2010 IOUG DATA SECURITY SURVEY

By Joseph McKendrick, Research Analyst

Produced by Unisphere Research, a division of Information Today, Inc.

September 2010


2010 IOUG Data Security Survey was produced by Unisphere Research and sponsored by Oracle. Unisphere Research is the market research unit of Unisphere Media, a division of Information Today, Inc., publishers of Database Trends and Applications magazine and the 5 Minute Briefing newsletters. To review abstracts of our past reports, visit www.dbta.com/research. Unisphere Media, 229 Main Street, Chatham, NJ 07928. Tel: 973-665-1120, Fax: 973-665-1124, Email: [email protected], Web: www.dbta.com.

Join the IOUG—If you’re not already an IOUG member and would like to continue receiving key information like this, visit the IOUG at w3.ioug.org/join/today for information on how to join this dynamic user community for Oracle applications and database professionals.

Data collection and analysis performed with SurveyMethods.

TABLE OF CONTENTS

Executive Summary

Overview

Data Privacy

Access Control to Data and Databases

Database Activity Monitoring and Auditing

Operational Security

Conclusion


EXECUTIVE SUMMARY

Information security is top of mind for all organizations today. Companies recognize that there are severe repercussions to ignoring or undervaluing data security, and most are increasing their investment in security and putting in place measures to protect their information. But are those measures sufficient? And, do those measures really provide the safeguards organizations think they do? According to this year’s survey of 430 members of the Independent Oracle Users Group (IOUG), the answer to both of these questions is “no,” leaving organizations more at risk than they are aware. This study of IOUG members’ information security practices was first conducted in 2008, and then again in 2009.

This year’s survey,1 conducted in May 2010 by Unisphere Research, a division of Information Today, Inc., and sponsored by Oracle Corporation, uncovered the following troubling findings:

Fewer than 30 percent of respondents are encrypting personally identifiable information in all their databases. Although slightly up from last year, this finding is startling given the number of existing data privacy and protection mandates that specifically call for data-at-rest encryption.

Close to two out of five of respondents’ organizations ship live production data out to development teams and outside parties. However, more than one-third admit that the data is unprotected, or don’t know if it is protected. In many cases, the data consists of sensitive or confidential information.

Three out of four organizations do not have a means to prevent privileged database users from reading or tampering with HR, financial or other business application data in their databases. Many of those who responded that they could “prevent” such activity indicated that they did so by relying on auditing and recovery process, and were reacting rather than preventing.

In fact, two out of three respondents admit that they could not actually detect or prove that their database administrators and other privileged database users were not abusing their privileges.

However, database administrators and other IT professionals aren’t the only people that can compromise data security from the inside. An end user with common desktop tools can also gain unauthorized direct access to sensitive data in the databases. Close to half of respondents say that this either could happen in their organizations, or that they don’t know if it could.

Almost 64 percent indicate that they either do not monitor database activity, do so on an ad hoc basis, or don’t know if anyone is monitoring. Less than one-third of those monitoring are watching sensitive data reads and writes.

As a result, 40 percent of respondents indicate that they are unsure as to how long it would take them to detect and correct unauthorized changes to their data or their databases.

Overall, two-thirds of companies either expect a data security incident they will have to deal with in the next 12 months, or simply don’t know what to expect.

What is the greatest risk? “Our greatest risk is probably that of a rogue employee running amok,” says one respondent. “We’d know about it soon enough, but it might be too late to avoid serious damage.” This is a sentiment echoed by many other respondents.

Some data managers feel that their data is secure mainly because databases are not connected to the Internet—a false comfort that may lead to a rude awakening, especially considering that a majority of organizations admit that they do not apply Critical Patch Updates intended to address security vulnerabilities in a timely manner, or take steps to ensure that all their Internet-facing applications are not subject to SQL injection attacks.

On the following pages, the detailed survey results are presented by key areas: data privacy, access control, activity monitoring and auditing, and operational security.

1 The survey consisted of email messages to IOUG members directing them to a Web-based survey instrument. Respondents were encouraged to provide open-ended responses to further explore the nature of their data security adoption strategies.


OVERVIEW

Data managers and professionals in this survey have a range of responsibilities, and come from a range of company sizes.

