Blue Core Research
The Silent Majority: Why Database Threats Must Become Center Stage
Databases are the true endgame of most cyberattacks, yet they remain dangerously overlooked. Learn why your defense must start with your data – and how to finally secure it.

As security professionals, we are constantly bombarded with threats. The news cycles are filled with tales of sophisticated phishing campaigns, novel malware strains, and the ever-evolving tactics of network intruders. We diligently patch our endpoints, implement robust firewalls, and train our users to be wary of social engineering ploys. These are vital defenses, the frontline in our ongoing battle.

But consider the endgame. What is the ultimate prize for these attackers? What are they truly after? In the vast majority of data breaches, the answer lies within the heart of our digital ecosystems: the database.

Think about the headlines that truly sting. The breaches that expose millions of customer records, sensitive financial information, credit cards, email addresses, passwords, and more. Now, dig a little deeper. Where did all that data come from? What is the common denominator? In almost every case, the attackers, regardless of their initial point of entry, must ultimately compromise the database.

The initial intrusion – the phishing email that tricked an employee, the vulnerability in a web application, the misconfigured network device – it is like a burglar finding an unlocked window. They provide access, but the real treasure lies within the vault. And in our digital world, that vault is the database.

You might argue, “But we have perimeter security! We have intrusion detection systems!” And that is commendable. These are essential layers of defense. However, focusing solely on perimeter security is like swatting at mosquitoes while walking in the park. You might get lucky and eliminate a few, but the threat is always there, and some will land on your skin and bite you.

Consider the ransomware epidemic. To cripple an organization and extract a hefty ransom, attackers need to reach the data in the database: encrypt it so the business stops, and copy it so they can threaten to publish it. Encrypting the data files means they have compromised the database server itself, and exfiltrating the data means they either connected to the database with working credentials or copied its files from that server. Either way, the database is the target.

The truth is that the sophistication of SQL injection attacks, the insidious nature of credential theft, and the ever-present risk of malicious insiders represent the main threat to the very lifeblood of our organizations. These are not theoretical risks; they are the mechanisms by which the most damaging breaches occur.

Why, then, does database security often feel like a secondary concern, overshadowed by the more visible and perhaps more sensationalized threats? Why are database threats not your biggest concern? Perhaps it is the perceived complexity and the specialized knowledge required. Maybe it is the “out of sight, out of mind” mentality. The database often hums quietly deep in the data center like a seemingly impenetrable fortress.

But this perceived impenetrability is a dangerous illusion with catastrophic consequences. Attackers understand the value of your data, and that is what they are after. Their methods do not break the database engine; they walk in through legitimate access paths, which is why traditional controls do not catch them. Encryption and the principle of least privilege, while important, do not stop an attacker who holds a valid account. We must understand how attackers actually reach the data and deploy measures that detect and stop that activity.

We need a paradigm shift. We must elevate database security from a niche concern to a core pillar of our overall security strategy. That is not to dismiss the importance of network security or endpoint protection. However, we must recognize they are merely stepping stones for attackers. The ultimate targets, the crown jewels, reside within the database.

Database Threats

While it is great to champion database security and advocate for addressing real-world threats, the question remains: what are those threats, and how can we address them? Let’s start by examining how attackers pull off this magic trick and penetrate the database.

There are three things to consider when answering this question:

  • Inspect real-world case studies of significant breaches. Published details are often thin, but you can usually find clues. For example, if ransomware encrypted the database files, the attackers had compromised the server hosting them; otherwise they could not have touched the files. Another example is the often-overlooked internal threat, which has hovered around 20% of breaches for years.
  • Challenge your database team to find a way to breach the databases they manage. How would they do it? It is a sort of theoretical red team exercise.
  • Acknowledge facts. Vendors sometimes distract us with exotic threats, but the reality is that attackers connect to a database the same way everyone else does: with a valid username and password, or with an operating-system trust relationship that the database accepts in place of one. Pre-authentication flaws in database engines do surface occasionally and must be patched promptly, but they are rare, and a breach that relies on one is the exception. There is no magic packet that bypasses authentication, and the overwhelming majority of breaches involve no engine exploit at all.

Having said that, how do attackers get in? We know they do, so what is the trick? Well, there is no real magic, and you already know the answer:

  • Internal Threat. We do not like to admit it, but the statistics are consistent: internal actors are responsible for about 20% of data breaches, and the Verizon DBIR (Data Breach Investigations Report) shows much the same figure year after year. Individuals we trust and grant access abuse their privileges.
  • Compromised Individual Accounts. Many times, attackers impersonate people. They steal passwords or compromise a desktop and use it to connect to the database. If an attacker penetrates a machine with database access, such as a DBA desktop, the path to the data is pretty short.
  • Compromised Shared Accounts. Nobody memorizes the credentials of shared privileged accounts (such as SYS or SA) or application accounts. They are stored in configuration files, scripts, spreadsheets, and password notes, and whoever reads those files, including an attacker who has landed on the wrong machine, gets the account.
  • Local Access. Gaining access to the database server means gaining access to the database. Ransomware that encrypts database files has, by definition, taken this path. Local access lets an attacker copy the data files outright, and on many platforms a specific operating-system account (the one the database runs as, or a member of its administrative group) can connect to the database without a password through OS authentication.
  • Application. Application vulnerabilities are another common path. SQL Injection is the most famous application attack vector, but many application flaws allow attackers to modify or extract data from the database.
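
To make the application path concrete, here is an added example (not code from this article or from Blue Core Research) showing the same customer lookup written two ways against a constructed SQLite database: a string-built query that lets a UNION payload pull rows from an unrelated credentials table, beside the parameterized version that treats the same input as plain data. The table names, rows, and payloads are all made up for the illustration.

```python
import sqlite3

# Constructed sample data (not from the article): two tables, the second of
# which the application never intends to expose through the customer lookup.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE credentials (username TEXT, password_hash TEXT);
INSERT INTO customers (name, email) VALUES
    ('Alice', 'alice@example.com'),
    ('Bob',   'bob@example.com');
INSERT INTO credentials VALUES
    ('sa',      'hash-of-sa-password'),
    ('appuser', 'hash-of-app-password');
"""


def make_db():
    """In-memory SQLite database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: attacker-controlled input becomes SQL syntax."""
    query = f"SELECT name, email FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so quotes, UNION and comment markers in the input stay data."""
    query = "SELECT name, email FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# A UNION payload: it closes the string literal, appends a second SELECT with
# the same column count, and comments out the dangling quote.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM credentials --"
# A tautology payload: turns a one-row lookup into a dump of the whole table.
TAUTOLOGY_PAYLOAD = "' OR 1=1 --"


def demo():
    """Run both lookups against a normal input and the two payloads."""
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice@example.com"),
        "normal_safe": lookup_safe(conn, "alice@example.com"),
        "union_vuln": sorted(lookup_vulnerable(conn, UNION_PAYLOAD)),
        "union_safe": lookup_safe(conn, UNION_PAYLOAD),
        "tautology_vuln": sorted(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function never fails: it returns exactly what the injected SQL asks for, which is why the page's point stands that the application account's own privileges, not a broken engine, decide what an injection can reach. The parameterized version returns no rows for either payload because no customer has an email address equal to the payload string.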

We know these threats exist. We realize our adversaries exploit them. Yet we still ignore them. That is illogical. That is how data breaches occur! That is what we must stop!

Addressing the Threats

If you attempt to apply traditional database security measures to these threats, you will realize they do not address them. Yes, it is necessary to encrypt data in transit and at rest. But attackers rarely sniff database traffic, and encryption at rest protects only the files: anyone who connects as a valid user, which is exactly how the threats above work, receives the data decrypted (they may still encrypt the files for ransom). Yes, it is also essential to apply least-privilege principles and close unused accounts, but the accounts attackers use are the legitimate, privileged ones that must remain open.

So, how can we defend? Perhaps the reason we do not focus on database security is the belief that databases cannot be protected. They can.

Modern database security solutions like Core Audit have plenty of capabilities to address these threats:

  • Compliance Reporting. The oldest method is the type of report every compliance framework asks for: DBA activity, DDLs, etc. Reviewing such reports is time-consuming, but they give good visibility into the high-risk parts of database activity. This is the traditional way of protecting databases against internal threats, compromised accounts, and local access.
  • Anomaly Analysis. A modern approach is to look for changes in activity profiles: a new combination of user and program connecting to the database, a new SQL statement accessing sensitive data, activity at an unusual time of day, or a volume higher than usual. Anomalies are especially powerful for controlling repetitive, high-volume activity such as application traffic, because that traffic has a stable profile that an attacker's activity deviates from. The approach is effective against all of the threats above, including internal threats, compromised accounts, local access, and application vulnerabilities like SQL injection.
  • Proactive Forensics. Another powerful tool is giving security personnel visibility into what’s happening in the database. By involving people in the security process, you can identify attacks, poor security practices, and gaps in your controls. Most importantly, proactive forensics helps you design effective reports and alerts that target the activity profile in your particular database.
  • Advanced SQL Blocking. Moving from detection to prevention, advanced SQL blocking lets you limit DBA privileges, control where activity may come from, enforce separation of duties, and more. That takes database security beyond the controls built into the database itself.
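
As an added illustration of the anomaly-analysis idea above (example code written for this page, not Core Audit's implementation or output), the following script builds an activity profile from a constructed baseline of audit records and then checks a new day's records for the four signals listed: a new user/program/host combination, a new SQL shape touching sensitive tables, off-hours activity, and a per-user volume spike. The record format, the user and host names, the sensitive-table list, and the business-hours window are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit records (not from the article or any product). Each record
# is one captured statement: when, who, from which program and host, and what.
BASELINE = [
    ("2025-07-14 09:15:02", "appuser", "webapp",  "app01",  "SELECT name, email FROM customers WHERE id = 42"),
    ("2025-07-14 09:15:03", "appuser", "webapp",  "app01",  "SELECT name, email FROM customers WHERE id = 17"),
    ("2025-07-14 10:02:11", "appuser", "webapp",  "app02",  "UPDATE orders SET status = 'shipped' WHERE id = 901"),
    ("2025-07-14 11:30:45", "dba1",    "sqlplus", "dba-ws", "SELECT count(*) FROM orders"),
    ("2025-07-15 09:16:10", "appuser", "webapp",  "app01",  "SELECT name, email FROM customers WHERE id = 88"),
    ("2025-07-15 14:20:00", "appuser", "webapp",  "app02",  "UPDATE orders SET status = 'shipped' WHERE id = 915"),
]
TODAY = [
    ("2025-07-16 09:14:59", "appuser", "webapp",  "app01",      "SELECT name, email FROM customers WHERE id = 51"),
    # application account used from an unknown program on a workstation, at night
    ("2025-07-16 02:41:07", "appuser", "python3", "dev-laptop", "SELECT name, email, ssn FROM customers"),
    # DBA running statement shapes never seen before, and far more of them than usual
    ("2025-07-16 13:05:30", "dba1",    "sqlplus", "dba-ws",     "SELECT * FROM credentials"),
    ("2025-07-16 13:05:31", "dba1",    "sqlplus", "dba-ws",     "SELECT count(*) FROM orders"),
    ("2025-07-16 13:06:00", "dba1",    "sqlplus", "dba-ws",     "SELECT * FROM customers WHERE id = 7"),
    ("2025-07-16 13:06:01", "dba1",    "sqlplus", "dba-ws",     "SELECT * FROM customers WHERE id = 8"),
]
SENSITIVE_TABLES = {"customers", "credentials"}   # assumption for the example
BUSINESS_HOURS = range(7, 20)                     # assumption: 07:00-19:59 is normal


def fingerprint(sql):
    """Collapse literals and whitespace so 'id = 42' and 'id = 17' share one shape."""
    s = re.sub(r"'[^']*'", "'?'", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def tables_in(sql):
    """Crude table extraction, good enough for the constructed statements."""
    return {t.lower() for t in re.findall(r"\b(?:from|into|update|join)\s+(\w+)", sql, re.I)}


def build_profile(records):
    """Learn which sources, statement shapes, and daily volumes are normal."""
    profile = {"sources": set(), "shapes": set(), "per_user_per_day": defaultdict(Counter)}
    for ts, user, prog, host, sql in records:
        profile["sources"].add((user, prog, host))
        profile["shapes"].add((user, fingerprint(sql)))
        profile["per_user_per_day"][user][ts[:10]] += 1
    return profile


def daily_average(profile, user):
    days = profile["per_user_per_day"].get(user)
    return (sum(days.values()) / len(days)) if days else 0.0


def detect(profile, records, volume_factor=3.0):
    """Return (reason, detail) pairs for activity that deviates from the profile.
    A new source or a new statement shape is reported once, not per statement."""
    findings, reported = [], set()
    for rec in records:
        ts, user, prog, host, sql = rec
        source, shape = (user, prog, host), (user, fingerprint(sql))
        if source not in profile["sources"] and source not in reported:
            reported.add(source)
            findings.append(("new_source", rec))
        if (shape not in profile["shapes"] and shape not in reported
                and tables_in(sql) & SENSITIVE_TABLES):
            reported.add(shape)
            findings.append(("new_sql_on_sensitive_data", rec))
        if datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour not in BUSINESS_HOURS:
            findings.append(("off_hours", rec))
    for user, n in Counter(r[1] for r in records).items():
        avg = daily_average(profile, user)
        if avg and n > volume_factor * avg:
            findings.append(("volume_spike", (user, n, avg)))
    return findings


if __name__ == "__main__":
    for reason, detail in detect(build_profile(BASELINE), TODAY):
        print(f"{reason}: {detail}")
```

The first record of the new day matches the learned profile and produces nothing, which is the point: the application's repetitive traffic is easy to baseline, so the dev-laptop connection using the application account, the DBA's first-ever read of the credentials table, and the DBA's unusual volume stand out without any signature for a specific attack. In a real deployment the baseline comes from weeks of captured activity rather than six records, and the statement fingerprint would come from the database's own parser rather than a regular expression; the structure of the checks is what the example shows.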

Final Thoughts

Buzzing mosquitoes are annoying, but it is the bite that really gets you. Similarly, perimeter intrusions are concerning yet inevitable, but it is the compromise of the database that leads to catastrophic data breaches.

We cannot afford to remain complacent. We must understand real-world database threats and champion the cause of database security to address them. We must do so with the same vigor and urgency we apply to other areas of cybersecurity, if not more. The silent majority – our databases and the threats they face – is the key to defeating our adversaries. Our data is the treasure they crave, and it is time we gave our databases the protection they deserve.

You can protect your database. The solution is here. Contact us today!

  • 2025-07-23 11:12:42
    Jason:
    Yes, databases are overlooked. Thank you.

If you have a question or a comment, please let us know. We’ll be happy to hear from you.