Analysis & Commentary: BANKS SUFFER HIGH RATE OF SECURITY CRACKS

As reported by Matt Berger, database software developers in the banking and finance industries reported more security breaches than database developers in any other industry polled in a recent survey. Overall, in a poll of 700 database developers working for U.S.-based corporations and software development firms, 12 percent said the databases they support experienced a security breach within the last year, a survey from market research company Evans Data reveals.

The survey, which was conducted in December, 2001, classified security breaches under three general definitions: a computer virus that successfully corrupts or erases data in a database, a human error that leaves a database corrupted, or an unauthorized break-in to a database. Of those methods of breach, computer viruses were the type most commonly identified as being at fault, according to Joe McKendrick, an analyst with Evans Data.

Roughly 27 percent of the developers surveyed in the banking and financial services industries said they had experienced a security breach last year. In the medical and health care industry, 18 percent of database developers said they had experienced a breach. An equal percentage of developers in the telecommunications industry reported breaches. Meanwhile, 12 percent of the developers working for electronic commerce and other Internet companies reported security snafus. Of the developers polled from the government and military sector, 9 percent said they had endured a breach.

Safeguards Overlooked

The database developers who took part in the survey use database software from a variety of vendors. The most widely used applications include Microsoft's SQL Server, IBM's DB2, and database software from Sybase and Oracle. Roughly 70 percent of the developers who participated in the survey said they support databases from two or more of these vendors.
In addition to having security protection in the form of firewalls and network authentication, databases typically include built-in security features such as data encryption. Only 37 percent of the respondents said they use the built-in security features, however. "Major vendors have done a fantastic job of incorporating various levels of security features and tools," McKendrick said. "If these features are used, they provide a good level of security."

During the past year, reported database security glitches included a hole in Microsoft's SQL Server that left it vulnerable to hackers during a short period after a user logged off the database. Another hole, found in Microsoft's database software in December, left it vulnerable to a denial-of-service attack. And in June, the Covert Labs division of PGP Security discovered a flaw in Oracle's Oracle8i database that left it vulnerable to hack attacks.

Of the 700 developers polled by Evans Data, one quarter work at companies with more than 1000 employees. Seventy percent of the database developers work in-house at corporations; the other 30 percent work at software development companies.