David Litchfield ran a scan on the Internet for the typical SQL Server and Oracle ports. It is unbelievable that he found approx. 490'000 servers on the Internet – unprotected and often un-patched. On unsupported version levels, on unsupported Service Packs.
What is going on there? Are these test servers nobody cares of (they are pretty often connected to the corporate network and can easily be used as an entry point for a criminal)? Who is the company behind that? ...
Looking at the comments to the article Hacker finds 492,000 unprotected Oracle, SQL database servers people just talk of the admins being stupid … I tend to disagree. Often the ITPros (and this is just my assumption) are just overstrained. They do not get enough training. They have to be the AD Admin, the SharePoint Guru, the Exchange Pro, the Network specialist, the…., the…., the…. and we expect them to be the Security Officer as well? They are held responsible for having a good uptime – unfortunately not for security!
Do not get me wrong. I do not say that this situation is good but up to a certain point I can understand them. We tend to compare them with us, being security professionals. They are often not. Instead of blaming them, we should rather make sure that we can help them and improve the situation. Do they do it deliberately? For sure no! Calling them ignorant and dumb is unfair and the wrong approach!