One out of every two on-premises databases globally has at least one vulnerability, finds a new study from Imperva Research Labs spanning 27,000 on-prem databases, based on insights from a proprietary database scanning service introduced by Imperva Innovation five years ago.
Imperva released the results of the study this week, which found that, in total, 46% of the on-premises databases worldwide covered by the scan contained known vulnerabilities.
Cyber experts weighed in on this latest report from Imperva.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify:
It comes as no surprise that many organizations still struggle to patch systems and reduce critical vulnerabilities, especially on databases. The balance between productivity and security is always a fine line. When databases are offline, it typically means that business productivity is impacted. Databases can contain sensitive information such as employee data, personally identifiable information, health data, financial details, intellectual property and much more, so it is vital that organizations protect and secure databases with the highest priority. While the report does include some concerning numbers, it does not tell the complete picture as, while the number of vulnerabilities is high, it does not detail other security controls used to protect those databases. Patching systems is critical, but it is also important to have strong access controls using privileged access security along with detailed auditing and MFA.
Tim Wade, Technical Director, CTO Team at Vectra:
In some respects, for those of us who’ve managed the chaos that exists inside an enterprise, these numbers aren’t surprising. Certainly the presence of neglect and a lack of IT hygiene are an important part of this finding, but it’s equally important to contextualize these findings against the reality that databases are disproportionately a part of essential business systems relative to other infrastructure. This reality creates tension between the risks of disruption via exploitation from failing to patch and the inevitable cases where patches aren’t fully baked, and themselves cause disruption. This tension exposes how the notion that enterprises will simply dig their way out of security holes with vulnerability management is a work of speculative fiction – known and unknown vulnerabilities will always exist in some noteworthy quantity, exploitation will occur as a byproduct of this, and i