 'I need to test and certify these patches in a way that is not going to cause any issues that the databases we have now’."

This resistance means that some organisations IT staff are delaying patch rollouts. Database protection could be delayed by months, or even years because of a lack for resources for testing, the time to take databases offline for patching, support from third party application vendors, and database vendor support for old versions of databases.

“The security person is trying to prevent all these attacks and if one vulnerability happens, than the whole database can be compromised," he said.

“Most people are calling it the year of the hack and a lot of organisations have been compromised. If we look at what hackers have gone for, the majority of the time it has been for the crown jewels, their data."

"For example, if you look at the Sony [Playstation Network] hack, there were an estimated 100 million user accounts stolen from their databases," Duca said.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about Australian Computer SocietyetworkMcAfee AustraliaOraclePlaystationSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Hamish Barwick

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place