Snarky posts lose some effect when there are grammatical errors in them.
Tagged tweet
Survey: Most Oracle Shops Don’t Mandate Security Patches
Heads up criminals with technical skills: Oracle products are wide open in most places! While 32% of these survey respondents are doing their cost-benefit analysis on patching their Oracle DBs, you could be stealing their data. A full 11% haven’t ever installed an Oracle patch. So get on the ball and get cracking…oh, you already have.
“ ‘I think the feeling in those organizations is that since databases are a little more isolated than the desktop, there’s less of a [security] concern,’ said [Ian] Abramson, director of the enterprise data group at Thoughtcorp, an IT services firm in Toronto.”
No, Ian Abramson, it’s actually not the enterprises’ fault for miscalculating the risk. They may have done so, but that’s not why these patches aren’t applied. Your aptly named cohort at the IOUG has it right:
“Patching databases in particular is a complex task that can require months of labor and significant system downtime,” said Ian Abramson, the Independent Oracle Users Group’s president.
To recap, patches aren’t applied because it’s really hard to do so. Who makes it hard to apply the patches? The vendor does. Best thing Oracle could do for security would be to make applying patches easy…really easy.
Tagged database, oracle, patching, security
RIP Paul Harvey: http://tinyurl.com/angjyt
Tagged tweet
Tight economy, everyone struggling, no budget, more work, etc., etc. Here are six tips for doing more with less in information security.
This list really should be called “six things you should have been doing all along that tough economic times remind you about,” but that’s not a very catchy title. This list makes me mad, really. Why? At the risk of being overly verbose, let’s take them one by one:
1. Get out of the deployment business.
Why are you in the deployment business in the first place? Did you ask for responsibility for full disk encryption and web application firewalls? If you did, then, well, you asked for it. Pulling an ‘oh, never mind’ and giving it back isn’t going to make running information security any easier. If you didn’t ask for responsibility for these things, then you’ll have a tough time getting rid of them anyway.
2. Spread the cost of security with other groups.
Yes yes yes! But doing this in the midst of tough economic times is a recipe for disaster. You’re effectively trying to sell services into groups who have just as little money in their proverbial wallets as you do. Do you think they’ll want to buy? No. What happens when they don’t? You either continue to offer the service and manage the cost yourself (“if I don’t pay for this, what happens? Nothing…oh…”) or you don’t provide the service and security gets thrown under the economic bus.
3. Get more out of your existing security tools and systems.
Can’t argue with this one. Should be doing this all the time, of course. Just like the government, gotta cut expensive programs that don’t work.
4. Tie a security purchase to your compliance mandates.
Again, if you weren’t doing this before…
5. Outsource or automate some security functions.
As long as you’re not outsourcing your own job, that’s cool. Of course, outsourcing is addictive when successful, and expensive when it’s not. Taking new risks isn’t always a recipe for economic success.
6. Take advantage of a security buyer’s market.
“Reasonable security vendors will be flexible on pricing and payment terms, especially when they know you are well-informed about competing solutions,” WhiteHat’s Grossman says. “Ask for additional discounts if purchasing decisions are made quickly, or by committing to multiyear contracts. Then once you’ve selected a solution you really love, forge close relationships and help the vendor evangelize by serving as a reference or case study.”
Quick, everyone call WhiteHat and tell them Jeremiah told you to ask for a discount! Really, it is a vendor’s dream that the customer will trade discounts for public endorsement of a product. I suggest a tattoo with the vendor’s name, priced based on bodily location. It worked for this guy, I’m sure.

An interview I did on PCI: http://tinyurl.com/at4vb7
Tagged tweet
Check this out: http://tinyurl.com/bd3d7t
Tagged tweet
Is it possible to not take something for granted when you have it all the time?
Tagged tweet
Stupid Skype. It automatically installs a Firefox plugin that obscures phone numbers in web pages so you can’t read them.
Tagged tweet
Just watched the first episode of Dollhouse on Hulu. It’s a good show, as far as these things go. I’m convinced that it’s a combination of The Pretender and Alias. When it comes down to it, you can pretty much create a new show out of combining older shows. Life on Mars seems like a combo of Quantum Leap and a good ol’ cop show. Fringe is an awful lot like the X-Files and, well, another crime show. This doesn’t mean the shows aren’t good, just that they’re not original. Sometimes the familiar is what grabs us.