2010 IOUG DATA SECURITY SURVEY
By Joseph McKendrick, Research Analyst
Produced by Unisphere Research, a division of Information Today, Inc.
September 2010


TABLE OF CONTENTS

Executive Summary
Overview
Data Privacy
Access Control to Data and Databases
Database Activity Monitoring and Auditing
Operational Security
Conclusion

2010 IOUG Data Security Survey was produced by Unisphere Research and sponsored by Oracle. Unisphere Research is the market research unit of Unisphere Media, a division of Information
Today, Inc., publishers of Database Trends and Applications magazine and the 5 Minute Briefing newsletters. To review abstracts of our past reports, visit www.dbta.com/research. Unisphere Media,
229 Main Street, Chatham, NJ 07928. Tel: 973-665-1120, Fax: 973-665-1124, Email: Tom@dbta.com, Web: www.dbta.com.
Join the IOUG—If you’re not already an IOUG member and would like to continue receiving key information like this, visit the IOUG at w3.ioug.org/join/today for information on how to join
this dynamic user community for Oracle applications and database professionals.
Data collection and analysis performed with SurveyMethods.
EXECUTIVE SUMMARY
Information security is top of mind for all organizations today.
Companies recognize that there are severe repercussions to
ignoring or undervaluing data security, and most are increasing
their investment in security and putting in place measures to
protect their information. But are those measures sufficient? And,
do those measures really provide the safeguards organizations
think they do? According to this year’s survey of 430 members of
the Independent Oracle Users Group (IOUG), the answer to both
of these questions is “no,” leaving organizations more at risk than
they are aware. This study of IOUG members’ information security
practices was first conducted in 2008, and then again in 2009.
This year’s survey,1 conducted in May 2010 by Unisphere
Research, a division of Information Today, Inc., and sponsored by
Oracle Corporation, uncovered the following troubling findings:
■ Fewer than 30 percent of respondents are encrypting
personally identifiable information in all their databases.
Although slightly up from last year, this finding is startling
given the number of existing data privacy and protection
mandates that specifically call for data-at-rest encryption.
■ Close to two out of five of respondents’ organizations ship
live production data out to development teams and outside
parties. However, more than one-third admit that the data is
unprotected, or don’t know if it is protected. In many cases,
the data consists of sensitive or confidential information.
■ Three out of four organizations do not have a means to
prevent privileged database users from reading or tampering
with HR, financial or other business application data in their
databases. Many of those who responded that they could
“prevent” such activity indicated that they did so by relying
on auditing and recovery process, and were reacting rather
than preventing.
■ In fact, two out of three respondents admit that they could
not actually detect or prove that their database administrators
and other privileged database users were not abusing their
privileges.
■ However, database administrators and other IT professionals
aren’t the only people that can compromise data security from
the inside. An end user with common desktop tools can also
gain unauthorized direct access to sensitive data in the databases.
Close to half of respondents say that this either could happen in
their organizations, or that they don’t know if it could.
■ Almost 64 percent indicate that they either do not monitor
database activity, do so on an ad hoc basis, or don’t know
if anyone is monitoring. Less than one-third of those
monitoring are watching sensitive data reads and writes.
As a result, 40 percent of respondents indicate that they are
unsure as to how long it would take them to detect and
correct unauthorized changes to their data or their databases.
■ Overall, two-thirds of companies either expect a data security
incident they will have to deal with in the next 12 months, or
simply don’t know what to expect.
What is the greatest risk? “Our greatest risk is probably that
of a rogue employee running amok,” says one respondent.
“We’d know about it soon enough, but it might be too late to
avoid serious damage.” This is a sentiment echoed by many other
respondents.
Some data managers feel that their data is secure mainly
because databases are not connected to the Internet—a false
comfort that may lead to a rude awakening, especially considering
that a majority of organizations admit that they do not apply
Critical Patch Updates intended to address security vulnerabilities
in a timely manner, or take steps to ensure that all their
Internet-facing applications are not subject to SQL injection attacks.
On the following pages, the detailed survey results are
presented by key areas: data privacy, access control, activity
monitoring and auditing, and operational security.

1 The survey consisted of email messages to IOUG members directing them to a
Web-based survey instrument. Respondents were encouraged to provide
open-ended responses to further explore the nature of their data security adoption
strategies.

OVERVIEW
Data managers and professionals in this survey have a range
of responsibilities, and come from a range of company sizes.
Nine out of 10 respondents have some role to play in
corporate data security, and one-third of respondents categorize
this role as “extensive.” Respondents also run multiple
databases at their sites—one out of five, in fact, runs more than
500 instances of databases. (See Figures 1–5.)
Many organizations move data out to outsourcers for
application development, testing and administration.
In the current environment, the lines between “insiders” and
“outsiders” have blurred. Organizations rely on third-party
organizations and contractors to manage and develop systems
and applications. More than one-third report that they outsource
or offshore their database or application administration
functions to an outside provider. (See Figure 6.)
Even larger numbers of respondents report that their
companies outsource database development and testing. Close to
half of respondents, 47 percent, report that they either extensively
outsource development or test functions, or they do so on a
limited basis. (See Figure 7.)
This poses unique challenges in terms of enforcing
appropriate controls to sensitive and regulated data.
Organizations are increasing investments in data security.
The research shows that data security efforts are recovering
from the recent economic downturn. Forty-three percent of
companies have increased their IT security-related spending, up
from 28 percent in last year’s survey and 41 percent in the 2008
survey. Only nine percent say spending has actually decreased.
(See Figure 8.)
Although funding is improving, most IT security programs
fail to address the threats to databases.
While half of respondents would consider their company’s level
of commitment to be “high,” close to one out of six—17 percent—
represent their company’s commitment to database security as low
or simply aren’t aware of a commitment. Another one-third rank
IT security as a lukewarm “medium.” (See Figure 9.)
Database security often doesn’t receive organizations’ full
attention as an IT security function. In close to half of the
companies surveyed, database security falls outside the
purview of the IT security function.
Typically, the job of database security falls on the database
group, as reported by more than three out of four survey
respondents. Just over half of the organizations in this survey
indicated that they have a dedicated security group that oversees
their database security requirements. (See Figure 10.)
Many of the respondents also indicated that they are in
regulated businesses, which creates greater urgency for
addressing data security.
More than half of the organizations in the survey are charged
with fulfilling requirements associated with Sarbanes-Oxley Act
(SOX), and more than one-third must comply with state-level
data protection laws and HIPAA/HITECH mandates. (See
Figure 11.)

Figures 1–5: Data managers and professionals in this survey have a range of responsibilities, and come from a range of
company sizes.

Figure 1: Respondents’ Roles in Data Security
Extensive role 33%
Limited or supporting role 58%
No role in data security at this time 9%


Figure 2: Respondents’ Job Roles
Professional/Staff
Database Administrator (DBA) 49%
Programmer/Developer 8%
Analyst/Systems Analyst 6%
Data Architect 4%
Systems Administrator 4%
Applications Administrator 2%
IT Consultant for IT Service/Integration Firm 2%
IT Consultant/Independent Contractor 2%
IT Management/Business Management
Director/Manager of IS/IT 7%
CIO/CTO/Vice President of IT 2%
IT Operations Manager 3%
Project Manager 6%
Executive Management Level for the Business 1%
Other 4%

Figure 3: Respondents’ Companies By Number of Employees
(Includes all locations, branches, and subsidiaries)
1 to 100 employees 11%
101 to 500 employees 15%
501 to 1,000 employees 10%
1,001 to 5,000 employees 19%
5,001 to 10,000 employees 13%
More than 10,000 28%
Decline to answer 4%


Figure 4: Respondents’ Primary Industries
IT Services/Consulting/Sys. Integration 21%
Utility/Telecommunications/Transport 11%
Education (all levels) 10%
Government (all levels) 10%
Financial Services 7%
Healthcare/Medical 6%
Manufacturing 6%
Software/Application Development 5%
Business Services 4%
Retail/Distribution 4%
Consumer services 3%
High-Tech manufacturing 3%
Insurance 3%
Other 8%

Figure 5: By Number of Databases Run Within Respondents’ Companies
<10 16%
11 to 100 35%
101 to 500 19%
501 to 1,000 7%
>1,000 13%
Don’t know/unsure 10%


Figures 6 & 7: Many organizations move data out to outsourcers for application development, testing and administration.

Figure 6: Outsource or Offshore Database/Application Administrative Functions?
Yes, but on a limited basis 26%
Yes, extensively 8%
Don’t know/unsure 5%
No 61%

Figure 7: Outsource or Offshore Database/Application Development or Test Functions?
Yes, but on a limited basis 36%
Yes, extensively 11%
Don’t know/unsure 6%
No 48%
Total: 101% due to rounding


Figure 8: Organizations are increasing investments in data security.

Figure 8: Change in IT Security Spending Over the Past Year
Increased: 41% (2008), 28% (2009), 43% (2010)
Decreased: 9% (2010); earlier surveys: 13%, 4%

Figure 9: Although funding is improving, most IT security programs fail to address the threats to databases.

