Where are the DBAs?

Wednesday, October 07, 2009

Infosec Island Admin


What I really want to know is this: Where are the Database Admins (DBAs) these days?

I can't tell you how many times in the past 18 months I've found real enterprises running vulnerable databases with default passwords, weak passwords, and no real permissions management.

It’s bad enough that the stats right now are this (so I guess I can tell you):

- 9 out of 10 organizations have a Microsoft SQL Server database with a blank "sa" password (or an sa password of "sa", "sql" or "password")

- 9 out of 10 organizations have a Postgres database with a default password

- 9 out of 10 organizations have a Sybase database with a default password

- Several default Microsoft SQL Server 2000 installations. Do you remember SQL Slammer/Sapphire? Yup…still out there

- Oracle Listener services not requiring authentication, which means anyone with network access can shut down the DB server

- The common practice of NOT patching a DB server or deploying anti-virus. For Microsoft SQL Servers, exploit an unpatched Windows vulnerability and "poof": a Terminal Services session and full control of the database (or fall prey to Slammer 7 years after the fact)

- No defined DBA position: application developers or system admins are the DB admins. No wonder I see this so often

- Storing passwords unencrypted. I've seen this in MAJOR software vendors' DB implementations
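
An added audit query, not from the original post, that a DBA can run against their own SQL Server instance to find the blank and default "sa"-style passwords listed above. It assumes SQL Server 2005 or later (where `sys.sql_logins` and `PWDCOMPARE` exist) and a login allowed to read password hashes, such as a member of sysadmin.

```sql
-- Audit SQL-authenticated logins for the weak passwords named in the post.
-- PWDCOMPARE() returns 1 when the clear-text string matches the stored hash,
-- so this checks a short list of known-bad values; it is not a cracker.
SELECT
    l.name,
    CASE
        WHEN PWDCOMPARE('',         l.password_hash) = 1 THEN 'blank password'
        WHEN PWDCOMPARE(l.name,     l.password_hash) = 1 THEN 'password equals login name'
        WHEN PWDCOMPARE('sa',       l.password_hash) = 1 THEN 'password is "sa"'
        WHEN PWDCOMPARE('sql',      l.password_hash) = 1 THEN 'password is "sql"'
        WHEN PWDCOMPARE('password', l.password_hash) = 1 THEN 'password is "password"'
        WHEN l.is_policy_checked = 0                     THEN 'Windows password policy not enforced'
    END AS finding,
    l.is_disabled,           -- 1 = login cannot be used; still worth fixing the password
    l.is_policy_checked,     -- 0 = CHECK_POLICY OFF, complexity/lockout rules skipped
    l.is_expiration_checked  -- 0 = CHECK_EXPIRATION OFF, password never expires
FROM sys.sql_logins AS l
WHERE PWDCOMPARE('',         l.password_hash) = 1
   OR PWDCOMPARE(l.name,     l.password_hash) = 1
   OR PWDCOMPARE('sa',       l.password_hash) = 1
   OR PWDCOMPARE('sql',      l.password_hash) = 1
   OR PWDCOMPARE('password', l.password_hash) = 1
   OR l.is_policy_checked = 0
ORDER BY l.name;

-- Separately, confirm whether SQL authentication is enabled at all:
-- 1 = Windows authentication only (sa and other SQL logins cannot be used
--     over the network), 0 = mixed mode, so the findings above are reachable.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
```

Any row returned is a login to fix with `ALTER LOGIN ... WITH PASSWORD = ..., CHECK_POLICY = ON`, and an `sa` row in particular is the case the post's first statistic describes.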

This is just the short list, but with all of the other ways to get access to a database through the applications connected to it, why has the industry at large neglected the baseline security parameters of database administration? Is being a DBA just not sexy enough these days? Is there a shortage of qualified DBAs? Can most organizations even afford a good DBA?

Forget the whole database optimization/normalization value of employing a DBA; the security implications of leaving DBA tasks in the hands of developers and engineers are massive on their own.

Am I the only one seeing this, or can you relate?

Tuomo Stauffer: Correct, but remember, administrators were called operators not so long ago. So they are not even supposed to think about security except where it belongs to their task, which is administration(!). Of course, the basics, but what I see in DBA certification, training, etc. (no education!) today is how to use a product, how to configure, how to script, how to run a tool, whatever - (almost) not a word about security, capacity, reliability, and so on - just trust the provider (certificate!)

So, maybe administrators should stay administering (operating) databases but where are the analysts, architects, database designers, security oversight, etc?