Database security software maker Sentrigo Inc. has revealed the results of a survey it conducted, which show that most Oracle database administrators do not apply the Critical Patch Updates (CPUs) that Oracle issues on a quarterly basis. Oracle developed the CPU program to help users guard databases and other products against newly found security flaws. The survey indicates that this security patching is widely neglected, leaving databases exposed to exploits for which fixes already exist. Even allowing for legitimate obstacles to CPU installation, the results show that many businesses have not internalized the risk of leaving their databases without the latest patches.
Sentrigo's findings include the following:
When asked “Have you installed the latest Oracle CPU?”, just 31 people, or ten percent of the 305 respondents, reported that they had applied the most recently issued Oracle CPU.
When asked “Have you ever installed an Oracle CPU?”, 206 of the 305 OUG attendees surveyed, or 67.5 percent of the respondents, said they had never applied any Oracle CPU.
Mike Rothman, president and principal analyst at Security Incite, said, “This survey scares the heck out of me,” adding, “The database is where most of an organization’s critical and regulated data resides and if it’s not patched in a timely fashion, organizations are asking for trouble.”
Sentrigo developed Hedgehog, a host-based database activity monitoring and protection product, to identify and prevent unauthorized database use by external attackers and company insiders. Hedgehog includes a virtual patching capability that guards databases against vulnerabilities that have been disclosed but not yet patched on the host, as well as against certain classes of zero-day exploits. It is positioned as a compensating control for the interval before a CPU is applied, not as a replacement for applying it.
Slavik Markovich, CTO at Sentrigo, said, “While we encourage all organizations to install the Oracle CPUs in a timely fashion, Hedgehog’s virtual patching appeals to businesses because it offers a security layer that doesn’t require database downtime and is transparent to applications accessing the database. Hedgehog gives organizations such as these a fast, unobtrusive way to virtually patch until they can take time to install the latest CPU. Additionally, many companies are running older, unsupported database versions and have no protection against new exploits – for them, virtual patching is pretty much the only way to address vulnerabilities.”
Sentrigo carried out the survey at Oracle Users Group (OUG) meetings in the US from August 2007 onwards, starting at the Capital Area OUG in Reston, Va., and continuing in cities including Chicago, Portland, Salt Lake City, Charlottesville and Cincinnati. A total of 305 professionals participated, most of whom were database administrators, consultants and developers.