Nine out of 10 respondents have some role to play in corporate data security, and one-third of respondents categorize this role as “extensive.” Respondents also run numerous databases at their sites—one out of five, in fact, runs more than 500 instances of databases. (See Figures 1–5.)

Many organizations move data out to outsourcers for application development, testing and administration.

In the current environment, the lines between “insiders” and “outsiders” have blurred. Organizations rely on third-party organizations and contractors to manage and develop systems and applications. More than one-third report that they outsource or offshore their database or application administration functions to an outside provider. (See Figure 6.)

Even larger numbers of respondents report that their companies outsource database development and testing. Close to half of respondents, 47 percent, report that they either extensively outsource development or test functions, or they do so on a limited basis. (See Figure 7.)

This poses unique challenges in terms of enforcing appropriate controls to sensitive and regulated data.

Organizations are increasing investments in data security.

The research shows that data security efforts are recovering from the recent economic downturn. Forty-three percent of companies have increased their IT security-related spending, up from 28 percent in last year’s survey and 41 percent in the 2008 survey. Only nine percent say spending has actually decreased. (See Figure 8.)

Although funding is improving, most IT security programs fail to address the threats to databases.

While half of respondents would consider their company’s level of commitment to be “high,” close to one out of six—17 percent—represent their company’s commitment to database security as low or simply aren’t aware of a commitment. Another one-third rank IT security as a lukewarm “medium.” (See Figure 9.)

Database security often doesn’t receive organizations’ full attention as an IT security function. In close to half of the companies surveyed, database security falls outside the purview of the IT security function.

Typically, the job of database security falls on the database group, as reported by more than three out of four survey respondents. Just over half of the organizations in this survey indicated that they have a dedicated security group that oversees their database security requirements. (See Figure 10.)

Many of the respondents also indicated that they are in regulated businesses, which creates greater urgency for addressing data security.

More than half of the organizations in the survey are charged with fulfilling requirements associated with Sarbanes-Oxley Act (SOX), and more than one-third must comply with state-level data protection laws and HIPAA/HITECH mandates. (See Figure 11.)

Figure 1: Respondents’ Roles in Data Security

Limited or supporting role 58%

Extensive role 33%

No role in data security at this time 9%

Figures 1–5: Data managers and professionals in this survey have a range of responsibilities, and come from a range of company sizes.


Figure 2: Respondents’ Job Roles

Professional/Staff

Database Administrator (DBA) 49%

Programmer/Developer 8%

Analyst/Systems Analyst 6%

Data Architect 4%

Systems Administrator 4%

Applications Administrator 2%

IT Consultant for IT Service/Integration Firm 2%

IT Consultant/Independent Contractor 2%

IT Management/Business Management

Director/Manager of IS/IT 7%

CIO/CTO/Vice President of IT 2%

IT Operations Manager 3%

Project Manager 6%

Executive Management Level for the Business 1%

Other 4%


Figure 3: Respondents’ Companies By Number of Employees

1 to 100 employees 11%

101 to 500 employees 15%

501 to 1,000 employees 10%

1,001 to 5,000 employees 19%

5,001 to 10,000 employees 13%

More than 10,000 28%

Decline to answer 4%


(Includes all locations, branches, and subsidiaries)


Figure 4: Respondents’ Primary Industries

IT Services/Consulting/Sys. Integration 21%

Utility/Telecommunications/Transport 11%

Education (all levels) 10%

Government (all levels) 10%

Financial Services 7%

Healthcare/Medical 6%

Manufacturing 6%

Software/Application Development 5%

Business Services 4%

Retail/Distribution 4%

Consumer services 3%

High-Tech manufacturing 3%

Insurance 3%

Other 8%

Figure 5: By Number of Databases Run Within Respondents’ Companies

<10 16%

11 to 100 35%

101 to 500 19%

501 to 1,000 7%

>1,000 13%

Don’t know/unsure 10%


Figures 6 & 7: Many organizations move data out to outsourcers for application development, testing and administration.

Figure 6: Outsource or Offshore Database/Application Administrative Functions?

Don’t know/unsure 5%

Yes, extensively 8%

Yes, but on a limited basis 26%

No 61%

Figure 7: Outsource or Offshore Database/Application Development or Test Functions?

Don’t know/unsure 6%

Yes, extensively 11%

Yes, but on a limited basis 36%

No 48%

Total: 101% due to rounding


Figure 8: Organizations are increasing investments in data security.

