Thousands of internet-connected databases contain high or critical CVEs, says report by cloud security biz

After spending five years poring over port scan results, infosec firm Imperva reckons there are about 12,000 vulnerability-containing databases accessible through the internet. The study also found that, of the 46 per cent of 27,000 databases scanned, just over half that number contained "high" or "critical" vulns as defined by …

  1. elsergiovolador Silver badge

    Think of the databases

    Given that authoritarianism is no longer something that is frowned upon by the current elites, and that they like to use fear and security as an excuse to advance the agenda of total control, it's not a far-fetched idea that in the not-so-distant future only the government will be allowed to run databases.

    This means your tech company will have to apply for a database, state its purpose, what kind of data it is going to hold and what RDBMS will be required and so on. Then the company will get the keys and will be able to store e.g. customer data in a "secure" database to "protect" citizens, but everything will be looked after by a dedicated agency and the government will be able to see what the population is up to.

    1. Wellyboot Silver badge

      Re: Think of the databases

      Just to be clear, are you using the term 'elites' as a description for the self-aggrandizing power-hungry numpties and hangers-on that we get to choose between at election time, or the self-aggrandizing power-hungry numpties and hangers-on that run big tech?

      1. elsergiovolador Silver badge

        Re: Think of the databases

        I mean both. They are intertwined. I am sure any of the big tech companies would love to run such a project - it will keep competition at bay, it will get extra revenue - possibly an opportunity for politicians to use taxpayer money to subsidise those databases for "startups" and get PR, they will have leverage when it comes to avoiding paying taxes (we know we don't pay tax, but we can also turn the lights off and what are you gonna do?), more data to train AI... the list of mutual benefits is probably endless...

  2. noisy_typist

    Port scan results

    So the universe of databases they have results for is those with an open and scannable port facing the internet... I would expect a basic security procedure in almost all cases would be to not do this.

    So out of the set of databases exposed directly to the internet, just under half have critical vulnerabilities. I am surprised it's not higher.

    1. simkin

      Re: Port scan results

      Seriously. The fact that a database is exposed to the Internet at all is a critical vulnerability.

      1. JimboSmith

        Re: Port scan results

        A CTO I heard giving a speech said that it was important to remember that despite all the buzz about 'the cloud'... "That's still just somebody else's computer permanently connected to the internet."

  3. Warm Braw

    On-premises databases tend to be more vulnerable

    They seem to have a Cloud Data Security product nevertheless.

    Bring back the good old days when a basement, a filing cabinet and a leopard (or threat thereof) was all you needed.

    1. stiine Silver badge

      Re: On-premises databases tend to be more vulnerable

      Ah, but you're forgetting the missing staircase and illumination, and the possible leopard.

  4. Steve Davies 3 Silver badge

    Duh!

    Quote

    "Erez's company sells cloud security products,"

    Says it all really... It is in his company's interest to get YOUR data into the Cloud that THEY control.

    1. Anonymous Coward

      Re: Duh!

      They also sell on-prem hardware and software, which means it's in his company's interest for you to keep your data in your own datacenters.

  5. rcxb1

    Naively matching version strings

    These types of scans / surveys just connect to an open port and read the version string. They have no idea whether they're hitting lots of honey-pots, version strings being spoofed, or old services that have been patched for vulns but not entirely upgraded to a newer version of the product...

    Of course they know they're getting a lot of nonsense, but they're happy as it helps their product pitch if they find large numbers that make good headlines, and reporters don't actually bother asking questions these days.
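As an added illustration of the point rcxb1 makes above (example code written for this page, not Imperva's scanner or anything from the article): a banner-only version check placed beside one that at least flags the cases a banner cannot decide. The sample banners, the version threshold and the list of backporting distributions are constructed assumptions for the example, and the check only knows about Apache httpd banners.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Constructed sample banners (not real scan data). They cover the three
# failure modes the comment describes: a genuinely old server, a distro
# package whose version string stays frozen while fixes are backported,
# and a banner carrying a version that never existed (spoof or honeypot).
SAMPLE_BANNERS = [
    "Apache/2.2.15 (Unix)",
    "Apache/2.2.15 (CentOS)",
    "Apache/2.4.57 (Ubuntu)",
    "Apache/9.9.9 (HoneyPot)",
    "nginx/1.18.0 (Ubuntu)",
]

# Hypothetical threshold for the example: anything below this "reads as old".
APACHE_MIN_UPSTREAM = (2, 4, 0)

# Release series Apache httpd has actually shipped; anything else is implausible.
APACHE_KNOWN_SERIES = {(1, 3), (2, 0), (2, 2), (2, 4)}

# Assumed list of distributions that backport fixes without bumping the
# upstream version number shown in the banner.
BACKPORTING_DISTROS = {"CentOS", "Red Hat", "Debian", "Ubuntu"}

BANNER_RE = re.compile(
    r"^(?P<product>[A-Za-z-]+)/(?P<version>\d+(?:\.\d+)*)"
    r"(?:\s+\((?P<distro>[^)]*)\))?"
)


@dataclass
class Assessment:
    banner: str
    product: str
    version: tuple
    # one of: old, current, backport-unknown, implausible, out-of-scope, unparsed
    verdict: str


def parse_banner(banner):
    """Split 'Product/x.y.z (Distro)' into its parts; None if it doesn't fit."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    version = tuple(int(x) for x in m.group("version").split("."))
    return m.group("product"), version, (m.group("distro") or "")


def naive_assess(banner):
    """The approach the comment criticises: banner version vs. threshold, nothing else."""
    parsed = parse_banner(banner)
    if parsed is None:
        return Assessment(banner, "", (), "unparsed")
    product, version, _ = parsed
    if product.lower() != "apache":
        return Assessment(banner, product, version, "out-of-scope")
    if version < APACHE_MIN_UPSTREAM:
        return Assessment(banner, product, version, "old")
    return Assessment(banner, product, version, "current")


def careful_assess(banner):
    """Same comparison, but reports the cases where the banner alone cannot decide."""
    parsed = parse_banner(banner)
    if parsed is None:
        return Assessment(banner, "", (), "unparsed")
    product, version, distro = parsed
    if product.lower() != "apache":
        return Assessment(banner, product, version, "out-of-scope")
    # A version number no upstream release ever carried: spoofed or a honeypot.
    if tuple(version[:2]) not in APACHE_KNOWN_SERIES:
        return Assessment(banner, product, version, "implausible")
    if version < APACHE_MIN_UPSTREAM:
        # Frozen version string; only the package changelog can say what is fixed.
        if distro in BACKPORTING_DISTROS:
            return Assessment(banner, product, version, "backport-unknown")
        return Assessment(banner, product, version, "old")
    return Assessment(banner, product, version, "current")


def summarise(banners, assess):
    """Count verdicts, which is what a headline number is built from."""
    return Counter(assess(b).verdict for b in banners)


if __name__ == "__main__":
    print("naive:  ", dict(summarise(SAMPLE_BANNERS, naive_assess)))
    print("careful:", dict(summarise(SAMPLE_BANNERS, careful_assess)))
```

The naive pass counts two "old" hosts out of five; the careful pass turns one of them into "backport-unknown" and reclassifies the impossible version as "implausible", so the headline number shrinks and the remainder is labelled for manual follow-up rather than reported as confirmed.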

    1. Anonymous Coward

      Re: Naively matching version strings

      That might be true. I've found that Nessus thinks some current BSD-based devices are PCs running Windows Vista... Every month we have to dispute this.

      On the other hand, any Apache version that hasn't been supported since CentOS 5 is probably a good indicator that something's quite out of date.

  6. Anonymous Coward

    "Put your data on someone else's computer to keep it safe, urges Imperva"

    That just shifts some of the blame onto someone else... you probably still set the wrong access permissions and they probably still forget to apply all the patches in a timely manner.

    As pointed out above... "That's still just somebody else's computer permanently connected to the internet."

  7. Anonymous Coward

    We will continue to be at risk while the industry hires people with worthless money-making certifications like CEH instead of the people who have grown up reverse engineering electronic devices or finding back doors in software protection.

    It's time big business woke up to the fact that these pointless, out-of-date and irrelevant certifications do not magically turn someone who has seen a few episodes of Spooks into a l33t h4><Or; they churn out people who think running a fifteen-year-old exploit against DVWA is how vulnerabilities are found and exploited.

    Oh, and can we please stop using the term 'threat actor'. It makes the person using the term sound like a d***.
