It is usually fairly easy to find and lock down all major databases that store sensitive information like credit card numbers and customer information. This is an important first step since many information leaks – even those that eventually occur via stolen laptops or e-mailing sensitive information – typically originate with queries to critical databases with sensitive information. This approach can effectively limit the amount of sensitive data that is leaking out from sensitive central data stores to various distributed data stores.

1. New patterns of attack

Just as there are new attackers, there are new patterns of attack. External hacking, accidental exposure, lost or stolen backup tapes, and lost or stolen computers are still significant sources of data leakage. But database attacks are often launched with the active participation of authorized insiders who extract critical data by abusing privileges, hacking application servers and SQL injections. Even well-protected databases may offer applications broad access privileges, beyond those granted to any individual. Access through an application may effectively circumvent infrastructure-based defenses. So-called “home-user” attacks inject SQL commands into otherwise innocuous fields, compromising database security from outside corporate networks. Among the most dangerous avenues of attack, this is also one of the oldest: a trusted but untrustworthy employee applying broad access privileges. Many organizations have formal access policies and processes that govern how and when sensitive data is accessed, but lack practical and cost-effective solutions for detecting or blocking activities that fall outside these policies.


Database attacks are often launched through insiders

Database breaches—often attacks by organized criminals working through authorized insiders—target valuable concentrations of business-critical information. Business impacts are immediate and profound, and damage to company and personal reputations can last for years. Database breaches are a growing component of IT Risk. There is growing recognition that the “insider threat”, and specifically the threat posed by users with privileged access, is responsible for a large number of data breaches. According to annual research conducted by CERT, up to 50% of breaches are attributed to internal users. The 2006 FBI/CSI report on the insider threat notes that two thirds of surveyed organizations (both commercial and government) reported losses caused by internal breaches, and some attributed as much as 80% of the damage to internal breaches. It was also reported that 57% of implicated insiders had privileged access to data at the time of breach. It is therefore evident that perimeter and network security measures are not enough to stop such breaches.