Figure 8: Change in IT Security Spending Over the Past Year

Increased: 43% (2010), 28% (2009), 41% (2008)

Decreased: 9% (2010), 13% (2009), 4% (2008)

Figure 9: Where Database Security Falls in Terms of IT Security Priorities

Low 7%

Medium 34%

High 50%

Don’t know/unsure 10%

Figure 9: Although funding is improving, most IT security programs fail to address the threats to databases.


Figure 10: Who is Responsible for Database Security?

Database Group 77%

Security Group 56%

Systems Management Group 37%

Application Group 24%

Development Group 19%

No one 2%

Don't know/unsure 4%

Other 4%

Figure 10: Database security often doesn’t receive organizations’ full attention as an IT security function. In close to half of the companies surveyed, database security falls outside the purview of the IT security function.

Figure 11: Mandates Organizations Must Comply With

Sarbanes-Oxley Act (SOX) 52%

Local state data protection laws 35%

HIPAA/HITECH 32%

Payment Card Industry (PCI) 22%

SAS 70 10%

Other 8%


Figure 11: Many of the respondents also indicated that they are in regulated businesses, which creates greater urgency for addressing data security.


DATA PRIVACY

Data encryption is still an elusive strategy for many.

Despite regulatory requirements specifically calling for data encryption of personally identifiable information (PII) such as Social Security, credit card, and national identifier numbers, fewer than 30 percent of respondents say they uniformly encrypt PII stored in their databases. (See Figure 12.) A similar percentage of respondents also admit that data in transit to their database is not uniformly encrypted. (See Figure 13.)

Most organizations are still not encrypting backups even when those backups are sent offsite.

Despite lost backups containing sensitive data making headlines on a regular basis over the past decade, more than half of the survey group, 53 percent, report they either don’t encrypt or don’t know if data that is being backed up or exported is encrypted. (See Figure 14.) In addition, close to one-third admit that they send unencrypted database backups or exports offsite, to storage facilities, business partners, or other data centers. (See Figure 15.)

Organizations need to only look as far as their development and test environments for data breaches.

PII and other sensitive production data is often found in these typically insecure environments. Close to two out of five organizations ship live production data, often containing sensitive or confidential information, to development teams. Thirty-seven percent admit to actually using live production data within non-production environments, such as staging and development environments. (See Figure 16.) Close to half still use old production data, which offers little assurance if that data contains PII such as Social Security numbers or credit card numbers. In two out of five cases, it either does contain this kind of data, or respondents aren’t sure of the data content. (See Figure 17.)

There is increasing awareness around the risk of these practices. However, most organizations have a long way to go in terms of best practices.

As shown in Figure 16, about one-third of respondents indicate that they employ simulated data, or de-identified production data in non-production environments, up from past years. Thirty percent use de-identified data, up from 26 percent in the previous 2009 and 2008 surveys. The use of simulated data, at 34 percent, is also up from 24 percent a year ago.

Strategies such as data de-identification are not integrated into data security processes. When it comes to de-identifying data, most respondents indicated they resort to ad hoc efforts on a case-by-case basis.

Among the 30 percent of respondents that do de-identify their production data before it is sent out, most employ manual or ad hoc processes. Thirty-one percent, for example, use custom scripts, while 15 percent report they de-identify on an ad hoc basis. These approaches are costly and error-prone. Another 42 percent either do not de-identify data at all, or simply don’t know if their companies do so. (See Figure 18.)

Tracking all sensitive data is difficult, even for data managers.

While most respondents report they are in charge of IT and data security, only about half have a grasp of where all the sensitive data resides across their enterprises. (See Figure 19.)


Figures 12 & 13: Data encryption is still an elusive strategy for many.

Figure 12: Is Personal Identity Information Encrypted?

(e.g., Social Security numbers, credit card, national identifier numbers)

Yes, in all databases 29%

Yes, in some databases 34%

No 22%

Don’t know/unsure 16%

Total: 101% due to rounding

Figure 13: Application Data Encrypted on Network to/from Database?

Yes, all database traffic is encrypted 23%

Some database traffic is encrypted 42%

No, database traffic is not encrypted 21%

Don’t know/unsure 14%


Figures 14 & 15: Most organizations are still not encrypting backups even when those backups are sent offsite.