Figure 9: Where Database Security Falls in Terms of IT Security Priorities
High 50%
Medium 34%
Low 7%
Don’t know/unsure 10%


Figure 10: Database security often doesn’t receive organizations’ full attention as an IT security function. In close to half of
the companies surveyed, database security falls outside the purview of the IT security function.

Figure 10: Who is Responsible for Database Security?
Database Group 77%
Security Group 56%
Systems Management Group 37%
Application Group 24%
Development Group 19%
No one 2%
Don't know/unsure 4%
Other 4%

Figure 11: Many of the respondents also indicated that they are in regulated businesses, which creates greater urgency for
addressing data security.

Figure 11: Mandates Organizations Must Comply With
Sarbanes-Oxley Act (SOX) 52%
Local state data protection laws 35%
HIPAA/HITECH 32%
Payment Card Industry (PCI) 22%
SAS 70 10%
Other 8%

DATA PRIVACY
Data encryption is still an elusive strategy for many.
Despite regulatory requirements specifically calling for data
encryption of personally identifiable information (PII) such as
Social Security, credit card, and national identifier numbers,
fewer than 30 percent of respondents say they uniformly encrypt
PII stored in their databases. (See Figure 12.) A similar
percentage of respondents also admit that data in transit to their
database is not uniformly encrypted. (See Figure 13.)
Most organizations are still not encrypting backups even
when those backups are sent offsite.
Despite lost backups containing sensitive data making headlines
on a regular basis over the past decade, more than half of the
survey group, 53 percent, report they either don’t encrypt or don’t
know if data that is being backed up or exported is encrypted. (See
Figure 14.) In addition, close to one-third admit that they send
unencrypted database backups or exports offsite, to storage
facilities, business partners, or other data centers. (See Figure 15.)
Organizations need to only look as far as their development
and test environments for data breaches.
PII and other sensitive production data is often found in
these typically insecure environments. Close to two out of five
organizations ship live production data, often containing
sensitive or confidential information, to development teams.
Thirty-seven percent admit to actually using live production
data within non-production environments, such as staging and
development environments. (See Figure 16.) Close to half still
use old production data, which offers little assurance if that
data contains PII such as Social Security numbers or credit card
numbers. In two out of five cases, it either does contain this
kind of data, or respondents aren’t sure of the data content.
(See Figure 17.)
There is increasing awareness around the risk of these
practices. However, most organizations have a long way to go
in terms of best practices.
As shown in Figure 16, about one-third of respondents
indicate that they employ simulated data, or de-identified
production data in non-production environments, up from past
years. Thirty percent use de-identified data, up from 26 percent
in the previous 2009 and 2008 surveys. The use of simulated data,
at 34 percent, is also up from 24 percent a year ago.
Strategies such as data de-identification are not integrated into
data security processes. When it comes to de-identifying data,
most respondents indicated they resort to ad hoc efforts on a
case-by-case basis.
Among the 30 percent of respondents that do de-identify their
production data before it is sent out, most employ manual or ad
hoc processes. Thirty-one percent, for example, use custom
scripts, while 15 percent report they de-identify on an ad hoc
basis. These approaches are costly and error-prone. Another
42 percent either do not de-identify data at all, or simply don’t
know if their companies do so. (See Figure 18.)
Tracking all sensitive data is difficult, even for data
managers.
While most respondents report they are in charge of IT and
data security, only about half have a grasp of where all the
sensitive data resides across their enterprises. (See Figure 19.)


Figures 12 & 13: Data encryption is still an elusive strategy for many.

Figure 12: Is Personal Identity Information Encrypted?
(e.g., Social Security numbers, credit card, national identifier numbers)
Yes, in all databases 29%
Yes, in some databases 34%
No 22%
Don’t know/unsure 16%
Total: 101% due to rounding

Figure 13: Application Data Encrypted on Network to/from Database?
Yes, all database traffic is encrypted 23%
Some database traffic is encrypted 42%
No, database traffic is not encrypted 21%
Don’t know/unsure 14%


Figures 14 & 15: Most organizations are still not encrypting backups even when those backups are sent offsite.

Figure 14: Encrypt All Online and Offline Database Backups and Exports?
Yes, all database backups/exports are encrypted 16%
Some database backups/exports are encrypted 32%
No, database backups/exports are not encrypted 34%
Don’t know/unsure 19%
Total: 101% due to rounding

Figure 15: Send Unencrypted Database Backups or Exports Offsite?
(Storage facilities, business partners, other data centers, etc.)
Yes 32%
No 44%
Don’t know/unsure 24%


Figures 16 & 17: Organizations need to only look as far as their development and test environments for data breaches.

Figure 16: Data Used Within Non-Production Environments
(Such as staging and development environments)
“Old” or outdated production data 48%
“Live” production data 37%
Simulated data 34%
De-identified production data 30%
Sample data provided by the app. vendor or developer 24%
Don’t know/unsure 6%
Other 0%

Figure 17: Does Live or Old Production Data Used Contain Sensitive Information?
(Among respondents using production data within non-production environments. Includes credit card
numbers, Social Security numbers, or customer/employee/partner personal identifiable information)
Yes 28%
No 44%
Not applicable 18%
Don’t know/unsure 11%
Total: 101% due to rounding


Figure 18: There is increasing awareness around the risk of these practices. However, most organizations have a long way
to go in terms of best practices.

Figure 18: Strategies for De-Identifying Data
Using custom scripts 31%
De-identified as part of process 22%
Automated 16%
De-identified on ad hoc basis 15%
Using third-party tools 8%
Ad hoc 7%
We do not de-identify data 20%
Don’t know/unsure 22%
Other 0%

Figure 19: Tracking all sensitive data is difficult, even for data managers.

Figure 19: Aware of all the Databases in Organization that Contain Sensitive Information?
Yes 52%
No 48%

ACCESS CONTROL TO DATA AND DATABASES
There is awareness that “internal” hackers originating
attacks from within the firewall or legitimate users abusing
their privileges represent the greatest risk, threat, or
vulnerability at this time.
Twenty-two percent cite internal hacker threats and another
12 percent see abuse of privileges as high-risk threats, compared
to 13 percent that cite the outside hacker threat. Twelve percent
see the lack of management commitment and lax procedures as
the biggest risk to data in that current issues will not be
addressed. Often, management is concerned about moving
applications and systems as rapidly as possible, with little or no
consideration given to data security. (See Figure 20.)

Three out of four organizations do not have, or are not
aware of, a means to prevent privileged users from tampering
with or compromising data from the inside. Even more
revealing is that many respondents who believe that they have
such a means are in fact relying on detection and recovery,
rather than prevention and real-time enforcement.
About one out of four respondents say they take measures to
prevent database administrators and other privileged database
users from reading or tampering with sensitive information in
financial, HR, or other business applications. (See Figure 21.)
When asked to provide the strategies or techniques used to
prevent privileged users from tampering with sensitive data,
some respondents indicated they were using integrated database
security solutions such as Oracle Database Vault. However, a
majority indicated that they rely on auditing to detect and
recover or “undo” the damage done from such a data breach.
Although preventing tampering from ultimately being successful,
this approach does not actually provide real-time prevention
against access or tampering of data in the first place.

However, when asked for specific techniques, most cite
after-the-fact measures that would remedy such incidents,
but say they could not actually prevent them in real time.
As one respondent described it, such incidents could be rolled
back within 24 hours (but, again, not prevented): “Our DBA GUI
tool requires confirmation before dropping objects, but this can
be bypassed via SQL Plus. This is somewhat mitigated by nightly
backups. All production changes go through change control
process, which requires that back-out procedures to undo the
changes be specified.”
Another respondent reports that in their organization, the
“drop” command has simply “been banned.”

To complicate matters, most companies don’t protect audit
data from unauthorized access so a privileged user could
tamper with audit data to hide their tracks, making even
detection and recovery impossible.
Overall, 57 percent of respondents say that they do not
consolidate—or know if database audit data is consolidated—to
a central secure location to protect it from unauthorized access
or potential tampering by privileged database users. (See Figure
22.) Although 30 percent indicate that they are protecting audit
data from some of their databases, this is not heartening given
earlier data on a lack of knowledge of all databases that contain
sensitive data.

One out of four respondents say there are no safeguards, or
that they aren’t aware of safeguards, to prevent accidental data
breaches.
Not all data breaches are malicious, of course—many are the
result of accidents. In fact, about one out of four respondents
also say that they have safeguards to prevent a database
administrator from accidentally dropping a table or
unintentionally causing harm to critical application databases.
(See Figure 23.)

In fact, two out of three respondents cannot prove or
document that super-users are not abusing their privileges.
Only about one-third of respondents say that they have the
means of proving that database administrators and other
privileged database users at their companies are not abusing
their super-user privileges. (See Figure 24.)

