Unpatched Bugs Plague Databases; Your Data Is Probably Not Secure – Podcast

Imperva’s Elad Erez discusses findings that 46 percent of on-prem databases are sitting ducks, unpatched and vulnerable to attack, each with an average of 26 flaws.

A five-year longitudinal study found that nearly one out of every two on-premises databases globally – 46 percent – is vulnerable to attack, given that it has at least one unpatched vulnerability.

The study, which involved 27,000 scanned databases globally, discovered that more than half – 56 percent – of the unpatched vulnerabilities found are rated “high” or “critical” in severity, indicating that routine patching is being neglected by many organizations.

Conducted by Imperva Research Labs and published on Tuesday, the study – carried out with the company’s database-scanning service – also found that the average database contains 26 unpatched CVEs. Some of those vulnerabilities have left databases open to attack for three or more years – a scandalous length of time, given the sensitivity and value of data.


Something just ain’t right with this picture, said Elad Erez, Imperva’s chief innovation officer and research lead. “This research proves that the way data is being secured today simply isn’t working,” Erez wrote in a Tuesday blog about the study.

“For years, organizations have prioritized and invested in perimeter and endpoint-security tools, assuming the protection of the systems or network around the data would be enough,” he said. “However, that approach is not working, as this is an expansive and global problem. Organizations need to rethink the way they secure data in a way that genuinely protects the data itself.”

Erez popped into the Threatpost podcast to discuss the results of the unprecedented study, which managed to reach into organizations’ shadowy nooks and crannies – on private, local networks – to suss out how their owners manage the security of databases that aren’t (or shouldn’t be) exposed to the internet. He also delved into the strengths and weaknesses of on-prem vs cloud database infrastructures, plus the range of attack methods typically employed against on-prem databases to extract vital information.

Download the podcast here or listen to the episode below. Still to come: a lightly edited transcript that we’ll include below.


  • Jeremy:

    Any DBA who is worth anything can tell you if you are not patched or are on an unsupported version. If they can't, then go find yourself better DBAs. Management simply doesn't want to or can't take the time to constantly go through regression testing of their applications to constantly apply patches. The same is true of downtime (which you did not fully address). None of this will be addressed by going to the cloud. Some vendors will force you to apply patches even if you haven't tested. The cloud is not a magic bullet to solve your security issues. It is just another layer that comes with its own security and management issues.
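The kind of check the comment above describes, a DBA answering "are we patched, and are we on a supported version?" for a whole fleet, is shown below as an added example. It is not Imperva's scanning service nor any code from the article. The version banners are constructed samples in the shape returned by `SELECT version()` (PostgreSQL), `SELECT VERSION()` (MySQL) and `SELECT @@VERSION` (SQL Server), and the minimum-version policy is an assumed placeholder: real floors must come from the vendor's release notes and the CVE advisories that apply to each build. The one design point worth copying is that an unparseable banner is reported as "unknown" and kept on the attention list rather than silently counted as compliant.

```python
import re

# ASSUMED fleet policy (illustrative placeholders, NOT vendor-published minimums):
# the oldest patch level of each engine we are willing to keep in production.
MIN_VERSION = {
    "postgresql": (13, 5),
    "mysql": (8, 0, 27),
    "mssql": (15, 0, 4153),  # SQL Server 2019 as major.minor.build
}

# How to pull the numeric version out of each engine's banner string.
BANNER_RE = {
    "postgresql": re.compile(r"PostgreSQL (\d+)\.(\d+)"),
    "mysql": re.compile(r"^(\d+)\.(\d+)\.(\d+)"),          # ignores "-0ubuntu..." suffixes
    "mssql": re.compile(r"- (\d+)\.(\d+)\.(\d+)\.\d+"),   # "... - 15.0.4073.23 (X64)"
}


def parse_version(engine, banner):
    """Return the version as a tuple of ints, or None if the banner is not recognised."""
    pattern = BANNER_RE.get(engine)
    if pattern is None:
        return None
    match = pattern.search(banner)
    if match is None:
        return None
    return tuple(int(g) for g in match.groups())


def classify(engine, version):
    """'ok' at or above the floor, 'below-minimum' under it, 'unknown' if unparsed/unmapped."""
    if version is None or engine not in MIN_VERSION:
        return "unknown"
    return "ok" if version >= MIN_VERSION[engine] else "below-minimum"


def audit(inventory):
    """Classify every host in the inventory; returns one finding dict per host."""
    findings = []
    for entry in inventory:
        version = parse_version(entry["engine"], entry["banner"])
        findings.append({
            "host": entry["host"],
            "engine": entry["engine"],
            "version": version,
            "status": classify(entry["engine"], version),
        })
    return findings


def needs_attention(findings):
    """Everything not provably at the floor, including hosts whose banner could not be read."""
    return [f for f in findings if f["status"] != "ok"]


# Constructed sample inventory; hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "db-hr-01", "engine": "postgresql",
     "banner": "PostgreSQL 13.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.3.1, 64-bit"},
    {"host": "db-crm-01", "engine": "mysql",
     "banner": "8.0.30-0ubuntu0.20.04.2"},
    {"host": "db-erp-01", "engine": "mssql",
     "banner": "Microsoft SQL Server 2019 (RTM-CU8) (KB4577194) - 15.0.4073.23 (X64)"},
    {"host": "db-test-01", "engine": "postgresql",
     "banner": "connection refused"},  # scan failed: must not be counted as compliant
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']:<12} {f['engine']:<11} {str(f['version']):<16} {f['status']}")
```

Run against the sample inventory, two hosts come back "below-minimum", one "ok" and one "unknown"; the attention list therefore holds three of the four hosts. Wiring this to a real fleet means replacing `SAMPLE_INVENTORY` with banners collected from each instance and keeping `MIN_VERSION` in step with the advisories you actually track.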
