Just as there are new attackers, there are new patterns of attack. External hacking, accidental exposure, lost or stolen backup tapes, and lost or stolen computers are still significant sources of data leakage. But database attacks are often launched with the active participation of authorized insiders who extract critical data by abusing privileges, hacking application servers and SQL injections. Even well-protected databases may offer applications broad access privileges, beyond those granted to any individual. Access through an application may effectively circumvent infrastructure-based defenses. So-called “home-user” attacks inject SQL commands into otherwise innocuous fields, compromising database security from outside corporate networks. Among the most dangerous avenues of attack, this is also one of the oldest: a trusted but untrustworthy employee applying broad access privileges. Many organizations have formal access policies and processes that govern how and when sensitive data is accessed, but lack practical and cost-effective solutions for detecting or blocking activities that fall outside these policies.
Database attacks are often launched through insiders
Database breaches—often attacks by organized criminals working through authorized insiders—target valuable concentrations of business-critical information. Business impacts are immediate and profound, and damage to company and personal reputations can last for years. Database breaches are a growing component of IT Risk. There is growing recognition that the “insider threat”, and specifically the threat posed by users with privileged access, is responsible for a large number of data breaches. According to annual research conducted by CERT, up to 50% of breaches are attributed to internal users. The 2006 FBI/CSI report on the insider threat notes that two thirds of surveyed organizations (both commercial and government) reported losses caused by internal breaches, and some attributed as much as 80% of the damage to internal breaches. It was also reported that 57% of implicated insiders had privileged access to data at the time of breach. It is therefore evident that perimeter and network security measures are not enough to stop such breaches.
Driven by the consolidation of valuable information and the professionalization of computer crime, database attacks are often launched through insiders with full authorization to access the information they steal. Both the Computer Security Institute and the FBI survey document the rising incidence of such attacks. Infrastructure security solutions such as perimeter-based defenses, access controls, and intrusion detection can do little against authorized insiders. And the fact remains that no screening and authorization process can be perfect.
Unauthorized behaviors by authorized and unauthorized users
Database attacks represent unauthorized behaviors, by both authorized and unauthorized users. As we have seen, authorized insiders constitute a major threat against information safety and integrity. Barring a perfect screening process, no permission-based, asset-centric security system can close this fundamental vulnerability.
The problem grows worse
Business enterprises and security companies are in the early stages of their response to the resurgence of threats to their information assets. Yet as they struggle toward solutions, the problem grows worse. More information is made available to customers, partners, and suppliers through Web portals, often linked to critical databases. Companies integrate customer-facing applications such as customer relationship management, service provisioning, and billing more tightly, spreading critical information more widely within and across organizations. In addition more businesses outsource and offshore critical business processes to new “insiders” who may not meet their own organizations’ internal screening processes. Increasingly automated management of intellectual property, for example in pharmaceutical companies and genetic research, may put corporate assets of significant value in highly-accessible databases Virtually any organization, public or private, is at risk of public embarrassment, financial loss, and government investigation when critical information is stolen or compromised.