Any database user armed with often very simple tools such
as spreadsheets can also be the source of data breaches.
Database administrators and other IT professionals aren’t the
only people that can compromise data security from the inside.
A database user with common desktop tools can also gain
unauthorized access to sensitive data. Close to half of respondents
say this either could happen in their organizations, or that they
don’t know if it could.
One out of four respondents admitted that database users can
bypass applications and gain access to application data within the
database directly using ad hoc tools. Another 20 percent simply
don’t know if such access is possible in their organizations. (See
Figure 25.)
A number of respondents admitted that such ad hoc tools
were common within their organizations, especially desktop
applications such as Microsoft Access or Microsoft Excel
spreadsheets, which can be used to access databases. One
respondent observed that such access is permitted for
non-sensitive data, but that this restriction cannot be enforced
effectively, allowing access to both sensitive and non-sensitive
data. As another respondent
reported: “We have some application administrators who have
some limited SQL skills from report writing who could
conceivably access the databases without going through the
application.”
Another respondent reported the problem discussed in the
previous section: that data made available to development teams
becomes vulnerable. “In staging and development environments,
developers have full access to the data during development. In
important environments like production, they don’t have access
to anything.”

Figure 20: There is awareness that “internal” hackers originating attacks from within the firewall or legitimate users
abusing their privileges represent the greatest risk, threat, or vulnerability at this time.

Figure 20: Greatest Risks, Threats, Vulnerabilities
(Respondents rating vulnerability as “high”)
Internal hackers or unauthorized users 22%
Malicious code/viruses 10%
Outside hackers 13%
Abuse of privileges by IT staff 12%
Lack of management commitment/lax procedures 12%
Lack of auditability of access and changes 11%
Loss of hardware or media—e.g., disks, tapes, laptops 10%
Abuse by outside partners/suppliers 4%
Fines/lawsuits resulting from inadequate data or security procedures 4%


Figure 21: Three out of four organizations do not have a means to prevent privileged users from tampering with or
compromising data from the inside. Even more revealing is that many respondents who believe that they have such a
means are in fact relying on detection and recovery, rather than prevention and real-time enforcement.

Figure 21: Can Respondents Prevent DBAs/Privileged Database
Users from Reading/Tampering With Sensitive Data in
Financial, HR, or Other Business Applications?
Yes 24%
No 44%

Don’t know/unsure 32%

Figure 22: To complicate matters, most companies don’t protect audit data from unauthorized access so a privileged user
could tamper with audit data to hide their tracks, making even detection and recovery impossible.

Figure 22: Consolidate Database Audit Data to Central Secure
Location?
For some databases 30%

Yes, for all databases 13%

No 36%

Don’t know/unsure 21%


Figure 23: Close to four out of five respondents say there are no safeguards, or that they aren’t aware of safeguards, to
prevent accidental data breaches. However, when asked for specific techniques, most cite after-the-fact measures that
would remedy such incidents, but say they could not actually prevent them in real time.

Figure 23: Have Safeguards to Prevent Unintentional Changes or
Breaches by Privileged Users?
Don’t know/unsure 23%

No 54%

Yes 23%

Figure 24: In fact, two out of three respondents cannot prove or document that super-users are not abusing their privileges.

Figure 24: Can Respondents Prove Super-User Privilege Not
Abusing Privileges?
Yes 32%
No 39%

Don’t know/unsure 28%


Figure 25: Any database user armed with often very simple tools such as spreadsheets can also be the source of data
breaches.

Figure 25: Can Users Bypass Applications and Gain Direct Access
to Data Using Ad Hoc Tools?
Yes 25%
No 56%

Don’t know/unsure 20%
Total: 101% due to rounding

DATABASE ACTIVITY MONITORING AND AUDITING
Seventy percent of respondents rely on native auditing
capabilities—however, no one is really looking at the data.
A majority report they are using native database auditing
solutions to monitor database activity on at least some of their
databases. (See Figure 26.)

Only one out of four have automated tools to monitor
databases for security issues on a regular basis.
At this time, only 25 percent have automated database security
monitoring capabilities. This has not changed since the first
survey was conducted in 2008. (See Figure 27.)

Even among companies monitoring for data security issues,
not enough is being done. Most don’t monitor who is looking at
sensitive data, or who is updating sensitive data.
For those respondents that are monitoring production
databases in some capacity, only about one-third are tracking
who is reading or updating sensitive data stored in their
databases. Close to half of respondents aren’t monitoring all
privileged user activities, even new account creation or structural
database changes, despite numerous regulations that specifically
require such controls. (See Figure 28.)

In one out of four organizations, no one would know if an
unauthorized database change occurred.
In 24 percent of companies in this survey, respondents report
they would not know at all if someone made an unauthorized
database change to their system. Only 30 percent can track
unauthorized changes across their entire portfolio. (See Figure 29.)

For a majority, it may take some time to detect and correct
an unauthorized database change.
Two out of five say they simply don’t know how long it
would take, while 16 percent say it would take more than a
day. Only 12 percent could catch such incidents within the hour,
presumably before a lot of damage could be done. (See Figure 30.)

Likewise, database audits are not something most
organizations are prepared to do.
More than one-third of respondents simply do not know how
long it would take to prepare for a database audit, while another
third say it would take more than a day to prepare all the
necessary reports. Only a handful could audit their databases
within an hour, if needed. (See Figure 31.)

While respondents indicated that they rely heavily on audits
to detect and remedy database security breaches, such audits
are few and far between.
Close to one-third, in fact, only do a database audit once a
year. Almost two out of five say that they either never audit their
databases, or simply don’t know when or if such audits happen.
Only 16 percent say they are done at least once a month. As
one respondent put it: “Every few years we bring in a consulting
company to audit us.” (See Figure 32.)


Figure 26: Seventy percent of respondents rely on native auditing capabilities—however, no one is really looking at the data.

Figure 26: Use Native Database Auditing to Monitor Database
Activity?
Yes, on most databases 37%
No 13%

On some databases 35%
Don’t know/unsure 14%
Total: 99% due to rounding

Figure 27: Only one out of four have automated tools to monitor databases for security issues on a regular basis.

Figure 27: Monitor All Production Databases for Security Issues?
Manually monitor on ad hoc basis 15%
Run tools on an ad hoc basis 15%
Manually monitor on regular basis 11%
Run tools on a regular basis 25%
No 17%
Don’t know/unsure 17%


Figure 28: Even among companies monitoring for data security issues, not enough is being done. Most don’t monitor who is
looking at sensitive data, or who is updating sensitive data.

Figure 28: Production Database Activities Monitored
All privileged user activities 54%
Failed logins 50%
Login/logout 41%
New account creation 40%
Database definition changes (new tables, etc.) 39%
Writes to sensitive tables/columns 37%
Read of sensitive tables/columns 28%
Don't know/unsure 23%
Other 2%

Figure 29: In one out of four organizations, no one would know if an unauthorized database change occurred.

Figure 29: Would Unauthorized Database Change be Detected?
Yes, on most databases 30%
On some databases 46%

No 24%


Figure 30: For a majority, it may take some time to detect and correct an unauthorized database change.

Figure 30: Length of Time to Detect Unauthorized Database Change
< 1 hour 12%
1 to 24 hours 33%
1 to 5 days 10%
> 5 days 6%
Don’t know/unsure 39%

Figure 31: Likewise, database audits are not something most organizations are prepared to do.

Figure 31: Length of Time to Prepare for Database Security
Assessment/Audit
< 1 hour 7%
1 to 24 hours 22%
1 to 5 days 22%
> 5 days 14%
Don’t know/unsure 35%


Figure 32: While respondents indicated that they rely heavily on audits to detect and remedy database security breaches,
such audits are few and far between.

Figure 32: Number of Database Security Assessments/Audits
Per Year
A few times a month 4%
At least once a month 12%
Quarterly 16%
Annually 30%
Never 8%
Don't know/unsure 27%
Other 2%

OPERATIONAL SECURITY
The primary modus operandi employed by hackers is SQL
injection attacks via Web applications. Two out of three data
managers in this survey report they are not prepared or don’t
know if they are prepared to fend off such attacks.

The Verizon 2010 Data Breach Investigations Report² notes
that more than 90 percent of all breached records are due to Web
applications involving SQL injection attacks. While this represents
a major risk for most organizations, only about one-third of
respondents say their organizations have taken steps to ensure their
applications are not subject to SQL injection attacks. (See Figure 33.)

To make matters worse, many organizations are not applying
Critical Patch Updates (CPUs) in a timely fashion, increasing the
risk that an attacker will get a foothold.

An important way to mitigate the threat of security breaches is
by applying security patches—or Critical Patch Updates—as soon
as they become available. However, a majority of respondents do
not apply such patches right away—63 percent report they are at
least a cycle late with CPUs, with 17 percent stating they either
don’t apply patches at all or are unsure when they are applied.
(See Figure 34.)

Figure 33: Taken Steps to Prevent SQL Injection Attacks?
No 22%

Don’t know/unsure 44%

Yes 35%
Total: 101% due to rounding

² 2010 Data Breach Investigations Report, Wade Baker, Mark Goude, et al., Verizon Corp., 2010. http://www.verizonbusiness.com/resources/reports/rp_2010-databreach-report_en_xg.pdf


Figure 34: To make matters worse, many organizations are not applying Critical Patch Updates (CPUs) in a timely fashion,
increasing the risk that an attacker will get a foothold.

