Yesterday we posted an item that suggested people are ignorant and/or lazy when it comes to security. This InfoWorld story -- which covers a researcher's claims that there are tons of database servers on the Internet not protected by firewalls, and that many of these aren't even patched -- suggests that we were optimists.
The story discusses soon-to-be released research by David Litchfield, who runs Databasesecurity.com. His method was simple: He tried to access the Microsoft SQL Server and Oracle database ports at more than 1 million randomly generated addresses. He found 157 SQL servers and 53 Oracle servers, which means that these machines have no firewall protection. He extrapolated using standard procedures and came up with estimates that 368,000 SQL servers and 124,000 Oracle databases are not protected. His conclusion is fairly straightforward:
People aren't protecting themselves with firewalls and the patch levels are atrocious.
Though there are a lot of laggards out there, good tools are being released on a regular basis. At this week's Oracle OpenWorld 2007 in San Francisco, Application Security Inc. said DbProtect now supports Oracle Database 11g. The porting was done in the wake of the database's general availability on Windows platforms. DbProtect, the release says, will detect 11g databases and make sure they are deployed and maintained securely.
SoftTree Technologies on Wednesday released DB Audit Expert 4.0, which introduces discovery, security-management and behavior-analysis features for SQL servers. The release adds autodiscovery of various classes of information, security administration, behavioral-anomaly detection, auditing and compliance reporting, according to the press release. The product offers monitoring of regular and back-door access; auditing and continuous compliance; centralization of auditing control of multiple database layers; real-time performance monitoring and diagnostics; real-time e-mail alerting and regulatory compliance reporting.
Database security company Sentrigo late last month updated Hedgehog, a product that protects Oracle databases. Hedgehog is designed to follow predetermined rules to protect the databases before patches released by Critical Patch Updates are deployed (if they ever are).
This release of Hedgehog, the story says, includes new action scripts. Scripts determine an action, such as shutting down the machine or sending an alarm if certain conditions are reached. These features allow users to write their own scripts and to categorize their activities in a more granular fashion, which can be useful for compliance reasons. Such automation may take pressure of the database administrators who, perhaps against their wishes, are front and center on the database security issue.
After a joke about the acronym, this Securosis blogger lays out the case for database-activity monitoring (DAM). The piece dives into details pretty quickly, but the top line is important: DAM -- which, as the name implies, watches how people use the databases -- is rivaling the more often-discussed data-loss-prevention market. Though no source is given, the blogger says DAM generated $40 million last year and is slated to reach $60 million to $80 million in 2007. It is a young discipline useful in both compliance and security efforts, the writer says. The post includes a precise, multi-part definition of DAM and a description of its market drivers.
Clearly, there are great tools available from database vendors and security and compliance companies for those who want to protect their databases. Perhaps it shouldn't qualify as a surprise any longer, but it seems that there simply are too many people in positions of authority who just don't care.