Nearly half (46%) of the world’s on-premises databases contain known vulnerabilities — most of which are high or critical severity, according to a new five-year study from Imperva.
The security vendor scanned 27,000 databases globally over five years and discovered that they contained 26 vulnerabilities each on average. Some 56% of these were ranked in the top two severity categories, meaning they could lead to serious compromise if exploited.
Some CVEs have not been addressed for several years, Imperva claimed.
Despite the growing popularity of cloud-based platforms, the news is concerning, as most organizations continue to store their most sensitive data on-premises, according to Elad Erez, chief innovation officer at Imperva.
“While organizations stress publicly how much they invest in security, our extensive research shows that most are failing,” he added.
“Too often, organizations overlook database security because they’re relying on native security offerings or outdated processes. Given that nearly one out of two on-prem databases is vulnerable, it is very likely that the number of reported data breaches will continue to grow, and the significance of these breaches will increase too.”
A standard route to compromising non-publicly accessible databases is via web application vulnerabilities such as SQLi or phishing and malware designed to give attackers a foothold into networks.
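To make the SQLi route concrete from the defender's side, here is an added example (not code from the article or from Imperva) contrasting a lookup built by string concatenation with the same lookup using a parameterized query. It uses Python's standard `sqlite3` module against a constructed in-memory table; the table contents and the inputs are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory accounts table (sample data, not study data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.test"),
            (2, "bob", "bob@example.test"),
            (3, "carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Concatenation: the caller's input becomes part of the SQL text itself."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign and a malformed input; return row counts."""
    conn = make_db()
    benign = "alice"
    # Constructed input containing a quote and an OR clause; when concatenated it
    # rewrites the WHERE condition so that every row matches.
    malformed = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_malformed": len(lookup_safe(conn, malformed)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The concatenated version returns the whole table for the malformed input, which is exactly the kind of over-broad read that turns a web bug into a database breach; the parameterized version returns nothing because the input is compared literally. The same binding pattern applies to any database driver, and pairing it with a database account that holds only the privileges the application needs limits what even a successful injection can reach.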
Compromising publicly exposed databases is even easier: attackers can scan for exposed targets with tools like Shodan before deploying exploit code, Imperva warned.
“Attackers now have access to a variety of tools that equip them with the ability to take over an entire database, or use a foothold into the database to move laterally throughout a network,” said Erez.
“The explosive growth in data breaches is evidence that organizations are not investing enough time or resources to truly secure their data. The answer is to build a security strategy that puts the protection of data at the center of everything.”
France was by far the worst global offender by percentage of vulnerable databases (84%) and, with an average of 72 bugs per database, was second only to China (74).