Figure 34: How Quickly are Critical Patch Updates Applied to
All Systems?
Typically before the next CPU released (within 1–3 months) 37%
One cycle late (3–6 months) 17%
Two cycles late (6–9 months) 9%
Three cycles late (9–12 months) 3%
Four or more cycles late (more than 1 year) 7%
Within 1 year 4%
We have never applied a CPU 1%
Don't know/unsure 16%
Other 5%

CONCLUSION
Many enterprises are not addressing data security
proactively and are unable to prevent unauthorized access to
data in real time. They are taking measures, often on an ad hoc
basis, to detect suspicious database activity in the hope of being
able to remedy a security problem after the fact. Unfortunately,
that approach is often too little, too late—the data has left the
building!

This survey of 430 members of the Independent Oracle Users
Group finds awareness of internal threats to data, but little being
done to mitigate the risks.
Most organizations in this survey do not effectively track
or monitor the activities of their privileged database users, let alone
prevent data breaches by these insiders. There is a false sense of
security that unauthorized database activity can be “prevented” by
auditing and recovery processes. However, database audits are ad
hoc—and recovery is not always possible or comes at a steep cost.

Many are aware that their organizations have been lucky so
far, but that luck has its limits.

Close to two-thirds of companies either expect to have a data
security incident that they will have to deal with in the next 12
months, or simply don’t know what to expect.
Respondents are aware that there’s a good chance the data will
be compromised, breached, or tampered with. Close to one-third,
31 percent, of the respondents to this survey say that they are
likely to experience a data breach over the coming year. Another
34 percent simply don’t know what the likelihood of a security
incident will be in their organizations. (See Figure 35.)

A number of respondents say that their information is “safe”
because it is not of interest to hackers.
That leaves more than one-third of the respondents, 36
percent, who say they do not expect to experience security
incidents within their data environments. Why not? In comments
related to this question, respondents seemed to rely on the fact
that their databases are not accessible directly from the Internet.
This is a false comfort that may lead to a rude awakening given
the increasing rate of database attacks originating from within the
firewall through SQL injections, malware, and stolen credentials.
But even seemingly uninteresting data may have value in the
wrong hands. As one respondent admitted: “We think we have
thoroughly investigated our outside support providers as well
as our internal support folks. However, one place we see as a
vulnerability is the ability of various people to see what is paid
for different items. If they were to develop a cozy relationship
with a supplier, we feel that the pricing info might be passed on,
thereby weakening our ability to negotiate a lower price on the
goods we purchase.”

In most cases, respondents have either been lucky or have not
been made aware of any data breaches that may have occurred
within their organizations over the past year. (See Figure 36.)
But how long can their luck hold out?

Figure 35: Likelihood of a Data Breach Over the Next 12 Months
Highly unlikely 13%
Somewhat unlikely 23%
Somewhat likely 26%
Inevitable 5%
Don’t know/unsure 34%


Figure 36: Enterprise Data Breached, Compromised or Tampered
With Over the Past Year?

Yes 6%
Not aware of any incidents in past year 79%
Don’t know/unsure 16%
Total: 101% due to rounding

The information in this report has been gathered through Web-based surveys of member and prospective member lists provided by the IOUG, through interviews with knowledgeable
participants in the computer industry and through secondary research of generally available documents, reports and other published media, as well as from earlier studies conducted by
Unisphere Research. Unisphere Research has relied on the accuracy and validity of all information so obtained. Unisphere Research assumes no liability for inaccurate or omitted information

Junyan Wu Healthcare information security control on insider threat proposal
 
Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
 

Viewers also liked

From 'Being Digital' to Becoming a 'Digital Being'
From 'Being Digital' to Becoming a 'Digital Being'From 'Being Digital' to Becoming a 'Digital Being'
From 'Being Digital' to Becoming a 'Digital Being'
Cognizant
 
Procesos recode - Infografía
Procesos recode - InfografíaProcesos recode - Infografía
Procesos recode - Infografía
Manuel Carrera
 
Introducciontic
Introducciontic Introducciontic
Preparing students for their future
Preparing students for their futurePreparing students for their future
Preparing students for their future
Derek Wenmoth
 
Revista programar 37
Revista programar 37Revista programar 37
Revista programar 37
Filipe Bezerra Sousa
 
Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016
Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016
Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016
Samuele Carpene
 
20100427 apestaartjaren3 sensoa
20100427 apestaartjaren3 sensoa20100427 apestaartjaren3 sensoa
20100427 apestaartjaren3 sensoaApestaartjaren
 
PERIÓDICO NACIÓN Nº26
PERIÓDICO NACIÓN Nº26PERIÓDICO NACIÓN Nº26
PERIÓDICO NACIÓN Nº26
guest55aaf5
 
Antonio estrada. las letras no matan
Antonio estrada. las letras no matanAntonio estrada. las letras no matan
Antonio estrada. las letras no matan
avitiadgo
 
IBEW, Utility Industry Meet in the Middle - Marc Aisen
IBEW, Utility Industry Meet in the Middle - Marc AisenIBEW, Utility Industry Meet in the Middle - Marc Aisen
IBEW, Utility Industry Meet in the Middle - Marc Aisen
jeremyreeds
 
Bondia Lleida 15092011
Bondia Lleida 15092011Bondia Lleida 15092011
Bondia Lleida 15092011
Bondia Lleida Sl
 
Fotografos artisticos1
Fotografos artisticos1Fotografos artisticos1
Fotografos artisticos1
vanne2NE1
 
Las mariposas
Las mariposasLas mariposas
Las mariposas
Arely Sanchez
 
Driving Business Excellence through Innovative IT Service Management
Driving Business Excellence through Innovative IT Service ManagementDriving Business Excellence through Innovative IT Service Management
Driving Business Excellence through Innovative IT Service Management
Cognizant
 
Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...
Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...
Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...
Agustin Argelich Casals
 
Pharma Market 22
Pharma Market 22Pharma Market 22
Pharma Market 22
Pharma Market
 
Estimulación temprana
Estimulación tempranaEstimulación temprana
Estimulación temprana
animabel
 
Das Waermepumpen Garant Paket
Das Waermepumpen Garant PaketDas Waermepumpen Garant Paket
Das Waermepumpen Garant Paketguest9b3d2b
 
Blackboard
BlackboardBlackboard
Blackboard
HODA ELEBIARY
 
Motocicletas definitivo
Motocicletas definitivoMotocicletas definitivo
Motocicletas definitivo
Kart Autoeskola
 

Viewers also liked (20)

From 'Being Digital' to Becoming a 'Digital Being'
From 'Being Digital' to Becoming a 'Digital Being'From 'Being Digital' to Becoming a 'Digital Being'
From 'Being Digital' to Becoming a 'Digital Being'
 
Procesos recode - Infografía
Procesos recode - InfografíaProcesos recode - Infografía
Procesos recode - Infografía
 
Introducciontic
Introducciontic Introducciontic
Introducciontic
 
Preparing students for their future
Preparing students for their futurePreparing students for their future
Preparing students for their future
 
Revista programar 37
Revista programar 37Revista programar 37
Revista programar 37
 
Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016
Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016
Civica Gialloblu - PROGRAMMA AMMINISTRATIVO 2016
 
20100427 apestaartjaren3 sensoa
20100427 apestaartjaren3 sensoa20100427 apestaartjaren3 sensoa
20100427 apestaartjaren3 sensoa
 
PERIÓDICO NACIÓN Nº26
PERIÓDICO NACIÓN Nº26PERIÓDICO NACIÓN Nº26
PERIÓDICO NACIÓN Nº26
 
Antonio estrada. las letras no matan
Antonio estrada. las letras no matanAntonio estrada. las letras no matan
Antonio estrada. las letras no matan
 
IBEW, Utility Industry Meet in the Middle - Marc Aisen
IBEW, Utility Industry Meet in the Middle - Marc AisenIBEW, Utility Industry Meet in the Middle - Marc Aisen
IBEW, Utility Industry Meet in the Middle - Marc Aisen
 
Bondia Lleida 15092011
Bondia Lleida 15092011Bondia Lleida 15092011
Bondia Lleida 15092011
 
Fotografos artisticos1
Fotografos artisticos1Fotografos artisticos1
Fotografos artisticos1
 
Las mariposas
Las mariposasLas mariposas
Las mariposas
 
Driving Business Excellence through Innovative IT Service Management
Driving Business Excellence through Innovative IT Service ManagementDriving Business Excellence through Innovative IT Service Management
Driving Business Excellence through Innovative IT Service Management
 
Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...
Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...
Soluciones de comunicaciones orientadas a la reducción de costes y al aumento...
 
