If there is one piece of advice that all cybersecurity experts agree on, it is this: patch and update your software at every opportunity!
Outdated software or live software with known vulnerabilities is one of the first things that threat actors look for when planning an attack.
Luckily, it is easy to track Common Vulnerabilities and Exposures (CVEs) via various online databases. We also continuously see new zero-day exposures popup. Once this information becomes public, it is a race between the developers and users of this software to patch or secure affected systems before it is exploited by threat actors in the real world.
While this applies to all types of software, a recent study has found that databases tend to be exceptionally vulnerable in this regard.
The five-year longitudinal study was conducted by Imperva Research Labs with its findings released in early September 2021. The study involved scanning over 27,000 databases from various companies around the globe to determine the incidence of CVEs and their severity. The findings were startling, to say the least:
46% of 46% of On-Prem Databases Globally Contain Vulnerabilities
Of those, more than 56% of the CVEs found were ranked as ‘High’ or ‘Critical’ severity according to NIST (National Institute of Standards and Technology).
According to Elad Erez, Chief Innovation Officer, Imperva, this is not due to a lack of funding or understanding the general importance of updating and patching software.
“While organizations heavily invest in security, our extensive research shows that most have neglected the basics. Security patches of endpoints and applications are usually deployed in a relatively quick and frequent manner, yet too often, organizations tend to delay their database security patches out of concern for application downtime or application business logic failure.”
This is a common thread in the continuous struggle between maintaining the balance between operational efficiency and security. In the super information highway, we are on, instant and always-on access to business data is an imperative for businesses and end-users alike.
It’s understandable that decision-makers may feel it is worth the risk to delay a patch or update to prevent a disruption to their revenue-generating processes.
However, this might stem from the fact that many fail to realize just how significant the risk really is. A separate study by Imperva found that the number of data breaches has grown by 30% annually. According to IBM’s Cost of a Data Breach Report 2021, the average cost of a data breach rose to a 17-year high of $4.24 million.
That’s not calculating indirect costs related to the damage caused to a company’s public image as well as possible legal action if a company was found to be in breach of ever-tightening data protection regulations, such as GDPR, HIPAA, or the CCPA.
In a blog post, Ezra expounded on how incorrect prioritization and mindsets exacerbates this issue:
“For years, organizations have prioritized and invested in perimeter and endpoint-security tools, assuming the protection of the systems or network around the data would be enough. However, that approach is not working, as this is an expansive and global problem. Organizations need to rethink the way they secure data in a way that genuinely protects the data itself.”
The threat of vulnerable databases and overlapping systems is very real, and no organization can just assume they are safe without a thorough audit of their current security measures and practices. A step in the right direction is to realize the critical importance of staying on trend with the latest information regarding CVEs and to create a formal and rigorously followed procedure for verifying and patching your database systems on a regular basis.
Sources:
Data security is broken: What’s next?
Chances Are, Your Data is Not Secure: 46% of On-Prem Databases Globally Contain Vulnerabilities
Lessons Learned from Analyzing 100 Data Breaches
