More than 300 database vulnerabilities identified by the industry in the past 4 years; Imperva ADC Research Center predicts more to come
LONDON, UK, Apr. 24, 2007 – Imperva®, the global leader in data security and compliance solutions for the data centre, today raised concerns that the rising number of database-related security breaches in the US might soon affect major UK database projects like the Government’s National Identity Register (NIR) scheme.
Database vulnerabilities are reported to have been at the heart of several recent high-profile incidents in the US, especially among online banking and other financial institutions. In the recent case of discount retailer TJX, owner of UK retailer TK Maxx, hackers were able to steal millions of payment card details. There is mounting concern that the trend towards database vulnerabilities and misconfigurations being specifically targeted by hackers for financial gain may soon come to the UK.
“Under US disclosure laws firms are obliged to go public when there has been a serious breach of security,” says Jonathan Mepsted, Imperva’s managing director for EMEA. “In the UK and the rest of Europe there are no such laws.”
“We can only suspect that such incidents are equally commonplace over here,” he continues, “but we just do not hear about them. This is why it is imperative the UK Government is seen to be doing all it can to implement the technology, policies and practices to eliminate database security risks.”
According to Imperva’s Application Defense Center (ADC), an internationally-recognised security research organisation, more than 300 vulnerabilities have been identified in all of the most common database software products in the past four years. These vulnerabilities expose databases to privilege abuse attacks, privilege escalation and denial-of-service attacks affecting the confidentiality, integrity and availability of critical information.
“Databases are the IT equivalent of the bank vault and will always be a focus for hackers and insider abuse so we can be confident that vulnerabilities will continue to appear over time,” said Amichai Shulman, CTO of Imperva and head of the Imperva Application Defense Center which brought at least 20 of these vulnerabilities to light. “The first step towards locking down databases is vulnerability assessment but there are not many effective tools around.”
He added: “Organisations that are interested in testing their database infrastructure for these vulnerabilities can now do so for free using a database scanning product from Imperva called Scuba.”
Scuba by Imperva is a lightweight Java utility that is specially designed to support the database assessment efforts of database, compliance, and information security professionals. The software scans Oracle, Microsoft SQL Server, IBM DB2, and Sybase databases for hundreds of vulnerabilities that facilitate SQL injection, buffer overflow, and other attacks. It also detects configuration problems like insecure passwords, unsafe processes, unrestricted permission levels, and more.
Scuba by Imperva is available for download – completely free – at www.imperva.com/scuba.
About Imperva
Imperva is the leader in application data security and compliance. Leading enterprise and government organizations worldwide rely on Imperva to prevent data theft and abuse, and ensure data integrity. The company’s SecureSphere products provide data governance and protection solutions that monitor, audit and secure business applications and databases. For more information, visit www.imperva.com.
# # #
Imperva and SecureSphere are trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.
Editorial Contact
Marc Gendron
(781) 237-0341
marc@mqpr.net