Pharma Market 22
Pharma Market 22Pharma Market 22
Pharma Market 22
 
Estimulación temprana
Estimulación tempranaEstimulación temprana
Estimulación temprana
 
Das Waermepumpen Garant Paket
Das Waermepumpen Garant PaketDas Waermepumpen Garant Paket
Das Waermepumpen Garant Paket
 
Blackboard
BlackboardBlackboard
Blackboard
 
Motocicletas definitivo
Motocicletas definitivoMotocicletas definitivo
Motocicletas definitivo
 

Similar to 2010 report data security survey

The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Information
jtfoster
 
The Post-Relational Reality Sets In: 2011 Survey on Unstructured Data
The Post-Relational Reality Sets In: 2011 Survey on Unstructured DataThe Post-Relational Reality Sets In: 2011 Survey on Unstructured Data
The Post-Relational Reality Sets In: 2011 Survey on Unstructured Data
MarkLogic Corporation
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
Chris Ross
 
2010 GISS EY
2010 GISS EY2010 GISS EY
2010 GISS EY
Vladimir Matviychuk
 
IRJET- Data Leak Prevention System: A Survey
IRJET-  	  Data Leak Prevention System: A SurveyIRJET-  	  Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
IRJET Journal
 
A report from the Economist Intelligence UnitThe evolvin.docx
A report from the Economist Intelligence UnitThe evolvin.docxA report from the Economist Intelligence UnitThe evolvin.docx
A report from the Economist Intelligence UnitThe evolvin.docx
bartholomeocoombs
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
Jeremiah Grossman
 
Big data analytics for life insurers
Big data analytics for life insurersBig data analytics for life insurers
Big data analytics for life insurers
dipak sahoo
 
Big_data_analytics_for_life_insurers_published
Big_data_analytics_for_life_insurers_publishedBig_data_analytics_for_life_insurers_published
Big_data_analytics_for_life_insurers_published
Shradha Verma
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
Joseph DeFever
 
The Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent ThemThe Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent Them
Enterprise Technology Management (ETM)
 
2013 Data Protection Maturity Trends: How Do You Compare?
2013 Data Protection Maturity Trends: How Do You Compare?2013 Data Protection Maturity Trends: How Do You Compare?
2013 Data Protection Maturity Trends: How Do You Compare?
Lumension
 
Database Security Analysis
Database Security AnalysisDatabase Security Analysis
Database Security Analysis
Brendan Mc Sweeney
 
Pdf wp-emc-mozyenterprise-hybrid-cloud-backup
Pdf wp-emc-mozyenterprise-hybrid-cloud-backupPdf wp-emc-mozyenterprise-hybrid-cloud-backup
Pdf wp-emc-mozyenterprise-hybrid-cloud-backup
lverb
 
IT Security Risks Survey 2014
IT Security Risks Survey 2014IT Security Risks Survey 2014
IT Security Risks Survey 2014
- Mark - Fullbright
 
Big data analytics and its impact on internet users
Big data analytics and its impact on internet usersBig data analytics and its impact on internet users
Big data analytics and its impact on internet users
Struggler Ever
 
Data Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINALData Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINAL
Joseph White MPA CPM
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an Organization
IJERA Editor
 
Potential Advantages Of An Insider Attack
Potential Advantages Of An Insider AttackPotential Advantages Of An Insider Attack
Potential Advantages Of An Insider Attack
Susan Kennedy
 
Please read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxPlease read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docx
LeilaniPoolsy
 

Similar to 2010 report data security survey (20)

The 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global InformationThe 2011 (ISC)2 Global Information
The 2011 (ISC)2 Global Information
 
The Post-Relational Reality Sets In: 2011 Survey on Unstructured Data
The Post-Relational Reality Sets In: 2011 Survey on Unstructured DataThe Post-Relational Reality Sets In: 2011 Survey on Unstructured Data
The Post-Relational Reality Sets In: 2011 Survey on Unstructured Data
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
2010 GISS EY
2010 GISS EY2010 GISS EY
2010 GISS EY
 
IRJET- Data Leak Prevention System: A Survey
IRJET-  	  Data Leak Prevention System: A SurveyIRJET-  	  Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
A report from the Economist Intelligence UnitThe evolvin.docx
A report from the Economist Intelligence UnitThe evolvin.docxA report from the Economist Intelligence UnitThe evolvin.docx
A report from the Economist Intelligence UnitThe evolvin.docx
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
Big data analytics for life insurers
Big data analytics for life insurersBig data analytics for life insurers
Big data analytics for life insurers
 
Big_data_analytics_for_life_insurers_published
Big_data_analytics_for_life_insurers_publishedBig_data_analytics_for_life_insurers_published
Big_data_analytics_for_life_insurers_published
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
The Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent ThemThe Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent Them
 
2013 Data Protection Maturity Trends: How Do You Compare?
2013 Data Protection Maturity Trends: How Do You Compare?2013 Data Protection Maturity Trends: How Do You Compare?
2013 Data Protection Maturity Trends: How Do You Compare?
 
Database Security Analysis
Database Security AnalysisDatabase Security Analysis
Database Security Analysis
 
Pdf wp-emc-mozyenterprise-hybrid-cloud-backup
Pdf wp-emc-mozyenterprise-hybrid-cloud-backupPdf wp-emc-mozyenterprise-hybrid-cloud-backup
Pdf wp-emc-mozyenterprise-hybrid-cloud-backup
 
IT Security Risks Survey 2014
IT Security Risks Survey 2014IT Security Risks Survey 2014
IT Security Risks Survey 2014
 
Big data analytics and its impact on internet users
Big data analytics and its impact on internet usersBig data analytics and its impact on internet users
Big data analytics and its impact on internet users
 
Data Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINALData Breach Research Plan 72415 FINAL
Data Breach Research Plan 72415 FINAL
 
An Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an OrganizationAn Improved Method for Preventing Data Leakage in an Organization
An Improved Method for Preventing Data Leakage in an Organization
 
Potential Advantages Of An Insider Attack
Potential Advantages Of An Insider AttackPotential Advantages Of An Insider Attack
Potential Advantages Of An Insider Attack
 
Please read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docxPlease read the instructions and source that provided, then decide.docx
Please read the instructions and source that provided, then decide.docx
 

Recently uploaded

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 

Recently uploaded (20)

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 

2010 report data security survey

  • 1. 2010 IOUG DATA SECURITY SURVEY
    By Joseph McKendrick, Research Analyst
    Produced by Unisphere Research, a division of Information Today, Inc.
    September 2010

  • 2. TABLE OF CONTENTS
    Executive Summary (p. 3)
    Overview (p. 4)
    Data Privacy (p. 10)
    Access Control to Data and Databases (p. 15)
    Database Activity Monitoring and Auditing (p. 20)
    Operational Security (p. 25)
    Conclusion (p. 27)

    2010 IOUG Data Security Survey was produced by Unisphere Research and sponsored by Oracle. Unisphere Research is the market research unit of Unisphere Media, a division of Information Today, Inc., publishers of Database Trends and Applications magazine and the 5 Minute Briefing newsletters. To review abstracts of our past reports, visit www.dbta.com/research. Unisphere Media, 229 Main Street, Chatham, NJ 07928. Tel: 973-665-1120, Fax: 973-665-1124, Email: Tom@dbta.com, Web: www.dbta.com.

    Join the IOUG—If you’re not already an IOUG member and would like to continue receiving key information like this, visit the IOUG at w3.ioug.org/join/today for information on how to join this dynamic user community for Oracle applications and database professionals.

    Data collection and analysis performed with SurveyMethods.
  • 3. EXECUTIVE SUMMARY

    Information security is top of mind for all organizations today. Companies recognize that there are severe repercussions to ignoring or undervaluing data security, and most are increasing their investment in security and putting in place measures to protect their information. But are those measures sufficient? And, do those measures really provide the safeguards organizations think they do? According to this year’s survey of 430 members of the Independent Oracle Users Group (IOUG), the answer to both of these questions is “no,” leaving organizations more at risk than they are aware.

    This study of IOUG members’ information security practices was first conducted in 2008, and then again in 2009. This year’s survey,[1] conducted in May 2010 by Unisphere Research, a division of Information Today, Inc., and sponsored by Oracle Corporation, uncovered the following troubling findings:

    ■ Fewer than 30 percent of respondents are encrypting personally identifiable information in all their databases. Although slightly up from last year, this finding is startling given the number of existing data privacy and protection mandates that specifically call for data-at-rest encryption.

    ■ Close to two out of five of respondents’ organizations ship live production data out to development teams and outside parties. However, more than one-third admit that the data is unprotected, or don’t know if it is protected. In many cases, the data consists of sensitive or confidential information.

    ■ Three out of four organizations do not have a means to prevent privileged database users from reading or tampering with HR, financial or other business application data in their databases. Many of those who responded that they could “prevent” such activity indicated that they did so by relying on auditing and recovery process, and were reacting rather than preventing.

    ■ In fact, two out of three respondents admit that they could not actually detect or prove that their database administrators and other privileged database users were not abusing their privileges.

    ■ However, database administrators and other IT professionals aren’t the only people that can compromise data security from the inside. An end user with common desktop tools can also gain unauthorized direct access to sensitive data in the databases. Close to half of respondents say that this either could happen in their organizations, or that they don’t know if it could.