Figure 14: Encrypt All Online and Offline Database Backups and Exports?

Yes, all database backups/exports are encrypted 16%

Some database backups/exports are encrypted 32%

No, database backups/exports are not encrypted 34%

Don’t know/unsure 19%

Total: 101% due to rounding

Figure 15: Send Unencrypted Database Backups or Exports Offsite?

(Storage facilities, business partners, other data centers, etc.)

Yes 32%

No 44%

Don’t know/unsure 24%


Figure 16: Data Used Within Non-Production Environments

“Old” or outdated production data 48%

“Live” production data 37%

Simulated data 34%

De-identified production data 30%

Sample data provided by the app. vendor or developer 24%

Don’t know/unsure 6%

Other 0%


(Such as staging and development environments)

Figures 16 & 17: Organizations need to only look as far as their development and test environments for data breaches.

Figure 17: Does Live or Old Production Data Used Contain Sensitive Information?

(Among respondents using production data within non-production environments. Includes credit card numbers, Social Security numbers, or customer/employee/partner personal identifiable information)

Yes 28%

No 44%

Don’t know/unsure 11%

Not applicable 18%

Total: 101% due to rounding


Figure 18: Strategies for De-Identifying Data

Using custom scripts 31%

De-identified as part of process 22%

Automated 16%

De-identified on ad hoc basis 15%

Using third-party tools 8%

Ad hoc 7%

We do not de-identify data 20%

Don’t know/unsure 22%

Other 0%

Figure 18: There is increasing awareness around the risk of these practices. However, most organizations have a long way to go in terms of best practices.

Figure 19: Aware of all the Databases in Organization that Contain Sensitive Information?

Yes 52%

No 48%

Figure 19: Tracking all sensitive data is difficult, even for data managers.


ACCESS CONTROL TO DATA AND DATABASES

There is awareness that “internal” hackers originating attacks from within the firewall or legitimate users abusing their privileges represent the greatest risk, threat, or vulnerability at this time.

Twenty-two percent cite internal hacker threats and another 12 percent see abuse of privileges as high-risk threats, compared to 13 percent that cite the outside hacker threat. Twelve percent see the lack of management commitment and lax procedures as the biggest risk to data in that current issues will not be addressed. Often, management is concerned about moving applications and systems as rapidly as possible, with little or no consideration given to data security. (See Figure 20.)

Three out of four organizations do not have, or are not aware of, a means to prevent privileged users from tampering with or compromising data from the inside. Even more revealing is that many respondents who believe that they have such a means are in fact relying on detection and recovery, rather than prevention and real-time enforcement.

About one out of four respondents say they take measures to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. (See Figure 21.)

When asked to provide the strategies or techniques used to prevent privileged users from tampering with sensitive data, some respondents indicated they were using integrated database security solutions such as Oracle Database Vault. However, a majority indicated that they rely on auditing to detect and recover or “undo” the damage done from such a data breach. Although preventing tampering from ultimately being successful, this approach does not actually provide real-time prevention against access or tampering of data in the first place.

To complicate matters, most companies don’t protect audit data from unauthorized access so a privileged user could tamper with audit data to hide their tracks, making even detection and recovery impossible.

Overall, 57 percent of respondents say that they do not consolidate—or know if database audit data is consolidated—to a central secure location to protect it from unauthorized access or potential tampering by privileged database users. (See Figure 22.) Although 30 percent indicate that they are protecting audit data from some of their databases, this is not heartening given earlier data on a lack of knowledge of all databases that contain sensitive data.

One out of four respondents say there are no safeguards, or that they aren’t aware of safeguards, to prevent accidental data breaches.

Not all data breaches are malicious, of course—many are the result of accidents. In fact, about one out of four respondents also say that they have safeguards to prevent a database administrator from accidentally dropping a table or unintentionally causing harm to critical application databases. (See Figure 23.)

However, when asked for specific techniques, most cite after-the-fact measures that would remedy such incidents, but say they could not actually prevent them in real time.

As one respondent described it, such incidents could be rolled back within 24 hours (but, again, not prevented): “Our DBA GUI tool requires confirmation before dropping objects, but this can be bypassed via SQL Plus. This is somewhat mitigated by nightly backups. All production changes go through change control process, which requires that back-out procedures to undo the changes be specified.”

