According to this article from Information Week, “only 35% of Oracle users continuously monitor for suspicious activity.”
Ouchtown, population YOU, bro. Well 65% of you.
Let’s assume that this study is accurate (based on the installations of Oracle that I have seen, I would guess it is pretty close if not optimistic). This means that there are databases out there, probably with sensitive data in them, that are compromised and the DBAs or security teams don’t even know it. Many DBAs simply give up on patching these installations thanks to a rather messy process, so the problem could even be worse.
The study specifically states that continuous monitoring (minus a definition on what that means) is performed by 35% of the respondents. Another 32% monitor once per day, 23% once per week, and 9% once per month. Apparently, a couple of respondents also chose to say they monitor once per YEAR (1%).
Daily monitoring COULD be useful, but it is not nearly as useful as real-time monitoring. It really depends on what the respondents are doing. If continuous monitoring means that they are pinging the database every few seconds to make sure it responds, that’s not the kind of monitoring that I’m talking about here. I’m talking about real-time monitoring that could help a DBA or security analyst determine if a breach has occurred, or is occurring. Ideally, seeing the attack in progress would help stem the amount of data lost.
Most Oracle installations after version 10 can support some kind of minimal audit logging without a major performance hit. I don’t know of any Oracle DBA that would turn on audit logging for every table in their database, but there are key schemas that should be monitored. This will require someone do some analysis though, and with most of us continually being asked to do more with less, I bet this task quickly is tossed by the wayside.
Application vulnerabilities make matters worse by exposing these databases to compromise more and more every day. Companies driving major e-Commerce installations from databases are an obvious first target, but don’t forget Extranet sites for vendors, or poor network segmentation that exposes databases to a relatively large population of employees (that we all hope are on the straight and narrow).
I would be interested to see this survey expanded beyond the scope of Oracle. I bet that the numbers are pretty similar in the Microsoft SQL world as well as in any of the Open Source databases (PostgreSQL, MySQL). My guess is that two databases that would buck this trend would be DB2 and Informix, but that’s just a crazy guess by a crazy blogger.
Possibly Related Posts:
- Equifax is only half the problem, your SSN needs a redesign!
- Orfei Steps Down
- Two reports, many questions
- The Beginning of the End, No PCI DSS 4.0 in 2016
- We Should Question Bold Claims that PCI Is “Highly Effective”