A five-year longitudinal study found that nearly one out of every two on-premises databases globally – 46 percent – is vulnerable to attack, given that it has at least one unpatched vulnerability.
The study, which involved 27,000 scanned databases globally, discovered that more than half – 56 percent – of those CVEs are rated “high” or “critical” in severity, indicating that routine patching is being shrugged off by many organizations.
Conducted by Imperva Research Labs and published on Tuesday, the study – carried out with the company’s database-scanning service – also found that the average database contains 26 unpatched CVEs. Some of those vulnerabilities have left databases open to attack for three or more years – a scandalous length of time, given the sensitivity and value of data.
Something just ain’t right with this picture, said Elad Erez, Imperva’s chief innovation officer and research lead. “This research proves that the way data is being secured today simply isn’t working,” Erez wrote in a Tuesday blog about the study.
“For years, organizations have prioritized and invested in perimeter and endpoint-security tools, assuming the protection of the systems or network around the data would be enough,” he said. “However, that approach is not working, as this is an expansive and global problem. Organizations need to rethink the way they secure data in a way that genuinely protects the data itself.”
Erez popped into the Threatpost podcast to discuss the results of the unprecedented study, which managed to reach into organizations’ shadowy nooks and crannies – on private, local networks – to suss out how their owners manage the security of databases that aren’t (or shouldn’t be) exposed to the internet. He also delved into the strengths and weaknesses of on-prem vs cloud database infrastructures, plus the range of attack methods typically employed against on-prem databases to extract vital information.
Download the podcast here or listen to the episode below. Still to come: a lightly edited transcript that we’ll include below.
It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.