Survey finds thousands of database servers open to attack

Security expert David Litchfield found hundreds of thousands of Microsoft SQL Server and Oracle database servers available on the Internet and not protected by a firewall.

SAN FRANCISCO -- A new report from security guru David Litchfield shows that thousands of Microsoft SQL Server and Oracle database servers can be accessed on the Internet, lack critical updates and are vulnerable to attack.

Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., examined the number of Microsoft SQL Server and Oracle database servers that are on the Internet and not protected by a firewall. The report, called "The Database Exposure Survey 2007," found that about 368,000 Microsoft SQL Servers and 124,000 Oracle database servers were directly accessible on the Internet and not protected by a firewall. The survey was last conducted in 2005.

"In the author's opinion, these findings represent a significant risk," Litchfield said. "Whilst it's not possible to say how many of these systems are engaged in a commercial function, with just under half a million servers accessible there is clearly potential for external hackers and criminals to gain access to these systems and to sensitive information."

Litchfield said 66% of the Oracle database servers found were running versions with known critical vulnerabilities. He said 82% of the SQL Servers were running SQL Server 2000, and only 46% were running Service Pack 4, with the remainder on Service Pack 3a or earlier. DBAs are also failing to deploy hotfixes and are instead waiting for service packs for SQL Server, he said.

"It may be the case that many database administrators don't even know that their systems are accessible over the Internet," Litchfield said.

In addition, the number of SQL Server databases at risk has increased significantly since the survey was last conducted in 2005, Litchfield said. There were around 210,000 unprotected SQL Servers in 2005 and today the survey found about 368,000 at risk.

Database administrators attending Oracle OpenWorld 2007 weren't surprised by the results of the survey. DBAs often stand up a test server without realizing it is reachable from the Internet and open to attack, said Tim Spoddard, a DBA with a Midwestern retailer.

"It's a good reminder to take a look at your systems," Spoddard said. "In this day and age you want to close off the attack vectors to avoid a breach."

Andy Lehman, a DBA based in San Jose, Calif., said most database servers accessible on the Internet likely don't contain sensitive information. Still, they should be locked down and separated from critical systems, he said.

"If they're not updated and have critical flaws, they probably don't contain anything worth stealing," he said. "It still provides a jumping-off point for an attacker."

Litchfield said database servers should be tested to make sure they can't be accessed from the Internet. Also, any external access to database servers should be controlled by a firewall so that only connections from set IP addresses or address ranges are allowed, he said.
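As an added illustration of the two controls Litchfield recommends (an external reachability test and a firewall allowlist), and not code from the report or the article: a small Python check that reports whether a listener answers from the vantage point it is run from, evaluates an allowlist of addresses or CIDR ranges, and renders matching nftables rules. The default ports (1433 for SQL Server, 1521 for Oracle), the sample address ranges and the rule shape are assumptions for the example.

```python
import ipaddress
import socket

# Default listener ports for the two products the survey counted (assumed
# defaults; an instance configured on another port needs that port instead).
DB_PORTS = {"mssql": 1433, "oracle": 1521}


def port_reachable(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds from this vantage point.
    Run from outside the perimeter, a True result means the listener is exposed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def source_allowed(src_ip, allowlist):
    """Firewall policy from the article: only set addresses or ranges may connect.
    Single addresses in the allowlist are treated as /32 (or /128) networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def audit_sources(sources, allowlist):
    """Split observed client addresses into permitted and unexpected ones,
    e.g. when reviewing who has been connecting to a listener."""
    permitted = [s for s in sources if source_allowed(s, allowlist)]
    unexpected = [s for s in sources if not source_allowed(s, allowlist)]
    return permitted, unexpected


def nft_rules(allowlist, ports=DB_PORTS):
    """Render nftables rules that accept the allowlist on the DB ports and drop
    every other source; intended to be placed in an input chain."""
    port_set = ", ".join(str(p) for p in sorted(ports.values()))
    src_set = ", ".join(allowlist)
    return [
        f"tcp dport {{ {port_set} }} ip saddr {{ {src_set} }} accept",
        f"tcp dport {{ {port_set} }} drop",
    ]


if __name__ == "__main__":
    # Constructed sample: two trusted ranges and three observed client addresses.
    trusted = ["10.0.0.0/8", "192.0.2.0/24"]
    seen = ["10.1.2.3", "198.51.100.7", "192.0.2.44"]
    print("permitted/unexpected:", audit_sources(seen, trusted))
    print("\n".join(nft_rules(trusted)))
    print("1433 open on localhost:", port_reachable("127.0.0.1", DB_PORTS["mssql"]))
```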

Join the conversation

It is indeed time to take a look at our systems and take steps to prevent any such attacks.

Not surprising at all for smaller companies, but you should think major companies, like those that had data breaches in the last year, would have better security. Maybe they just have an "it's too small a percentage to worry about" attitude. They are wrong.