According to a new study by Verizon Business’ computer forensics team, 30% of data security breaches in 2008 were initiated with database exploitation. Furthermore, of all the records breached, 75% were housed in databases. As the reliance on databases grows, particularly on large-scale websites, it is more crucial than ever for them to be secure.
“When you get down to it, a large percentage of the security threats potentially go after the database,” says Rich Mogull, analyst and founder of Securosis, an enterprise security consulting firm. Most information security practitioners grow up on the networking side of IT and know little about database technology, adds Mogull. And a recent Forrester Research study found that database administrators spend less than 5% of their time on database security.
A recent poll by the Oracle Users Group found that 26% of organizations take more than six months to patch their Oracle databases, leaving their servers and (more importantly) their information unsecured. SQL injection is a popular method of exploitation among hackers. They enter SQL strings into web applications, probing for holes in whatever security a website has in place.
According to IBM’s ISS X-Force security research unit, SQL injection was the most common method of hacker attacks, growing by 134% since 2007. As more sensitive data is placed on the web and more companies rely on dynamic web-based applications, it is more critical than ever for website owners to work in collaboration with one another to ensure not only that individual websites are secure, but also that the entire web becomes an impenetrable wall.