This morning, database security company Sentrigo released some results from an informal survey they performed at a series of Oracle User Group meetings.
Results highlight that most organizations are not taking advantage of Oracle CPUs in a timely manner, if at all. Findings include:
– When asked: “Have you installed the latest Oracle CPU?” — Just 31 people, or ten percent of the 305 respondents, reported that they applied the most recently issued Oracle CPU.
– When asked: “Have you ever installed an Oracle CPU?” — 206 out of 305 OUG attendees surveyed, or 67.5 percent of the respondents said they had never applied any Oracle CPU.
These findings support my experiences in talking with database administrators and performing informal surveys (hand raising) during conference presentations. Most people seem to patch once a year.
I honestly believe we’ve been dodging database-security bullets for too long. I fully understand how hard it is to test and install a patch to a critical database, but these are also (often) the most important digital assets we own. Oracle will be releasing their quarterly Critical Patch Update, and your security and database teams should be preparing to evaluate the patches, perform a risk assessment, prioritize, and install. While I’ve been critical of how much information they release on updates, I’m a big fan of the quarterly update cycle. It gives enterprises time to prepare for the release and install it in a timely manner, and a quarterly cycle is much more reasonable for databases.
When I ask clients why they don’t patch in a timely fashion, it usually goes like this:
Me: So why haven’t you patched yet?
Them: Our databases are behind a firewall. There’s no Internet access so we only worry about it once a year.
Me: Is the database server firewalled from internal users?
Security Guy In Back Of The Room: No, not really.
Me: What would happen if someone wrote a virus that infected a sales guy’s laptop at Starbucks, then scanned and attacked database servers when he came back to work?
Them: Oh. Um. Well, we have antivirus.
Me: Oh. Well, you’ve got that going for you. Which is nice. You using any database security tools? Maybe an activity monitor, inline protection, or an agent?
[insert crickets here]