Where are the DBAs?
What I really want to know is this: Where are the Database Admins (DBAs) these days?

I can't tell you how many times in the past 18 months I've found real enterprises running vulnerable databases with default passwords, weak passwords and no real permissions management.

It's bad enough that the stats right now are this (so I guess I can tell you):

  • 9 out of 10 organizations have a Microsoft SQL Server database with a blank "sa" password (or an sa password of "sa", "sql" or "password")
  • 9 out of 10 organizations have a Postgres database with a default password
  • 9 out of 10 organizations have a Sybase database with a default password
  • Several default Microsoft SQL Server 2000 installations. Do you remember SQL Slammer/Sapphire? Yup, still out there.
  • Oracle listener services not requiring authentication. This means anyone with network access can stop the listener, which takes the database offline for every client that connects through it.
  • Common practice of NOT patching a DB server or deploying anti-virus. For Microsoft SQL Servers, exploit an unpatched Windows vuln and "poof": you get a Terminal Services session and full control of the database (or fall prey to Slammer 7 years after the fact).
  • No defined DBA position: application developers or system admins are the DB admins. No wonder I see this so often.
  • Storing passwords unencrypted. I've seen this in MAJOR software vendors' DB implementations.
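
The first two bullets are easy to verify without touching a live server, so here is an added example (not part of the original post) that checks exported login hashes against exactly the defaults listed above, offline. It assumes you have exported `name, password_hash` from `sys.sql_logins` (SQL Server 2005+; on 2000, `master..syslogins.password` shares the same first 26 bytes) and `rolname, rolpassword` from `pg_authid` under md5 authentication. The sample rows are constructed inside the script by hashing known passwords with fixed salts; no Sybase or Oracle check is included, and the hash layouts it reproduces are the documented SQL Server (0x0100 SHA-1 / 0x0200 SHA-512) and PostgreSQL (`md5` + md5(password || username)) formats.

```python
import hashlib

# Defaults the post lists for SQL Server, plus "postgres" for PostgreSQL.
DEFAULT_PASSWORDS = ["", "sa", "sql", "password", "postgres"]


def mssql_hash(password, salt, version=0x0100):
    """Build a password_hash the way SQL Server stores it: a 2-byte version,
    a 4-byte salt, then SHA-1 (0x0100, SQL Server 2005/2008) or SHA-512
    (0x0200, SQL Server 2012+) over UTF-16LE(password) + salt."""
    if len(salt) != 4:
        raise ValueError("SQL Server salts are 4 bytes")
    digest = hashlib.sha1 if version == 0x0100 else hashlib.sha512
    return version.to_bytes(2, "big") + salt + digest(password.encode("utf-16-le") + salt).digest()


def pg_md5_hash(password, rolname):
    """pg_authid.rolpassword under md5 auth: 'md5' + hex(md5(password + rolname))."""
    return "md5" + hashlib.md5((password + rolname).encode("utf-8")).hexdigest()


def check_mssql_login(name, password_hash, candidates=DEFAULT_PASSWORDS):
    """Return the weak password that reproduces password_hash, or None.
    The login name itself is also tried, which catches sa/sa. Prefix
    comparison covers SQL Server 2000's syslogins.password, which appends
    a second, case-insensitive SHA-1 after the same 26 bytes."""
    version = int.from_bytes(password_hash[:2], "big")
    if version not in (0x0100, 0x0200):
        raise ValueError("unrecognised password_hash version 0x%04x" % version)
    salt = password_hash[2:6]
    for cand in list(candidates) + [name]:
        expected = mssql_hash(cand, salt, version)
        if password_hash[:len(expected)] == expected:
            return cand
    return None


def check_pg_role(rolname, rolpassword, candidates=DEFAULT_PASSWORDS):
    """Return "NO PASSWORD" for a NULL rolpassword, the matching weak
    password, or None. Only md5-style hashes are checked; whether a NULL
    password is actually exploitable depends on pg_hba.conf (trust vs. md5)."""
    if rolpassword is None:
        return "NO PASSWORD"
    if not rolpassword.startswith("md5"):
        return None  # SCRAM or another scheme: outside this example
    for cand in list(candidates) + [rolname]:
        if pg_md5_hash(cand, rolname) == rolpassword:
            return cand
    return None


def audit(mssql_logins, pg_roles):
    """Run both checks over exported rows and return (system, login, finding) tuples."""
    findings = []
    for name, h in mssql_logins:
        hit = check_mssql_login(name, h)
        if hit is not None:
            findings.append(("mssql", name, "blank password" if hit == "" else "password is '%s'" % hit))
    for name, h in pg_roles:
        hit = check_pg_role(name, h)
        if hit == "NO PASSWORD":
            findings.append(("postgres", name, "no password set"))
        elif hit is not None:
            findings.append(("postgres", name, "blank password" if hit == "" else "password is '%s'" % hit))
    return findings


# Constructed sample rows standing in for the two exports (hypothetical logins);
# the hashes are generated here from known passwords and fixed salts so the
# script runs offline.
SAMPLE_MSSQL = [
    ("sa", mssql_hash("", b"\xde\xad\xbe\xef")),                       # blank sa
    ("app_user", mssql_hash("sql", b"\x00\x11\x22\x33")),              # one of the listed defaults
    ("reporting", mssql_hash("Fz8!nq2#Lr", b"\x44\x55\x66\x77")),      # strong, must not be flagged
    ("svc_etl", mssql_hash("svc_etl", b"\x01\x02\x03\x04", 0x0200)),  # password == login, 2012 format
]
SAMPLE_PG = [
    ("postgres", pg_md5_hash("postgres", "postgres")),       # postgres/postgres
    ("etl", None),                                           # no password stored at all
    ("analytics", pg_md5_hash("Xq7#pw!Long1", "analytics")),
]

if __name__ == "__main__":
    for system, login, finding in audit(SAMPLE_MSSQL, SAMPLE_PG):
        print("[%s] %s: %s" % (system, login, finding))
```

Run it against a real export by replacing the two sample lists with the rows from the queries named above; any hit is a login that the first two bullets describe, and the `pg_authid` rows with a NULL password are the ones to cross-check against `pg_hba.conf`.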

This is just the short list, but with all of the other ways to get access to a database through the applications connected to it, why has the industry at large neglected the baseline security parameters of database administration? Is being a DBA just not sexy enough these days? Is there a shortage of qualified DBAs? Can most organizations even afford a good DBA?

Forget the whole database optimization/normalization value of employing a DBA; the security implications of leaving DBA tasks in the hands of developers and engineers are massive.

Am I the only one seeing this, or can you relate?

Check out more database security-related posts at https://www.infosecisland.com/homecategory/12/Database+Security.html




Copyright © 2007-2012 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.