As security professionals, we are constantly bombarded with threats. The news cycles are filled with tales of sophisticated phishing campaigns, novel malware strains, and the ever-evolving tactics of network intruders. We diligently patch our endpoints, implement robust firewalls, and train our users to be wary of social engineering ploys. These are vital defenses, the frontline in our ongoing battle.
But consider the endgame. What is the ultimate prize for these attackers? What are they really after? In the vast majority of data breaches, the answer lies within the heart of our digital ecosystems: the database.
Think about the headlines that truly sting. The breaches that expose millions of customer records, sensitive financial information, credit cards, email addresses, passwords, and more. Now, dig a little deeper. Where did all that data come from? What is the common denominator? In almost every case, the attackers, regardless of their initial point of entry, ultimately had to compromise the database.
The initial intrusion – the phishing email that tricked an employee, the vulnerability in a web application, the misconfigured network device – is the equivalent of a burglar finding an unlocked window. It provides access, but the real treasure lies within the vault. And in our digital world, that vault is the database.
You might argue, “But we have perimeter security! We have intrusion detection systems!” And that’s commendable. These are essential layers of defense. However, focusing solely on perimeter security is like swatting at mosquitoes while walking in the park. You might get lucky and eliminate a few, but the threat is always there and some will land on your skin and bite you.
Consider the ransomware epidemic. For an attacker to truly cripple an organization and extract a hefty ransom, they need to steal and encrypt the data in the database. Penetrating the database machine is a prerequisite for a successful ransomware attack. Connecting to that database is the only way to dump out the data so they can threaten to expose it.
The truth is that the sophistication of SQL injection attacks, the insidious nature of credential theft, and the ever-present risk of malicious insiders represent the main threat to the very lifeblood of our organizations. These aren’t theoretical risks; they are the mechanisms by which the most damaging breaches occur.
Why then, does database security often feel like a secondary concern, overshadowed by the more visible and perhaps more sensationalized threats? Why are database threats not your biggest concern? Perhaps it’s the perceived complexity and the specialized knowledge required. Maybe it’s the “out of sight, out of mind” mentality. The database often hums quietly deep in the data center as a seemingly impenetrable fortress.
But this perceived impenetrability is a dangerous illusion with catastrophic consequences. Attackers understand the value of your data, and that is what they are after. Long ago they developed methods that bypass traditional database security measures. Setting up encryption and applying the principle of least privilege, while important, will not stop them. We must understand how attackers get to our data and then deploy measures to detect and stop them.
We need a paradigm shift. We must elevate database security from a niche concern to a core pillar of our overall security strategy. This isn’t about dismissing the importance of network security or endpoint protection. It’s about recognizing that these are usually just stepping stones for attackers. The ultimate targets, the crown jewels, reside within the database.
Database Threats
While it’s great to champion database security and advocate for addressing real-world threats, the question remains – what are those threats and how can we address them? Let’s start with how attackers pull off this magic and get into the database.
There are three things to consider when answering this question:
- Inspect real-world case studies of significant breaches. You can’t always find published information about what exactly transpired, but sometimes there are clues. For example, a ransomware attack means the server was compromised, or the attackers wouldn’t have been able to encrypt the files. Another example is the ever-present internal threat, which has hovered around 20% of breaches for years.
- Challenge your database team to figure out how they would breach their databases. It’s a sort of theoretical red team exercise.
- Acknowledge facts. While many vendors try to confuse us with imaginary threats, the reality is that attackers can’t connect to a database without a valid username and password. All modern databases have long moved past the point of a special packet that will magically get someone past security. There are no stack overflows or undocumented backdoors to gain access.
Having said that, how do attackers get in? We know they do, so what’s the trick? Well, there’s no real magic and you already know the answer:
- Internal Threat. We don’t like to admit it, but statistics show that internal actors account for about 20% of data breaches. It shows up every year in the Verizon DBIR (Data Breach Investigations Report). Individuals we trust and grant access abuse their privileges.
- Compromised Individual Accounts. Many times attackers impersonate people. They steal passwords or compromise a desktop and use it to connect. If an attacker penetrates a machine with database access like a DBA desktop, getting to the data is very simple.
- Compromised Shared Accounts. The credentials to shared privileged accounts (like SYS or SA) and application accounts are stored in configuration files, spreadsheets, and more. No one remembers a strong 12-character password; it’s always written down somewhere.
- Local Access. Gaining access to the database server will get you into the database. That happens in all ransomware attacks. Not only can you steal the data files, but there is a local operating system account that can connect to the database without a password.
- Application. Application vulnerabilities are another common path. SQL Injection is the most famous application attack vector, but many application flaws allow attackers to modify or extract data from the database.
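To make the application vector concrete, here is an added example that is not part of the original article: the same customer lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. The table, its rows and the function names are assumptions for illustration; the point is that with the concatenated form the input can rewrite the query, while with the bound parameter the query shape is fixed and the input is only ever data.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.com"),
         (2, "Bob", "bob@example.com"),
         (3, "Carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query text from user input, so the input can change the query itself."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Binds the input as a parameter: the query shape is fixed, the value is data only."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both versions on the same input and return how many rows each produced."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_hardened(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("Alice"))          # (1, 1): both return the single matching row
    print(compare("x' OR '1'='1"))   # (3, 0): concatenation returns every row, the bound parameter none
```

The hardened version also has a side benefit for the anomaly analysis discussed later in the article: the database sees one fixed statement shape no matter what the user types, so a genuinely new statement touching the customer table stands out.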
But even though we know these threats exist and realize they are exploited, we still ignore them. That is illogical. This is how data breaches occur! That’s what we must stop!
Addressing the Threats
As you look through these threats and think of traditional database security, you’ll notice traditional measures won’t help. Yes, it’s important to encrypt data in transit and data at rest. But attackers don’t target network traffic and don’t steal physical files (though they might encrypt them for ransom). Yes, it’s important to apply the principle of least privilege and close unused accounts, but that’s not how a hacker would usually get to your data.
So how can we defend? Maybe the reason we don’t focus on database security is that we can’t protect databases.
Modern database security solutions like Core Audit have plenty of capabilities to address these threats:
- Compliance Reporting. One of the oldest methods is the kind of reporting used in all compliance frameworks: reports on DBA activity, DDL statements, and so on. While this type of reporting can be time-consuming, it gives good visibility into certain high-risk aspects of database activity. This is the traditional way to protect databases against internal threats, compromised accounts, and local access.
- Anomaly Analysis. A modern approach is to look for changes in activity profiles: a new combination of user and program connecting to the database, a new SQL statement accessing sensitive data, activity at an unusual time of day, or a higher than usual activity volume. Anomalies are a powerful tool for controlling repetitive, high-volume activity such as the application’s. The approach is effective against all threats, including internal threats, compromised accounts, local access, and application vulnerabilities like SQL injection.
- Proactive Forensics. Another powerful tool is giving security personnel visibility into what’s happening in the database. By involving people in the security process you can identify attacks, poor security practices, and gaps in your controls. Most importantly, proactive forensics helps you design effective reports and alerts that target the activity profile of your particular database.
- Advanced SQL Blocking. Moving from detection to prevention, advanced SQL blocking lets you limit DBA privileges, control activity sources, enforce separation of duties, and more. This enhances database security moving beyond what the built-in capabilities offer.
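As an added illustration (not Core Audit’s code nor the article’s), here is a toy version of the compliance-reporting and anomaly-analysis ideas from the list above, run over constructed audit records: a DDL report, then a baseline profile of user/program pairs, SQL fingerprints, hours of activity and daily volume, checked against a later day on which the application account is used in an unusual way. The record format, the set of sensitive tables, the volume threshold and all function names are assumptions; a real product works from the database’s own audit stream and far richer profiles.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption for illustration: tables the organisation classifies as sensitive.
SENSITIVE_TABLES = {"customers", "card_data"}

# Constructed sample audit records: (timestamp, db_user, client_program, sql_text).
# A baseline period of ordinary activity ...
BASELINE = [
    ("2024-03-01 09:12:00", "APP", "webapp", "SELECT name FROM customers WHERE id = 17"),
    ("2024-03-01 09:13:00", "APP", "webapp", "SELECT name FROM customers WHERE id = 42"),
    ("2024-03-01 10:05:00", "APP", "webapp", "UPDATE orders SET status = 'shipped' WHERE id = 9"),
    ("2024-03-01 14:30:00", "DBA1", "sqlplus", "ALTER TABLE orders ADD note VARCHAR(200)"),
    ("2024-03-02 09:20:00", "APP", "webapp", "SELECT name FROM customers WHERE id = 99"),
    ("2024-03-02 11:00:00", "APP", "webapp", "UPDATE orders SET status = 'shipped' WHERE id = 12"),
]

# ... and a later day: the application account is used from an interactive tool,
# at night, with statements it never ran before, on top of a much higher volume.
NEW_DAY = [
    ("2024-03-09 02:10:00", "APP", "sqlplus", "SELECT * FROM customers"),
    ("2024-03-09 02:11:00", "APP", "sqlplus", "SELECT * FROM card_data"),
    ("2024-03-09 09:00:00", "APP", "webapp", "SELECT name FROM customers WHERE id = 5"),
] + [
    ("2024-03-09 09:%02d:00" % m, "APP", "webapp", "SELECT name FROM customers WHERE id = %d" % m)
    for m in range(10, 20)
]

DDL_PREFIXES = ("CREATE", "ALTER", "DROP", "GRANT", "REVOKE")


def fingerprint(sql):
    """Replace string and numeric literals with '?' so statements that differ only in values match."""
    s = re.sub(r"'[^']*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().upper()


def tables_in(sql):
    """Crude table extraction: the identifier following FROM, JOIN, UPDATE or INTO."""
    return {t.lower() for t in re.findall(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_]\w*)", sql, re.I)}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def ddl_report(records):
    """Compliance-style report: every DDL or privilege statement, with who ran it and when."""
    return [(ts, user, sql) for ts, user, _prog, sql in records
            if sql.lstrip().upper().startswith(DDL_PREFIXES)]


def build_profile(records):
    """Learn what 'normal' looks like from the baseline period."""
    profile = {"user_program": set(), "fingerprints": set(), "hours": set(), "per_day": Counter()}
    for ts, user, program, sql in records:
        dt = parse_ts(ts)
        profile["user_program"].add((user, program))
        profile["fingerprints"].add((user, fingerprint(sql)))
        profile["hours"].add(dt.hour)
        profile["per_day"][dt.date()] += 1
    return profile


def find_anomalies(profile, records, volume_factor=3.0):
    """Flag new user/program pairs, new SQL on sensitive tables, unusual hours and volume spikes."""
    findings = []
    per_day = Counter()
    for ts, user, program, sql in records:
        dt = parse_ts(ts)
        per_day[dt.date()] += 1
        if (user, program) not in profile["user_program"]:
            findings.append(("new_user_program", user, program))
        fp = fingerprint(sql)
        if (user, fp) not in profile["fingerprints"] and tables_in(sql) & SENSITIVE_TABLES:
            findings.append(("new_sql_on_sensitive_data", user, fp))
        if dt.hour not in profile["hours"]:
            findings.append(("unusual_hour", user, dt.hour))
    baseline_avg = sum(profile["per_day"].values()) / len(profile["per_day"])
    for day, count in per_day.items():
        if count > volume_factor * baseline_avg:
            findings.append(("volume_spike", str(day), count))
    return list(dict.fromkeys(findings))  # de-duplicate, keeping first-seen order


if __name__ == "__main__":
    for line in ddl_report(BASELINE):
        print("DDL:", line)
    for finding in find_anomalies(build_profile(BASELINE), NEW_DAY):
        print("ANOMALY:", finding)
```

Run against its own baseline the analysis reports nothing, which is the property you want from a profile; run against the later day it surfaces the new APP/sqlplus pairing, two new statements against sensitive tables, activity at 02:00, and a daily volume more than three times the baseline average. Each of those maps to one of the threats listed earlier (a compromised application account or local access being used interactively), and the fingerprinting is what lets the profile treat thousands of parameterised application statements as one known shape.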
Buzzing mosquitoes are annoying but it’s the bite that really gets you. Similarly, perimeter intrusions are concerning yet inevitable, but it’s the compromise of the database that leads to catastrophic data breaches.
We cannot afford to remain complacent. We must understand real-world database threats and champion the cause of database security to address them. We must do so with the same vigor and urgency we apply to other areas of cybersecurity if not more. The silent majority – our databases and the threats they face – are the secret to defeating our adversaries. Our data is the treasure they crave and it’s time we gave our databases the protection they deserve.
You can protect your database. The solution is here. Contact us today!