Database Activity Monitoring

 

Databases are Valuable but they are Vulnerable.

 

High-risk vulnerabilities are found and patches are released, yet exploit scripts are posted to the web within hours of every patch release.

 

Typically it takes organizations nine months to deploy a database patch.

 

Misconfigured databases are another easy target.

 

Default and weak passwords are still there. Not only do DBMSs have their own default accounts, but applications install them too, because developers use these passwords to make the process easier. Weak passwords can be cracked.

 

Database login activity is seldom monitored.

 

Database attacks typically bypass encryption as well as traditional intrusion prevention systems. Why?

 

  • With network (Data-in-Transit) encryption, only the network links are protected against attackers stealing data via network monitoring. You have no protection from application access (SQLi), DBA access or media/backup theft.
  • With File/Disk (Data-at-Rest) encryption, only the files stored on disk are encrypted, which stops attackers from stealing data by taking physical media and some backups. You have no protection from application access (SQLi), DBA access or network monitoring.
  • With Column/Full DB (Data-in-Use) encryption, data is stored encrypted inside the database, which protects it from unauthorized DBA/direct access and extends security to backups and physical media. You have no protection from application access (SQLi) or network monitoring. Protection from DBA access applies only when the DBAs do not administer the crypto system (but they usually do).

 

Dynamic Data Masking is an evolving technology that will add another layer of defense, but you will still have authorized and unauthorized users with different privileges. Today, advanced threats search for exploitable scenarios outside and inside your network.

 

Database Activity Monitoring will help you discover your databases, locate sensitive data, scan and fix vulnerabilities, scan and fix user privileges, audit access, and actively respond to abuses via policy-enabled procedures.
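
As an added illustration (not code from this page or from any monitoring product), the sketch below shows what policy-based auditing of database activity can look like for three of the gaps named above: default-account logins, unmonitored failed logins, and DBA reads of sensitive columns. The event format, account names, table name, thresholds and rule names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (not from the page):
# (timestamp, db_user, source_ip, action, object, success)
EVENTS = [
    ("2024-05-01T02:10:00", "app_rw", "10.0.0.5", "LOGIN", "", True),
    ("2024-05-01T02:11:00", "app_rw", "10.0.0.5", "SELECT", "customers.card_number", True),
    ("2024-05-01T03:00:10", "hr_app", "10.0.0.77", "LOGIN", "", False),
    ("2024-05-01T03:00:40", "hr_app", "10.0.0.77", "LOGIN", "", False),
    ("2024-05-01T03:01:05", "hr_app", "10.0.0.77", "LOGIN", "", False),
    ("2024-05-01T03:02:00", "scott", "10.0.0.77", "LOGIN", "", True),
    ("2024-05-01T04:30:00", "dba_alice", "10.0.0.9", "SELECT", "customers.card_number", True),
    ("2024-05-01T09:00:00", "hr_app", "10.0.0.77", "LOGIN", "", False),
]

# Hypothetical policy inputs; a real deployment fills these from discovery scans.
DEFAULT_ACCOUNTS = {"sa", "scott", "root"}
DBA_USERS = {"dba_alice"}
SENSITIVE_OBJECTS = {"customers.card_number"}
FAILED_LIMIT = 3
WINDOW = timedelta(minutes=5)


def evaluate(events):
    """Return (timestamp, rule, subject) alerts for time-ordered audit events."""
    alerts = []
    failures = defaultdict(list)  # source_ip -> recent failed-login times
    for ts, user, src, action, obj, ok in events:
        now = datetime.fromisoformat(ts)
        if action == "LOGIN" and not ok:
            # Sliding window: keep only failures from the last WINDOW.
            failures[src] = [t for t in failures[src] if now - t <= WINDOW] + [now]
            if len(failures[src]) == FAILED_LIMIT:  # alert when the count reaches the limit
                alerts.append((ts, "failed-login-burst", src))
        elif action == "LOGIN" and user in DEFAULT_ACCOUNTS:
            alerts.append((ts, "default-account-login", user))
        elif action == "SELECT" and obj in SENSITIVE_OBJECTS and user in DBA_USERS:
            # Encryption the DBA administers does not stop this read; auditing sees it.
            alerts.append((ts, "dba-read-sensitive", user))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(*alert)
```

The application account reading the same column raises no alert here, which is why this kind of auditing complements, rather than replaces, controls against application-level access.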