Another respondent reports that in their organization, the “drop” command has simply “been banned.”

In fact, two out of three respondents cannot prove ordocument that super-users are not abusing their privileges.

Only about one-third of respondents say that they have themeans of proving that database administrators and otherprivileged database users at their companies are not abusing their super-user privileges. (See Figure 24.)

Any database user armed with often very simple tools suchas spreadsheets can also be the source of data breaches.

Database administrators and other IT professionals aren’t theonly people that can compromise data security from the inside.A database user with common desktop tools can also gainunauthorized access to sensitive data. Close to half of respondentssay this either could happen in their organizations, or that theydon’t know if it could.

One out of four respondents admitted that database users can bypass applications and gain access to application data within the database directly using ad hoc tools. Another 20 percent simply don’t know if such access is possible in their organizations. (See Figure 25.)

A number of respondents admitted that such ad hoc tools were common within their organizations, especially in desktop applications such as Microsoft Access or Microsoft Excel spreadsheets which can be used to access databases. One respondent observed that such access is permitted for non-sensitive data but cannot be enforced effectively, allowing access to both sensitive and non-sensitive data. As another respondent reported: “We have some application administrators who have some limited SQL skills from report writing who could conceivably access the databases without going through the application.”

Another respondent reported the problem discussed in the previous section: that data made available to development teams becomes vulnerable. “In staging and development environments, developers have full access to the data during development. In important environments like production, they don’t have access to anything.”

Figure 20: Greatest Risks, Threats, Vulnerabilities

(Respondents rating vulnerability as “high”)

Internal hackers or unauthorized users 22%

Malicious code/viruses 10%

Outside hackers 13%

Abuse of privileges by IT staff 12%

Lack of management commitment/lax procedures 12%

Lack of auditability of access and changes 11%

Loss of hardware or media—e.g., disks, tapes, laptops 10%

Abuse by outside partners/suppliers 4%

Fines/lawsuits resulting from inadequate data or security procedures 4%

Figure 20: There is awareness that “internal” hackers originating attacks from within the firewall or legitimate users abusing their privileges represent the greatest risk, threat, or vulnerability at this time.


Figure 21: Can Respondents Prevent DBAs/Privileged Database Users from Reading/Tampering With Sensitive Data in Financial, HR, or Other Business Applications?

Yes 24%

No 44%

Don’t know/unsure 32%

Figure 21: Three out of four organizations do not have a means to prevent privileged users from tampering with or compromising data from the inside. Even more revealing is that many respondents who believe that they have such a means are in fact relying on detection and recovery, rather than prevention and real-time enforcement.

Figure 22: Consolidate Database Audit Data to Central Secure Location?

Yes, for all databases 13%

For some databases 30%

No 36%

Don’t know/unsure 21%

Figure 22: To complicate matters, most companies don’t protect audit data from unauthorized access so a privileged user could tamper with audit data to hide their tracks, making even detection and recovery impossible.


Figure 23: Have Safeguards to Prevent Unintentional Changes or Breaches by Privileged Users?

Yes 23%

No 54%

Don’t know/unsure 23%

Figure 23: Close to four out of five respondents say there are no safeguards, or that they aren’t aware of safeguards, to prevent accidental data breaches. However, when asked for specific techniques, most cite after-the-fact measures that would remedy such incidents, but say they could not actually prevent them in real time.

Figure 24: Can Respondents Prove Super-User Privilege Not Abusing Privileges?

Yes 32%

No 39%

Don’t know/unsure 28%

Figure 24: In fact, two out of three respondents cannot prove or document that super-users are not abusing their privileges.


Figure 25: Can Users Bypass Applications and Gain Direct Access to Data Using Ad Hoc Tools?

Yes 25%

No 56%

Don’t know/unsure 20%

Total: 101% due to rounding

Figure 25: Any database user armed with often very simple tools such as spreadsheets can also be the source of data breaches.


DATABASE ACTIVITY MONITORING AND AUDITING

Seventy percent of respondents rely on native auditing capabilities—however, no one is really looking at the data.

A majority report they are using native database auditing solutions to monitor database activity on at least some of their databases. (See Figure 26.)

Only one out of four have automated tools to monitor databases for security issues on a regular basis.

At this time, only 25 percent have automated database security monitoring capabilities. This has not changed since the first survey was conducted in 2008. (See Figure 27.)

