Where are the DBAs?
October 7th, 2009
What I really want to know is this: Where are the Database Admins (DBAs) these days?
I can't tell you how many times in the past 18 months I've found real enterprises running vulnerable databases with default passwords, weak passwords and no real permissions management.
It’s bad enough that the stats right now are this (so I guess I can tell you):
- 9 out of 10 organizations have a Microsoft SQL Database with a blank “sa” password (or an sa password of “sa”, “sql” or “password”)
- 9 out of 10 organizations have a Postgres Database with a default password
- 9 out of 10 organizations have a Sybase Database with a default password
- Several default Microsoft SQL Server 2000 installations–do you remember SQL Slammer/Sapphire??? Yup…still out there
- Oracle Listener services not requiring authentication–this means anyone with network access can shut down the DB server
- Common practice of NOT patching a DB server or deploying anti-virus…on a Microsoft SQL Server, an unpatched Windows vuln gets exploited and “poof”–a terminal services session and full control of the database (or the server falls prey to Slammer 7 years after the fact)
- No defined DBA position–application developers or system admins are the DB admins…no wonder I see this so often
- Storing passwords unencrypted–I’ve seen this in MAJOR software vendors’ DB implementations
This is just the short list, but with all of the other ways to get access to a database through the applications connected to it, why has the industry at large neglected the baseline security parameters of database administration? Is being a DBA just not sexy enough these days? Is there a shortage of qualified DBAs? Can most organizations even afford a good DBA?
Forget the whole database optimization/normalization value of employing a DBA; the security implications of leaving DBA tasks in the hands of developers and engineers are massive.
Am I the only one seeing this, or can you relate?
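As an added example (not part of the original post), here is a T-SQL audit a DBA can run as sysadmin on SQL Server 2005 or later to find the blank and default “sa”-style passwords from the list above. The candidate list is constructed from the post and is an assumption about what to check; PWDCOMPARE and sys.sql_logins do not exist on SQL Server 2000, so those boxes need the patch/upgrade treatment first.

```sql
-- Audit SQL authentication logins for the default passwords listed in the post.
-- Requires sysadmin (password_hash is only visible to sysadmin) on SQL Server 2005+.
-- Candidate list is constructed from the post; extend it with your own known-weak values.
SELECT
    l.name                  AS login_name,
    c.finding               AS finding,
    l.is_disabled,
    l.is_policy_checked,         -- 0 means Windows password policy is NOT enforced
    l.is_expiration_checked,     -- 0 means the password never expires
    IS_SRVROLEMEMBER(N'sysadmin', l.name) AS is_sysadmin
FROM sys.sql_logins AS l
JOIN (
    SELECT N''         AS pwd, N'blank password'        AS finding
    UNION ALL SELECT N'sa',       N'password is "sa"'
    UNION ALL SELECT N'sql',      N'password is "sql"'
    UNION ALL SELECT N'password', N'password is "password"'
) AS c
    ON PWDCOMPARE(c.pwd, l.password_hash) = 1   -- 1 when the clear text matches the stored hash

UNION ALL

-- Separately flag any login whose password equals its own login name (not only sa/sa).
SELECT
    l.name,
    N'password equals login name',
    l.is_disabled,
    l.is_policy_checked,
    l.is_expiration_checked,
    IS_SRVROLEMEMBER(N'sysadmin', l.name)
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(l.name, l.password_hash) = 1
ORDER BY is_sysadmin DESC, login_name;
```

Any row returned is a finding to remediate immediately (rotate the password, set is_policy_checked, and review sysadmin membership); an empty result set for every candidate is the expected state.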
That’s a good list ….. The fact of the matter is that most DBAs don’t care either ….. “It’s too complicated” or “Why do we need to do that?” ….. Can’t count how many times I’ve heard those statements in the last 9 or so years I have been involved with Network Security ….. The best one is a former boss asked me to come up with a DB security policy and it was ignored by the manager of the DBAs ….. until the web server which contained the DB (also a violation of the policy I wrote) was hacked ….. Then it was my fault because the firewall did not block it ….. Did not stay at that company long after that …..
Comment by netsec_ct — October 9, 2009 @ 1:37 am
Where did you get those figures/stats from? Own experience? External sources like Gartner et al? Would love to shove those figures down our management throat…
Comment by TKO — October 11, 2009 @ 2:35 pm
@TKO. We got these stats through our own experience in the past 2 years or so. It varies from industry to industry and based on size of the overall network, but the stats I gave in the original article are based on pure stats alone from the DB of vulns we’ve amassed over that time.
Comment by donwalrus — October 11, 2009 @ 7:03 pm
This is a direct result of using cheap contract workers to setup infrastructure. They don’t give a s**t if it gets hacked as long as the paycheck clears the bank.
ALL managers should be held directly accountable for any assets they own. Then they will make sure it is secure.
Comment by Stacksmasher — December 15, 2009 @ 2:53 pm
I really liked your point of view, subscribed to, I’ll wait for new posts.
Comment by Bob — April 12, 2010 @ 3:43 am
Hey thanks for sharing such nice and informative information. I was searching the web and found your entry. I really like your site and found it worthwhile reading through the posts.
I read with interest your article titled “DBAs are like air”. Certainly all databases are moving towards self managing and self tuning, although in reality this is far from perfect. Just ask any DBA who works in a mission critical environment.
By the way for more information check this link: http://www.eccouncil.org/certification/ec-council_network_security_administrator.aspx
Comment by smith — May 3, 2010 @ 3:51 am