Database Security - Facts are stubborn things, but statistics are more pliable

Quite how David Litchfield of NGS Software can survey a million IP addresses, find 200 vulnerable databases, and then conclude that this means there are half a million others similarly vulnerable and “putting corporate data at risk” strikes me as the same logic Tommy Cooper used to deduce that… “Apparently, 1 in 5 people in the world are Chinese. And there are 5 people in my family, so it must be one of them. It’s either my mum or my dad. Or my older brother Colin. Or my younger brother Ho-Cha-Chu. But I think it’s Colin.”

But let’s not undermine the premise that there probably are a number of insecure databases out there for one reason or another. It’s reasonable to assume that some of them will contain private data. How do you know if it’s one of yours? Of course, you could employ a company such as NGS to find out for you. In fact, that’s not a bad idea, and here’s why. Even if you’ve hardened the server, configured and locked down the firewall, implemented an IPS, ensured that access is IP strapped, and done everything else the manual on “teach yourself database security in 24 hours” says to do, it’s still likely that one day soon somebody within the organisation will change something, or a newly found vulnerability will go unpatched, and you’ll end up with your kimono open slightly more than you’d like. And when that happens, others notice but generally are too polite to tell you about it until it’s too late…

An external test, looking at your IP range in the same way as a targeted attack would, will identify any exposures.

Of course, what testing won’t help you identify is instances such as the security breach suffered by Certegy in the USA, where a database administrator “misappropriated and sold consumer information to a data broker who, in turn, sold a subset of that data to a limited number of direct marketing organizations.” You’ll need decent internal management processes to avoid that scenario. But that’s another blog.

For now, here’s some more Tommy Cooper… “So I was getting into my car, and this bloke says to me ‘Can you give me a lift?’ I said ‘Sure, you look great, the world’s your oyster, go for it.’”