    ■ Almost 64 percent indicate that they either do not monitor database activity, do so on an ad hoc basis, or don’t know if anyone is monitoring. Less than one-third of those monitoring are watching sensitive data reads and writes. As a result, 40 percent of respondents indicate that they are unsure as to how long it would take them to detect and correct unauthorized changes to their data or their databases.

    ■ Overall, two-thirds of companies either expect a data security incident they will have to deal with in the next 12 months, or simply don’t know what to expect.

    What is the greatest risk? “Our greatest risk is probably that of a rogue employee running amok,” says one respondent. “We’d know about it soon enough, but it might be too late to avoid serious damage.” This is a sentiment echoed by many other respondents.

    Some data managers feel that their data is secure mainly because databases are not connected to the Internet—a false comfort that may lead to a rude awakening, especially considering that a majority of organizations admit that they do not apply Critical Patch Updates intended to address security vulnerabilities in a timely manner, or take steps to ensure that all their Internet-facing applications are not subject to SQL injection attacks.

    On the following pages, the detailed survey results are presented by key areas: data privacy, access control, activity monitoring and auditing, and operational security.

    [1] The survey consisted of email messages to IOUG members directing them to a Web-based survey instrument. Respondents were encouraged to provide open-ended responses to further explore the nature of their data security adoption strategies.
  • 4. OVERVIEW
Data managers and professionals in this survey have a range of responsibilities, and come from a range of company sizes. Nine out of 10 respondents have some role to play in corporate data security, and one-third of respondents categorize this role as “extensive.” Respondents also run numerous databases at their sites—one out of five, in fact, runs more than 500 instances of databases. (See Figures 1–5.)

Many organizations move data out to outsourcers for application development, testing and administration. In the current environment, the lines between “insiders” and “outsiders” have blurred. Organizations rely on third-party organizations and contractors to manage and develop systems and applications. More than one-third report that they outsource or offshore their database or application administration functions to an outside provider. (See Figure 6.) Even larger numbers of respondents report that their companies outsource database development and testing. Close to half of respondents, 47 percent, report that they either extensively outsource development or test functions, or they do so on a limited basis. (See Figure 7.) This poses unique challenges in terms of enforcing appropriate controls to sensitive and regulated data.

Organizations are increasing investments in data security. The research shows that data security efforts are recovering from the recent economic downturn. Forty-three percent of companies have increased their IT security-related spending, up from 28 percent in last year’s survey and 41 percent in the 2008 survey. Only nine percent say spending has actually decreased. (See Figure 8.)

Although funding is improving, most IT security programs fail to address the threats to databases. While half of respondents would consider their company’s level of commitment to be “high,” close to one out of six—17 percent— represent their company’s commitment to database security as low or simply aren’t aware of a commitment. Another one-third rank IT security as a lukewarm “medium.” (See Figure 9.)

Database security often doesn’t receive organizations’ full attention as an IT security function. In close to half of the companies surveyed, database security falls outside the purview of the IT security function. Typically, the job of database security falls on the database group, as reported by more than three out of four survey respondents. Just over half of the organizations in this survey indicated that they have a dedicated security group that oversees their database security requirements. (See Figure 10.)

Many of the respondents also indicated that they are in regulated businesses, which creates greater urgency for addressing data security. More than half of the organizations in the survey are charged with fulfilling requirements associated with Sarbanes-Oxley Act (SOX), and more than one-third must comply with state-level data protection laws and HIPAA/HITECH mandates. (See Figure 11.)

Figures 1–5: Data managers and professionals in this survey have a range of responsibilities, and come from a range of company sizes.
Figure 1: Respondents’ Roles in Data Security
Extensive role 33%; Limited or supporting role 58%; No role in data security at this time 9%
  • 5. Figure 2: Respondents’ Job Roles
Professional/Staff: Database Administrator (DBA) 49%; Programmer/Developer 8%; Analyst/Systems Analyst 6%; Data Architect 4%; Systems Administrator 4%; Applications Administrator 2%; IT Consultant for IT Service/Integration Firm 2%; IT Consultant/Independent Contractor 2%
IT Management/Business Management: Director/Manager of IS/IT 7%; CIO/CTO/Vice President of IT 2%; IT Operations Manager 3%; Project Manager 6%; Executive Management Level for the Business 1%
Other 4%

Figure 3: Respondents’ Companies By Number of Employees (Includes all locations, branches, and subsidiaries)
1 to 100 employees 11%; 101 to 500 employees 15%; 501 to 1,000 employees 10%; 1,001 to 5,000 employees 19%; 5,001 to 10,000 employees 13%; More than 10,000 28%; Decline to answer 4%
  • 6. Figure 4: Respondents’ Primary Industries
IT Services/Consulting/Sys. Integration 21%; Utility/Telecommunications/Transport 11%; Education (all levels) 10%; Government (all levels) 10%; Financial Services 7%; Healthcare/Medical 6%; Manufacturing 6%; Software/Application Development 5%; Business Services 4%; Retail/Distribution 4%; Consumer services 3%; High-Tech manufacturing 3%; Insurance 3%; Other 8%

Figure 5: By Number of Databases Run Within Respondents’ Companies
<10 16%; 11 to 100 35%; 101 to 500 19%; 501 to 1,000 7%; >1,000 13%; Don’t know/unsure 10%
  • 7. Figures 6 & 7: Many organizations move data out to outsourcers for application development, testing and administration.
Figure 6: Outsource or Offshore Database/Application Administrative Functions?
Yes, but on a limited basis 26%; Yes, extensively 8%; Don’t know/unsure 5%; No 61%

Figure 7: Outsource or Offshore Database/Application Development or Test Functions?
Yes, but on a limited basis 36%; Yes, extensively 11%; Don’t know/unsure 6%; No 48% (Total: 101% due to rounding)
  • 8. Figure 8: Organizations are increasing investments in data security.
Figure 8: Change in IT Security Spending Over the Past Year
Increased: 43% (2010), 28% (2009), 41% (2008); Decreased: 9% (2010), with 13% and 4% in the two earlier surveys

Figure 9: Although funding is improving, most IT security programs fail to address the threats to databases.
Figure 9: Where Database Security Falls in Terms of IT Security Priorities
Medium 34%; Don’t know/unsure 10%; Low 7%; High 50%
  • 9. Figure 10: Database security often doesn’t receive organizations’ full attention as an IT security function. In close to half of the companies surveyed, database security falls outside the purview of the IT security function.
Figure 10: Who is Responsible for Database Security?
Database Group 77%; Security Group 56%; Systems Management Group 37%; Application Group 24%; Development Group 19%; No one 2%; Don't know/unsure 4%; Other 4%

Figure 11: Many of the respondents also indicated that they are in regulated businesses, which creates greater urgency for addressing data security.
Figure 11: Mandates Organizations Must Comply With
Sarbanes-Oxley Act (SOX) 52%; Local state data protection laws 35%; HIPAA/HITECH 32%; Payment Card Industry (PCI) 22%; SAS 70 10%; Other 8%
  • 10. DATA PRIVACY
Data encryption is still an elusive strategy for many. Despite regulatory requirements specifically calling for data encryption of personally identifiable information (PII) such as Social Security, credit card, and national identifier numbers, fewer than 30 percent of respondents say they uniformly encrypt PII stored in their databases. (See Figure 12.) A similar percentage of respondents also admit that data in transit to their database is not uniformly encrypted. (See Figure 13.)

Most organizations are still not encrypting backups even when those backups are sent offsite. Despite lost backups containing sensitive data making headlines on a regular basis over the past decade, more than half of the survey group, 53 percent, report they either don’t encrypt or don’t know if data that is being backed up or exported is encrypted. (See Figure 14.) In addition, close to one-third admit that they send unencrypted database backups or exports offsite, to storage facilities, business partners, or other data centers. (See Figure 15.)

Organizations need to only look as far as their development and test environments for data breaches. PII and other sensitive production data is often found in these typically insecure environments. Close to two out of five organizations ship live production data, often containing sensitive or confidential information, to development teams. Thirty-seven percent admit to actually using live production data within non-production environments, such as staging and development environments. (See Figure 16.) Close to half still use old production data, which offers little assurance if that data contains PII such as Social Security numbers or credit card numbers. In two out of five cases, it either does contain this kind of data, or respondents aren’t sure of the data content. (See Figure 17.)

There is increasing awareness around the risk of these practices. However, most organizations have a long way to go in terms of best practices. As shown in Figure 16, about one-third of respondents indicate that they employ simulated data, or de-identified production data in non-production environments, up from past years. Thirty percent use de-identified data, up from 26 percent in the previous 2009 and 2008 surveys. The use of simulated data, at 34 percent, is also up from 24 percent a year ago.

Strategies such as data de-identification are not integrated into data security processes. When it comes to de-identifying data, most respondents indicated they resort to ad hoc efforts on a case-by-case basis. Among the 30 percent of respondents that do de-identify their production data before it is sent out, most employ manual or ad hoc processes. Thirty-one percent, for example, use custom scripts, while 15 percent report they de-identify on an ad hoc basis. These approaches are costly and error-prone. Another 42 percent either do not de-identify data at all, or simply don’t know if their companies do so. (See Figure 18.)