Even among companies monitoring for data security issues, not enough is being done. Most don’t monitor who is looking at sensitive data, or who is updating sensitive data.

For those respondents that are monitoring production databases in some capacity, only about one-third are tracking who is reading or updating sensitive data stored in their databases. Close to half of respondents aren’t monitoring all privileged user activities, even new account creation or structural database changes, despite numerous regulations that specifically require such controls. (See Figure 28.)

In one out of four organizations, no one would know if an unauthorized database change occurred.

In 24 percent of companies in this survey, respondents report they would not know at all if someone made an unauthorized database change to their system. Only 30 percent can track unauthorized changes across their entire portfolio. (See Figure 29.)

For a majority, it may take some time to detect and correct an unauthorized database change.

Two out of five say they simply don’t know how long it would take, while 16 percent say it would take more than a day. Only 12 percent could catch such incidents within the hour, presumably before a lot of damage could be done. (See Figure 30.)

Likewise, database audits are not something most organizations are prepared to do.

More than one-third of respondents simply do not know how long it would take to prepare for a database audit, while another third say it would take more than a day to prepare all the necessary reports. Only a handful could audit their databases within an hour, if needed. (See Figure 31.)

While respondents indicated that they rely heavily on audits to detect and remedy database security breaches, such audits are few and far between.

Close to one-third, in fact, only do a database audit once a year. Almost two out of five say that they either never audit their databases, or simply don’t know when or if such audits happen. Only 16 percent say they are done at least once a month. As one respondent put it: “Every few years we bring in a consulting company to audit us.” (See Figure 32.)


Figure 26: Use Native Database Auditing to Monitor Database Activity?

Yes, on most databases 37%

On some databases 35%

No 13%

Don’t know/unsure 14%

Total: 99% due to rounding

Figure 26: Seventy percent of respondents rely on native auditing capabilities—however, no one is really looking at the data.

Figure 27: Monitor All Production Databases for Security Issues?

Manually monitor on ad hoc basis 15%

Run tools on an ad hoc basis 15%

Manually monitor on regular basis 11%

Run tools on a regular basis 25%

No 17%

Don’t know/unsure 17%

Figure 27: Only one out of four have automated tools to monitor databases for security issues on a regular basis.


Figure 28: Production Database Activities Monitored

All privileged user activities 54%

Failed logins 50%

Login/logout 41%

New account creation 40%

Database definition changes (new tables, etc.) 39%

Writes to sensitive tables/columns 37%

Read of sensitive tables/columns 28%

Don't know/unsure 23%

Other 2%

Figure 28: Even among companies monitoring for data security issues, not enough is being done. Most don’t monitor who is looking at sensitive data, or who is updating sensitive data.

Figure 29: Would Unauthorized Database Change be Detected?

Yes, on most databases 30%

On some databases 46%

No 24%

Figure 29: In one out of four organizations, no one would know if an unauthorized database change occurred.


Figure 30: Length of Time to Detect Unauthorized Database Change

< 1 hour 12%

1 to 24 hours 33%

1 to 5 days 10%

> 5 days 6%

Don’t know/unsure 39%

Figure 30: For a majority, it may take some time to detect and correct an unauthorized database change.

Figure 31: Length of Time to Prepare for Database Security Assessment/Audit

< 1 hour 7%

1 to 24 hours 22%

1 to 5 days 22%

> 5 days 14%

Don’t know/unsure 35%

Figure 31: Likewise, database audits are not something most organizations are prepared to do.


Figure 32: Number of Database Security Assessments/Audits Per Year

A few times a month 4%

At least once a month 12%

Quarterly 16%

Annually 30%

Never 8%

Don't know/unsure 27%

Other 2%

Figure 32: While respondents indicated that they rely heavily on audits to detect and remedy database security breaches, such audits are few and far between.


OPERATIONAL SECURITY

The primary modus operandi employed by hackers is SQL injection attacks via Web applications. Two out of three data managers in this survey report they are not prepared or don’t know if they are prepared to fend off such attacks.

The Verizon 2010 Data Breach Investigations Report [2] notes that more than 90 percent of all breached records are due to Web applications involving SQL injection attacks. While this represents a major risk for most organizations, only about one-third of respondents say their organizations have taken steps to ensure their applications are not subject to SQL injection attacks. (See Figure 33.)

