Database vulnerabilities: where does negligence fit in?

24 October 2022

Are database administrators negligent? By not applying security patches promptly, they could be playing into the hands of attackers. But that is a thin tree hiding a growing forest of technical complexity and ever-shrinking security budgets.

A Bleak French Assessment

No one is fooled. The state has undertaken significant investigative work on cybersecurity, culminating in the Senate report of June 10, 2021, titled Cybersecurity of Companies — Prevent and Cure: What Remedies Against Cyber Viruses?
This report reveals that our increasingly digitized businesses are, unsurprisingly, more frequently targeted by cyberattacks, that cyber risk can be deadly to a business, and that awareness remains uneven. It highlights a shortage of human resources, a glaring lack of security culture among employees, and SMEs ill-equipped to face the threat. The report also regrets the absence of a true cybersecurity ecosystem, tools tailored to different types of businesses, and the obstacles to their development posed by current public procurement laws. It’s common to hear that the French are excellent engineers but poor salespeople, and that free competition doesn’t make their job easier. But it’s not just about that.

What Exasperates Every Database Administrator

Among the many cases of compromise, databases — holding data ranging from the most sensitive to the most operational — are, of course, seen by attackers as a prime target. They also represent a somewhat unique case within an IT system: based on restricted access systems — at least under Unix — they provide a sense of security undermined by years of habits that have evolved more or less inappropriately, from times when cyber risk was either rare or poorly understood.

Several articles in recent years have highlighted vulnerabilities affecting on-premises databases and reminded us that vigilant application of patches is a fundamental principle of security. The responses have been swift and have strongly rejected what their authors see as a facile vendor argument.
A database administrator would certainly be exasperated reading these articles. As a guardian of increasingly complex security, they are tasked with managing and protecting assets whose compromise could lead to significant and serious damage. They must also navigate increasingly strict regulations within a framework that is ill-suited to new constraints.

Speaking of Negligence Ignores On-the-Ground Constraints
Database security is not just about external malice. Compromise can occur from within at any time, often due to personal interests. Administrators, as those responsible, are also more frequently targeted by phishing attempts and must be increasingly vigilant against sophisticated emails they receive.
They know they must restrict access to databases, yet the growing agility needs of the business push them to grant multiple accesses over time, as software implementations and operational actions must continue.
Many administrators inherit systems in place for years, for which no audits have been conducted. Don’t assume that a lack of information is due to negligence. The desire to control access more finely and limit the number of permissions, no matter how strong, inevitably faces the reality of an enormous project, too costly — especially in time — to become a priority. How many have attempted the task during an upgrade only to backtrack?
And all of this is underpinned by the existence of all these software packages within the IT system without which the business cannot function, and whose specific update and evolution cycle rarely aligns with that of the databases. How many still maintain unsupported versions essential to a legacy application that no longer evolves? Quite a few, it seems. This is the reality of a business.

The Cost of Hygiene Measures
Yes, the application of patches, as much as possible, is required. But let’s be honest, there are many other methods by which an attacker can gain access to a database. Just like the Senate report suggests, there is at the heart of the business a refusal to recognize the full extent of the risk and invest accordingly.
The exasperation is palpable and understandable. Systems are increasingly complex, with each element introducing its own vulnerability. The challenge today is to remain pragmatic, to maintain reasonable caution, without falling into paranoia, even though current events encourage it, along with the growing list of penalties imposed under increasingly stringent regulations.

A lack of control over the IT system can give administrators the uncomfortable feeling of being vulnerable at any moment, while the focus remains on keeping services running and evolving. However, nothing will change unless the administrators at the helm are given more time tomorrow than they have today to dedicate to patches and to a whole series of supporting measures. Trade-offs, data encryption, access control, and audits of inadequately secured solutions that will ultimately have to be retired are all essential IT hygiene measures. While they consume resources (people, time, budget), they also send a strong message of trust to the business that imposes them.
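The access audit the previous paragraphs describe as too costly to start, and the hygiene measures listed here, become tractable once the inventory exists in a queryable form. As an added example (not part of the article, and not tied to any particular database product), the following Python script reads a constructed inventory of grants and engine versions and flags grants to PUBLIC, blanket ALL/SUPERUSER privileges, roles that still hold grants despite long inactivity, and versions past end of support. The CSV layout, the column names, the 90-day staleness threshold and every sample row are this example's own assumptions.

```python
"""Privilege and lifecycle audit over a constructed grant inventory.

Assumed input format (this example's own, not a vendor export):
  grants:   role,database,object,privilege,last_login_days
  versions: database,engine,version,end_of_support_days_ago
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample rows, as a DBA might assemble them from system catalogues.
GRANTS_CSV = """role,database,object,privilege,last_login_days
app_orders,erp,orders,SELECT,1
app_orders,erp,orders,INSERT,1
legacy_batch,erp,*,ALL,412
PUBLIC,erp,customers,SELECT,0
dba_marie,erp,*,SUPERUSER,3
reporting,erp,customers,SELECT,9
"""

VERSIONS_CSV = """database,engine,version,end_of_support_days_ago
erp,examplesql,9.2,730
crm,examplesql,14.1,-365
"""

STALE_AFTER_DAYS = 90                      # assumed policy threshold
BROAD_PRIVILEGES = {"ALL", "SUPERUSER"}    # privileges that bypass object-level control


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    subject: str    # role or database the finding concerns
    reason: str


def parse_csv(text: str) -> list[dict]:
    """Parse an inline CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_grants(rows: list[dict]) -> list[Finding]:
    """Flag grants to PUBLIC, blanket privileges, and grants held by inactive roles."""
    findings = []
    stale_reported = set()  # one staleness finding per role, not per grant row
    for r in rows:
        role, db, obj, priv = r["role"], r["database"], r["object"], r["privilege"]
        days_idle = int(r["last_login_days"])
        if role.upper() == "PUBLIC":
            findings.append(Finding("high", f"PUBLIC on {db}.{obj}",
                                    "privilege granted to every account"))
        if priv in BROAD_PRIVILEGES and obj == "*":
            findings.append(Finding("high", role,
                                    f"{priv} on all objects of {db}; confirm still required"))
        if days_idle > STALE_AFTER_DAYS and role not in stale_reported:
            stale_reported.add(role)
            findings.append(Finding("medium", role,
                                    f"no login for {days_idle} days but still holds grants"))
    return findings


def audit_versions(rows: list[dict]) -> list[Finding]:
    """Flag engines whose vendor support ended in the past."""
    return [
        Finding("high", r["database"],
                f"{r['engine']} {r['version']} unsupported for "
                f"{r['end_of_support_days_ago']} days")
        for r in rows
        if int(r["end_of_support_days_ago"]) > 0
    ]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, for a one-line report to management."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    all_findings = audit_grants(parse_csv(GRANTS_CSV)) + audit_versions(parse_csv(VERSIONS_CSV))
    for f in all_findings:
        print(f"[{f.severity}] {f.subject}: {f.reason}")
    print(summarize(all_findings))
```

Run against a real export, the same three checks give the administrator a prioritised list rather than an open-ended project: the PUBLIC and blanket grants are the quick wins, the idle roles are candidates for removal after a short grace period, and the unsupported engines feed the budget argument made in the next section.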

If There Is Negligence, It Starts at the Top
If negligence is to be found, it starts first and foremost at the highest level, where budgets are denied. The digital companies' union NUMEUM sets a security budget ranging from 5% to 20% of the IT budget, depending on the sector, for security to be effective and for the security team and its administrators not to be turned into scapegoats. This is also an important point to check, and good advice to give to any engineer applying for a digital security position.