Tracking all sensitive data is difficult, even for data managers. While most respondents report they are in charge of IT and data security, only about half have a grasp of where all the sensitive data resides across their enterprises. (See Figure 19.)
  • 11. Figures 12 & 13: Data encryption is still an elusive strategy for many.
Figure 12: Is Personal Identity Information Encrypted? (e.g., Social Security numbers, credit card, national identifier numbers)
Yes, in all databases 29%; Yes, in some databases 34%; No 22%; Don’t know/unsure 16% (Total: 101% due to rounding)

Figure 13: Application Data Encrypted on Network to/from Database?
Yes, all database traffic is encrypted 23%; Don’t know/unsure 14%; No, database traffic is not encrypted 21%; Some database traffic is encrypted 42%
  • 12. Figures 14 & 15: Most organizations are still not encrypting backups even when those backups are sent offsite.
Figure 14: Encrypt All Online and Offline Database Backups and Exports?
Don’t know/unsure 19%; Yes, all database backups/exports are encrypted 16%; Some database backups/exports are encrypted 32%; No, database backups/exports are not encrypted 34% (Total: 101% due to rounding)

Figure 15: Send Unencrypted Database Backups or Exports Offsite? (Storage facilities, business partners, other data centers, etc.)
Yes 32%; Don’t know/unsure 24%; No 44%
  • 13. Figures 16 & 17: Organizations need to only look as far as their development and test environments for data breaches.
Figure 16: Data Used Within Non-Production Environments (Such as staging and development environments)
“Old” or outdated production data 48%; “Live” production data 37%; Simulated data 34%; De-identified production data 30%; Sample data provided by the app. vendor or developer 24%; Don’t know/unsure 6%; Other 0%

Figure 17: Does Live or Old Production Data Used Contain Sensitive Information? (Among respondents using production data within non-production environments. Includes credit card numbers, Social Security numbers, or customer/employee/partner personal identifiable information)
Yes 28%; Don’t know/unsure 11%; Not applicable 18%; No 44% (Total: 101% due to rounding)
  • 14. Figure 18: There is increasing awareness around the risk of these practices. However, most organizations have a long way to go in terms of best practices.
Figure 18: Strategies for De-Identifying Data
Using custom scripts 31%; De-identified as part of process 22%; Automated 16%; De-identified on ad hoc basis 15%; Using third-party tools 8%; Ad hoc 7%; We do not de-identify data 20%; Don’t know/unsure 22%; Other 0%

Figure 19: Tracking all sensitive data is difficult, even for data managers.
Figure 19: Aware of all the Databases in Organization that Contain Sensitive Information?
No 48%; Yes 52%
  • 15. ACCESS CONTROL TO DATA AND DATABASES
There is awareness that “internal” hackers originating attacks from within the firewall or legitimate users abusing their privileges represent the greatest risk, threat, or vulnerability at this time. Twenty-two percent cite internal hacker threats and another 12 percent see abuse of privileges as high-risk threats, compared to 13 percent that cite the outside hacker threat. Twelve percent see the lack of management commitment and lax procedures as the biggest risk to data in that current issues will not be addressed. Often, management is concerned about moving applications and systems as rapidly as possible, with little or no consideration given to data security. (See Figure 20.)

Three out of four organizations do not have, or are not aware of, a means to prevent privileged users from tampering with or compromising data from the inside. Even more revealing is that many respondents who believe that they have such a means are in fact relying on detection and recovery, rather than prevention and real-time enforcement. About one out of four respondents say they take measures to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. (See Figure 21.) When asked to provide the strategies or techniques used to prevent privileged users from tampering with sensitive data, some respondents indicated they were using integrated database security solutions such as Oracle Database Vault. However, a majority indicated that they rely on auditing to detect and recover or “undo” the damage done from such a data breach. Although preventing tampering from ultimately being successful, this approach does not actually provide real-time prevention against access or tampering of data in the first place. However, when asked for specific techniques, most cite after-the-fact measures that would remedy such incidents, but say they could not actually prevent them in real time. As one respondent described it, such incidents could be rolled back within 24 hours (but, again, not prevented): “Our DBA GUI tool requires confirmation before dropping objects, but this can be bypassed via SQL Plus. This is somewhat mitigated by nightly backups. All production changes go through change control process, which requires that back-out procedures to undo the changes be specified.” Another respondent reports that in their organization, the “drop” command has simply “been banned.”

To complicate matters, most companies don’t protect audit data from unauthorized access so a privileged user could tamper with audit data to hide their tracks, making even detection and recovery impossible. Overall, 57 percent of respondents say that they do not consolidate—or know if database audit data is consolidated—to a central secure location to protect it from unauthorized access or potential tampering by privileged database users. (See Figure 22.) Although 30 percent indicate that they are protecting audit data from some of their databases, this is not heartening given earlier data on a lack of knowledge of all databases that contain sensitive data.

One out of four respondents say there are no safeguards, or that they aren’t aware of safeguards, to prevent accidental data breaches. Not all data breaches are malicious, of course—many are the result of accidents. In fact, about one out of four respondents also say that they have safeguards to prevent a database administrator from accidentally dropping a table or unintentionally causing harm to critical application databases. (See Figure 23.)

In fact, two out of three respondents cannot prove or document that super-users are not abusing their privileges. Only about one-third of respondents say that they have the means of proving that database administrators and other privileged database users at their companies are not abusing their super-user privileges. (See Figure 24.)

Any database user armed with often very simple tools such as spreadsheets can also be the source of data breaches. Database administrators and other IT professionals aren’t the only people that can compromise data security from the inside. A database user with common desktop tools can also gain unauthorized access to sensitive data. Close to half of respondents say this either could happen in their organizations, or that they don’t know if it could. One out of four respondents admitted that database users can bypass applications and gain access to application data within the
  • 16. database directly using ad hoc tools. Another 20 percent simply don’t know if such access is possible in their organizations. (See Figure 25.) A number of respondents admitted that such ad hoc tools were common within their organizations, especially in desktop applications such as Microsoft Access or Microsoft Excel spreadsheets which can be used to access databases. One respondent observed that such access is permitted for non-sensitive data but cannot be enforced effectively, allowing access to both sensitive and non-sensitive data. As another respondent reported: “We have some application administrators who have some limited SQL skills from report writing who could conceivably access the databases without going through the application.” Another respondent reported the problem discussed in the previous section: that data made available to development teams becomes vulnerable. “In staging and development environments, developers have full access to the data during development. In important environments like production, they don’t have access to anything.”

Figure 20: There is awareness that “internal” hackers originating attacks from within the firewall or legitimate users abusing their privileges represent the greatest risk, threat, or vulnerability at this time.
Figure 20: Greatest Risks, Threats, Vulnerabilities (Respondents rating vulnerability as “high”)
Internal hackers or unauthorized users 22%; Malicious code/viruses 10%; Outside hackers 13%; Abuse of privileges by IT staff 12%; Lack of management commitment/lax procedures 12%; Lack of auditability of access and changes 11%; Loss of hardware or media—e.g., disks, tapes, laptops 10%; Abuse by outside partners/suppliers 4%; Fines/lawsuits resulting from inadequate data or security procedures 4%
  • 17. Figure 21: Three out of four organizations do not have a means to prevent privileged users from tampering with or compromising data from the inside. Even more revealing is that many respondents who believe that they have such a means are in fact relying on detection and recovery, rather than prevention and real-time enforcement.
Figure 21: Can Respondents Prevent DBAs/Privileged Database Users from Reading/Tampering With Sensitive Data in Financial, HR, or Other Business Applications?
Yes 24%; No 44%; Don’t know/unsure 32%

Figure 22: To complicate matters, most companies don’t protect audit data from unauthorized access so a privileged user could tamper with audit data to hide their tracks, making even detection and recovery impossible.
Figure 22: Consolidate Database Audit Data to Central Secure Location?
For some databases 30%; Yes, for all databases 13%; No 36%; Don’t know/unsure 21%
  • 18. Figure 23: Close to four out of five respondents say there are no safeguards, or that they aren’t aware of safeguards, to prevent accidental data breaches. However, when asked for specific techniques, most cite after-the-fact measures that would remedy such incidents, but say they could not actually prevent them in real time.
Figure 23: Have Safeguards to Prevent Unintentional Changes or Breaches by Privileged Users?
Don’t know/unsure 23%; No 54%; Yes 23%