To make matters worse, many organizations are not applying Critical Patch Updates (CPUs) in timely fashion, increasing the risk that an attacker will get a foothold.

An important way to mitigate the threat of security breaches is by applying security patches—or Critical Patch Updates—as soon as they become available. However, a majority of respondents do not apply such patches right away—63 percent report they are at least a cycle late with CPUs, with 17 percent stating they either don’t apply patches at all or are unsure when they are applied. (See Figure 34.)

[2] 2010 Data Breach Investigations Report, Wade Baker, Mark Goude, et al., Verizon Corp., 2010. http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Figure 33: Taken Steps to Prevent SQL Injection Attacks?

Yes 35%

No 22%

Don’t know/unsure 44%

Total: 101% due to rounding


Figure 34: How Quickly are Critical Patch Updates Applied to All Systems?

Typically before the next CPU released (within 1–3 months) 37%

One cycle late (3–6 months) 17%

Two cycles late (6–9 months) 9%

Three cycles late (9–12 months) 3%

Four or more cycles late (more than 1 year) 7%

Within 1 year 4%

We have never applied a CPU 1%

Don't know/unsure 16%

Other 5%

Figure 34: To make matters worse, many organizations are not applying Critical Patch Updates (CPUs) in timely fashion, increasing the risk that an attacker will get a foothold.


CONCLUSION

Many enterprises are not addressing data security proactively and are unable to prevent unauthorized access to data in real-time. They are taking measures, often on an ad hoc basis, to detect suspicious database activity in the hope of being able to remedy a security problem after the fact. Unfortunately, that approach is often too little, too late—the data has left the building!

This survey of 430 members of the Independent Oracle Users Group finds awareness of internal threats to data, but little being done to mitigate the risks.

Most organizations in this survey do not effectively track or monitor the activities of their privileged database users, let alone prevent data breaches by these insiders. There is a false sense of security that unauthorized database activity can be “prevented” by auditing and recovery processes. However, database audits are ad hoc—and recovery is not always possible or comes at a steep cost.

Many are aware that their organizations have been lucky so far, but that luck has its limits.

Close to two-thirds of companies either expect to have a data security incident that they will have to deal with in the next 12 months, or simply don’t know what to expect.

Respondents are aware that there’s a good chance the data will be compromised, breached, or tampered with. Close to one-third, 31 percent, of the respondents to this survey say that they are likely to experience a data breach over the coming year. Another 34 percent simply don’t know what the likelihood of a security incident will be in their organizations. (See Figure 35.)

A number of respondents say that their information is “safe” because it is not of interest to hackers.

That leaves more than one-third of the respondents, 36 percent, who say they do not expect to experience security incidents within their data environments. Why not? In comments related to this question, respondents seemed to rely on the fact that their databases are not accessible directly from the Internet. This is a false comfort that may lead to a rude awakening given the increasing rate of database attacks originating from within the firewall through SQL injections, malware, and stolen credentials.

But even seemingly uninteresting data may have value in the wrong hands. As one respondent admitted: “We think we have thoroughly investigated our outside support providers as well as our internal support folks. However, one place we see as a vulnerability is the ability of various people to see what is paid for different items. If they were to develop a cozy relationship with a supplier, we feel that the pricing info might be passed on, thereby weakening our ability to negotiate a lower price on the goods we purchase.”

In most cases, respondents have either been lucky or have not been made aware of any data breaches that may have occurred within their organizations over the past year. (See Figure 36.) But how long can their luck hold out?

Figure 35: Likelihood of a Data Breach Over the Next 12 Months

Highly unlikely 13%

Somewhat unlikely 23%

Somewhat likely 26%

Inevitable 5%

Don’t know/unsure 34%


Figure 36: Enterprise Data Breached, Compromised or Tampered With Over the Past Year?

Yes 6%

Not aware of any incidents in past year 79%

Don’t know/unsure 16%


The information in this report has been gathered through Web-based surveys of member and prospective member lists provided by the IOUG, through interviews with knowledgeable participants in the computer industry and through secondary research of generally available documents, reports and other published media, as well as from earlier studies conducted by Unisphere Research. Unisphere Research has relied on the accuracy and validity of all information so obtained. Unisphere Research assumes no liability for inaccurate or omitted information

Total: 101% due to rounding