Interesting, but not surprising:
Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.
“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”
There have been a number of high-profile incidents where production data wound up where the public could access it, without anyone in the organization realizing it. Make sure you know where your data goes!
One of the biggest problems is a lack of understanding of change management and patch management, according to the research. The survey found that 37 percent of respondents didn’t know or weren’t sure how long it takes to detect and correct unauthorized changes to the database.
About 35 percent of those surveyed said that they rarely apply security patches across their database portfolio, or didn’t know how often patches were applied. Just under two-thirds of organizations do not employ any kind of automated database configuration management or patch management tooling.
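The survey asks how long it takes to detect unauthorized changes; the honest answer for many shops is "we would never notice", because nothing records what the schema looked like yesterday. The following is an added illustration, not part of the survey or the original post, of the minimal control behind that question: snapshot every schema object's DDL into a hash baseline, then diff a later snapshot against it. It uses SQLite in memory so it runs offline; the "production" tables, the `shadow_ssn` table, the `copy_ssn` trigger and the dropped view are all constructed for the demo. Against a real database the same idea applies to the catalog views (sysobjects/syscomments on Sybase, information_schema elsewhere), with the baseline stored outside the DBA's reach.

```python
import hashlib
import sqlite3

# Constructed sample "production" schema (hypothetical, for the demo only).
BASELINE_DDL = [
    "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)",
    "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL)",
    "CREATE VIEW order_totals AS "
    "SELECT customer_id, SUM(total) AS t FROM orders GROUP BY customer_id",
]


def snapshot_schema(conn):
    """Return {(type, name): sha256 of normalized DDL} for every object in the catalog.

    Hashing the DDL rather than storing it keeps the baseline small and makes a
    modified object (e.g. an added column) show up as a hash mismatch.
    """
    snap = {}
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL"
    ).fetchall()
    for obj_type, name, sql in rows:
        normalized = " ".join(sql.split())  # ignore whitespace-only differences
        snap[(obj_type, name)] = hashlib.sha256(normalized.encode()).hexdigest()
    return snap


def diff_schema(baseline, current):
    """Compare two snapshots and report objects added, removed or modified."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def build_db():
    """Create the constructed sample database and return the connection."""
    conn = sqlite3.connect(":memory:")
    for ddl in BASELINE_DDL:
        conn.execute(ddl)
    conn.commit()
    return conn


def demo():
    """Take a baseline, apply simulated unauthorized changes, and return the diff."""
    conn = build_db()
    baseline = snapshot_schema(conn)  # in practice: stored off-box, read-only to DBAs

    # Simulated unauthorized changes (constructed): a column silently added,
    # a side table plus trigger that copies SSNs out of the customers table,
    # and a view dropped.
    conn.execute("ALTER TABLE customers ADD COLUMN notes TEXT")
    conn.execute("CREATE TABLE shadow_ssn (ssn TEXT)")
    conn.execute(
        "CREATE TRIGGER copy_ssn AFTER INSERT ON customers "
        "BEGIN INSERT INTO shadow_ssn(ssn) VALUES (NEW.ssn); END"
    )
    conn.execute("DROP VIEW order_totals")
    conn.commit()

    return diff_schema(baseline, snapshot_schema(conn))


if __name__ == "__main__":
    for kind, objects in demo().items():
        for obj_type, name in objects:
            print(f"{kind:9s} {obj_type:8s} {name}")
```

Run on a schedule and diffed against the previous run, this turns "we don't know how long detection takes" into a number bounded by the schedule interval; the same hash-and-compare loop applied to configuration values (login options, audit settings) is the core of the automated configuration management the survey found most organizations lack.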
PCI DSS requires critical security patches on in-scope production systems to be installed within a month of release — what are these guys doing?
And this is only the first step, experts say. A lot of organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16 percent of organizations perform regular database audits as often as once a month. Another 32 percent say they don’t know how often audits are performed — or never do them at all.