Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A grammatically correct random pass phrase generator"] [Next entry: "60 million password hashes/second Oracle password cracker available"]

IOUG Data Security Report 2009 is out



I saw via Roxana Bradescu's blog that the IOUG has released its second "annual" - not twice a year, the second time its been done - security survey. This year its different as last year bloggers like myself were asked to promote the survey outside of the IOUG and get people to log in and fill it in on the IOUG site. This year Oracle has sponsored it and they have used a research company to survey IOUG's members, at the deadline only 316 has responded and taken part in the web based survey. I don't know the number of IOUG members but it doesnt sound like a huge response - I am guessing they have a lot more members.

The key findings in the report say that data breaches are up 50% on last year but there is also a growing awareness towards data security; managers are now recognising the issues of internal threats, its taken 4 years since the first surveys (not IOUG) started to quantify that internal threats are greater than external threats, the message is finally getting through to the masses. Interestingly the report says that most sites still dont have any mechanism to prevent admins from messing with sensitive data. This is certainly true in my experience in dealing with clients through performing security audits for them. Also interestingly the report says that over half the organisations use production data in non-production environments. My feeling on this one is that the other half probably do as well and either dont recognise it or dont know (more likely) - my experience from performing security audits is that I always find production data outside of the production database being reviewed. period.

The report makes interesting reading and simply backs up my day to day view of data security. The one thing I would say from talking to and working for a lot of organisations is that the message is getting through; people are more aware of data security (this "could be" / "probably is") skewed as people are likely to talk to me specifically because they have become aware of data security otherwise why do they seek me out to give me work or ask for advice. But the one thing I do draw is that the number of people asking and talking has grown massively since over the last 8 years so the message in my opinion is getting through that data must be secured, its probably not getting through fast enough though.

I could not find the report on the IOUG site and the only link I could find on Oracle's site was in Roxana's blog. The link to the report is here. It would be nice if Oracle provide a more prominent link to an important survey such as this. Also don't get fed up clicking links, logging in, updating profiles.... to get to it, percevere and read it, its the message that we all need to pay more attention to data security that counts.

There has been 2 Comments posted on this article


October 3rd, 2009 at 10:42 am

Data Security says:

Hey,
This is an awesome blog you've
got here!! I'm definitely going to
bookmark it!
smile



October 5th, 2009 at 09:30 am

Pete says:

Thanks for your comnpliement.

BTW, your product looks quite interesting but I would wonder about the fact that its software based. if someone just re-installs the OS then your tracking software is gone.

cheers

Pete