Typical on-premise database riddled with 26 weak points

Nearly half (46%) of all on-premises databases globally are vulnerable to attack, results from a five-year study conducted by Imperva Research Labs show.

The study covered nearly 27,000 scanned databases and results showed that more than half (56%) of the common vulnerabilities and exposures (CVEs) found were ranked as “high” or “critical” severity, aligned with guidelines from the National Institute of Standards and Technology (NIST) in the United States.

Imperva said this indicates that many organisations are not prioritising the security of their data and are neglecting routine patching exercises. Based on Imperva scans, some CVEs have gone unaddressed for three or more years.

“While organisations stress publicly how much they invest in security, our extensive research shows that most are failing,” said Elad Erez, CIO of Imperva.

“Too often, organisations overlook database security because they’re relying on native security offerings or outdated processes,” said Erez. “Although we continue to see a major shift to cloud databases, the concerning reality is that most organizations rely on on-premises databases to store their most sensitive data.”

Regional analysis uncovers significant disparities between nations, with countries such as France (84%), Australia (65%) and Singapore (64%) having much higher incidences of insecure databases. 

However, in countries such as Germany and Mexico, while the number of insecure databases is relatively low, those that are vulnerable are well above the average in the number of vulnerabilities that can be exploited.

A separate study by Imperva Research Labs earlier this year found that the number of data breaches is growing by 30% annually while the number of records compromised increases by an average of 224%. 

For non-publicly accessible databases, attackers can use a range of techniques such as SQL injection (SQLi) to exploit vulnerabilities in web applications that are connected to a database. This remains a consistent business threat, as nearly 50% of breaches in the past several years originated at the application layer.

When it comes to public databases, the threat is even greater, as exploiting them requires even less effort. Attackers can search for vulnerable targets through tools such as Shodan and acquire exploit code through repositories like ExploitDB, which hold hundreds of pieces of proof-of-concept (POC) code.

An analysis of data breaches since 2017 shows that a majority (74%) of the data stolen in a breach is personal data, while login credentials (15%) and credit card details (10%) are also lucrative targets.

“Attackers now have access to a variety of tools that equip them with the ability to take over an entire database, or use a foothold into the database to move laterally throughout a network,” said Erez.

“The explosive growth in data breaches is evidence that organizations are not investing enough time or resources to truly secure their data,” he added.