Figure 24: In fact, two out of three respondents cannot prove or document that super-users are not abusing their privileges.
Figure 24: Can Respondents Prove Super-User Privilege Not Abusing Privileges?
Yes 32%; No 39%; Don’t know/unsure 28%
  • 19. Figure 25: Any database user armed with often very simple tools such as spreadsheets can also be the source of data breaches. Figure 25: Can Users Bypass Applications and Gain Direct Access to Data Using Ad Hoc Tools? Yes 25%; No 56%; Don’t know/unsure 20% (total: 101% due to rounding).
  • 20. DATABASE ACTIVITY MONITORING AND AUDITING Seventy percent of respondents rely on native auditing capabilities—however, no one is really looking at the data. A majority report they are using native database auditing solutions to monitor database activity on at least some of their databases. (See Figure 26.) Only one out of four have automated tools to monitor databases for security issues on a regular basis. At this time, only 25 percent have automated database security monitoring capabilities. This has not changed since the first survey was conducted in 2008. (See Figure 27.) Even among companies monitoring for data security issues, not enough is being done. Most don’t monitor who is looking at sensitive data, or who is updating sensitive data. For those respondents that are monitoring production databases in some capacity, only about one-third are tracking who is reading or updating sensitive data stored in their databases. Close to half of respondents aren’t monitoring all privileged user activities, even new account creation or structural database changes, despite numerous regulations that specifically require such controls. (See Figure 28.) In one out of four organizations, no one would know if an unauthorized database change occurred. In 24 percent of companies in this survey, respondents report they would not know at all if someone made an unauthorized database change to their system. Only 30 percent can track unauthorized changes across their entire portfolio. (See Figure 29.) For a majority, it may take some time to detect and correct an unauthorized database change. Two out of five say they simply don’t know how long it would take, while 16 percent say it would take more than a day. Only 12 percent could catch such incidents within the hour, presumably before a lot of damage could be done. (See Figure 30.) Likewise, database audits are not something most organizations are prepared to do. More than one-third of respondents simply do not know how long it would take to prepare for a database audit, while another third say it would take more than a day to prepare all the necessary reports. Only a handful could audit their databases within an hour, if needed. (See Figure 31.) While respondents indicated that they rely heavily on audits to detect and remedy database security breaches, such audits are few and far between. Close to one-third, in fact, only do a database audit once a year. Almost two out of five say that they either never audit their databases, or simply don’t know when or if such audits happen. Only 16 percent say they are done at least once a month. As one respondent put it: “Every few years we bring in a consulting company to audit us.” (See Figure 32.)
  • 21. Figure 26: Seventy percent of respondents rely on native auditing capabilities—however, no one is really looking at the data. Figure 26: Use Native Database Auditing to Monitor Database Activity? Yes, on most databases 37%; No 13%; On some databases 35%; Don’t know/unsure 14% (total: 99% due to rounding). Figure 27: Only one out of four have automated tools to monitor databases for security issues on a regular basis. Figure 27: Monitor All Production Databases for Security Issues? Manually monitor on ad hoc basis 15%; Run tools on an ad hoc basis 15%; Manually monitor on regular basis 11%; Run tools on a regular basis 25%; No 17%; Don’t know/unsure 17%.
  • 22. Figure 28: Even among companies monitoring for data security issues, not enough is being done. Most don’t monitor who is looking at sensitive data, or who is updating sensitive data. Figure 28: Production Database Activities Monitored. All privileged user activities 54%; Failed logins 50%; Login/logout 41%; New account creation 40%; Database definition changes (new tables, etc.) 39%; Writes to sensitive tables/columns 37%; Read of sensitive tables/columns 28%; Don't know/unsure 23%; Other 2%. Figure 29: In one out of four organizations, no one would know if an unauthorized database change occurred. Figure 29: Would Unauthorized Database Change be Detected? Yes, on most databases 30%; On some databases 46%; No 24%.
  • 23. Figure 30: For a majority, it may take some time to detect and correct an unauthorized database change. Figure 30: Length of Time to Detect Unauthorized Database Change. < 1 hour 12%; 1 to 24 hours 33%; 1 to 5 days 10%; > 5 days 6%; Don’t know/unsure 39%. Figure 31: Likewise, database audits are not something most organizations are prepared to do. Figure 31: Length of Time to Prepare for Database Security Assessment/Audit. < 1 hour 7%; 1 to 24 hours 22%; 1 to 5 days 22%; > 5 days 14%; Don’t know/unsure 35%.
  • 24. Figure 32: While respondents indicated that they rely heavily on audits to detect and remedy database security breaches, such audits are few and far between. Figure 32: Number of Database Security Assessments/Audits Per Year. A few times a month 4%; At least once a month 12%; Quarterly 16%; Annually 30%; Never 8%; Don't know/unsure 27%; Other 2%.
  • 25. OPERATIONAL SECURITY The primary modus operandi employed by hackers is SQL injection attacks via Web applications. Two out of three data managers in this survey report they are not prepared or don’t know if they are prepared to fend off such attacks. The Verizon 2010 Data Breach Investigations Report (footnote 2) notes that more than 90 percent of all breached records are due to Web applications involving SQL injection attacks. While this represents a major risk for most organizations, only about one-third of respondents say their organizations have taken steps to ensure their applications are not subject to SQL injection attacks. (See Figure 33.) To make matters worse, many organizations are not applying Critical Patch Updates (CPUs) in a timely fashion, increasing the risk that an attacker will get a foothold. An important way to mitigate the threat of security breaches is by applying security patches—or Critical Patch Updates—as soon as they become available. However, a majority of respondents do not apply such patches right away—63 percent report they are at least a cycle late with CPUs, with 17 percent stating they either don’t apply patches at all or are unsure when they are applied. (See Figure 34.) Figure 33: Taken Steps to Prevent SQL Injection Attacks? No 22%; Don’t know/unsure 44%; Yes 35% (total: 101% due to rounding). Footnote 2: 2010 Data Breach Investigations Report, Wade Baker, Mark Goude, et al., Verizon Corp., 2010. http://www.verizonbusiness.com/resources/reports/rp_2010-databreach-report_en_xg.pdf
  • 26. Figure 34: To make matters worse, many organizations are not applying Critical Patch Updates (CPUs) in a timely fashion, increasing the risk that an attacker will get a foothold. Figure 34: How Quickly are Critical Patch Updates Applied to All Systems? Typically before the next CPU released (within 1–3 months) 37%; One cycle late (3–6 months) 17%; Two cycles late (6–9 months) 9%; Three cycles late (9–12 months) 3%; Four or more cycles late (more than 1 year) 7%; Within 1 year 4%; We have never applied a CPU 1%; Don't know/unsure 16%; Other 5%.
  • 27. CONCLUSION Many enterprises are not addressing data security proactively and are unable to prevent unauthorized access to data in real-time. They are taking measures, often on an ad hoc basis, to detect suspicious database activity in the hope of being able to remedy a security problem after the fact. Unfortunately, that approach is often too little, too late—the data has left the building! This survey of 430 members of the Independent Oracle Users Group finds awareness of internal threats to data, but little being done to mitigate the risks. Most organizations in this survey do not effectively track or monitor the activities of their privileged database users, let alone prevent data breaches by these insiders. There is a false sense of security that unauthorized database activity can be “prevented” by auditing and recovery processes. However, database audits are ad hoc—and recovery is not always possible or comes at a steep cost. Many are aware that their organizations have been lucky so far, but that luck has its limits. Close to two-thirds of companies either expect to have a data security incident that they will have to deal with in the next 12 months, or simply don’t know what to expect. Respondents are aware that there’s a good chance the data will be compromised, breached, or tampered with. Close to one-third, 31 percent, of the respondents to this survey say that they are likely to experience a data breach over the coming year. Another 34 percent simply don’t know what the likelihood of a security incident will be in their organizations. (See Figure 35.) A number of respondents say that their information is “safe” because it is not of interest to hackers. That leaves more than one-third of the respondents, 36 percent, who say they do not expect to experience security incidents within their data environments. Why not? In comments related to this question, respondents seemed to rely on the fact that their databases are not accessible directly from the Internet. This is a false comfort that may lead to a rude awakening given the increasing rate of database attacks originating from within the firewall through SQL injections, malware, and stolen credentials. But even seemingly uninteresting data may have value in the wrong hands. As one respondent admitted: “We think we have thoroughly investigated our outside support providers as well as our internal support folks. However, one place we see as a vulnerability is the ability of various people to see what is paid for different items. If they were to develop a cozy relationship with a supplier, we feel that the pricing info might be passed on, thereby weakening our ability to negotiate a lower price on the goods we purchase.” In most cases, respondents have either been lucky or have not been made aware of any data breaches that may have occurred within their organizations over the past year. (See Figure 36.) But how long can their luck hold out? Figure 35: Likelihood of a Data Breach Over the Next 12 Months. Highly unlikely 13%; Somewhat unlikely 23%; Somewhat likely 26%; Inevitable 5%; Don’t know/unsure 34%.
  • 28. Figure 36: Enterprise Data Breached, Compromised or Tampered With Over the Past Year? Yes 6%; Not aware of any incidents in past year 79%; Don’t know/unsure 16% (total: 101% due to rounding). The information in this report has been gathered through Web-based surveys of member and prospective member lists provided by the IOUG, through interviews with knowledgeable participants in the computer industry and through secondary research of generally available documents, reports and other published media, as well as from earlier studies conducted by Unisphere Research. Unisphere Research has relied on the accuracy and validity of all information so obtained. Unisphere Research assumes no liability for inaccurate or omitted information