The Achilles Heel of Cybersecurity: Lessons from a Recent Data Breach

August 8, 2024 | 11 minute read
Vipin Samar
Senior Vice President, Database Security
Russ Lowenthal
Vice President, Database Security

It’s hard to escape the myth of Achilles when reading the news these days. In the myth, Achilles' mother, Thetis, dipped him in the river Styx to make him invincible. However, she held him by his heel, leaving that one spot vulnerable. This small mistake led to his downfall when an adversary shot an arrow into that unprotected area.
This ancient tale serves as a powerful allegory for today’s cybersecurity landscape. Just as Achilles had a single weak point that sealed his fate, organizations today have vulnerabilities that bad actors can discover and exploit. A seemingly minor flaw can lead to the “downfall” of your sensitive data.

Unfortunately, in real life, there can be not one but many such Achilles heels. Attacks can originate from external hackers, outsiders masquerading as trustworthy employees, or even malicious insiders. Often, well-meaning people make mistakes and accidentally misconfigure their systems, opening them up to attack. That’s why organizations need robust and comprehensive security that is both simple to use and automated, enabling them to protect their data easily and quickly.

Even with the best detective and preventive defenses in place, organizations must be prepared for the possibility of a breach or ransomware attack. The key is to minimize the loss of critical data even if the attack succeeds. Additionally, rapid recovery from breaches or ransomware attacks is essential to minimize disruption to the business.

Case Study: The Cloud Database Breach

Take a recent case of a cloud database provider. It’s always difficult to know the details of a breach without direct involvement, but reports suggest that the breach started with customer accounts lacking multi-factor authentication. The attackers exploited stolen usernames and passwords to access and extract vast amounts of sensitive data. Recent reports indicate that over half of adult Americans have been impacted by this breach.

Though the attackers exploited the lack of multi-factor authentication (because it was optional), there were limited controls in place from the cloud vendor to help the customers minimize potential losses in the event of a breach:

  • Private-by-default network connectivity: Databases that default to "open access" are essentially opening themselves up to attacks from the entire internet. While restricting network access alone doesn't guarantee security, it is an essential element of protecting a database. Restricting access to just legitimate subscriber network connections might have stopped the attack before it ever began.
  • Data Anonymization: Without tools to mask the original Personally Identifiable Information (PII), customers assume significant risk if they hand over such databases for analytics. Masking or anonymizing data could have made the stolen information worthless to hackers.
  • Data Minimization: When data is copied to a data warehouse, customers often load all their data, risking years' worth of data when data for just a year would have been sufficient. They need tools to limit the data in their warehouse to only what is essential for analysis. Lack of those tools meant that the size of the breach was larger than it needed to be.

Implementing these practices before they copied data into their warehouse could have helped mitigate risks and protected them from devastating losses. In addition, many other basic security controls were also missing:

  • Absence of IP Allow-listing by Default: Without any restriction to specific authorized IP addresses by default, anyone coming from the public internet with the right credentials could access the database. The use of private links was not available in all editions.
  • Unrestricted SQL Execution: The lack of controls over SQL statements allowed attackers or those with compromised user credentials to extract sensitive data easily.
  • No Password Expiry on earlier versions: According to the reports, some of the credentials purchased through an underground market were stolen long ago. Without password expiry policies on older accounts, the stolen passwords remained usable for extended periods.
  • Inadequate User Activity Tracking: Monitoring user activity on this cloud vendor required complex SQL queries and a great deal of time, which discouraged effective oversight and led to missed anomalies.
  • Limited Security Features: Basic security features, such as auditing or sensitive data classification, were not available across all database editions, creating a significant barrier to effective security management.

The Modern-Day Approach

To cope with today’s threat environment, organizations are adopting a zero-trust mindset. They approach each interaction between humans and systems or between systems as if they were potentially compromised and then apply corresponding security controls to minimize risk.

Oracle has decades of experience protecting much of the world’s most sensitive data at many of the world’s most important banks, telecoms, health providers, governments, and retailers. As one of the four largest cloud hyperscalers, Oracle is probably best known for our flagship Oracle Database. Let’s “zero” in on Oracle’s cloud database offerings and discuss how we build security from the ground up, along with high-value advanced security tools and capabilities to enable zero-trust principles.

Securing Oracle Database with Zero Trust

Databases are prime targets for attackers because they are concentrated repositories of highly valuable data designed to be easily searched, analyzed, and monetized. To protect these critical assets, adopting a Zero-Trust approach is essential—this means treating every interaction with a database as potentially hostile.

At a fundamental level, the basic security measures include security patching, strong authentication including multi-factor, encryption for data both at rest and in transit, and activity monitoring. These security mechanisms should be integral to the database service and must always be included.

These measures check important boxes, but they are not sufficient to thwart modern attacks, which target databases, users, backups, and applications through many different paths. Attackers usually try the easiest path first, followed by progressively more complex attacks. We need to close as many avenues as possible.

Oracle includes the following critical security capabilities at no additional cost in cloud databases:

  • Comprehensive Database Security Assessment: Modern-day databases have hundreds of security-related parameters, and hackers can easily run scripts to find the Achilles heels and exploit them. Oracle includes tools to periodically assess databases to help ensure they address configuration requirements from GDPR, STIG, and CIS. We raise alerts if your configuration deviates from your established standards due to unapproved or accidental changes or changes triggered by application patches. 
  • User and Access Management: Oracle can analyze administrator and user entitlements across your entire fleet of Oracle databases, reviewing who has access to what, and how they have drifted over time. Organizations are often surprised by the number of users with access to sensitive data and how many of them are not even following password hygiene or password rotation policies, making them much easier to attack.  Customers of other cloud database services are forced to analyze users’ access manually, greatly increasing their cost or, worse, skipping this step entirely.
  • User Privilege Analysis: Many DBAs grant their users far more power and privileges than necessary to fulfill their responsibilities. Organizations can use the Privilege Analysis feature of Oracle Database to analyze the gap between the granted privileges and the actually used privileges.  This makes it easy to implement a least privilege model by revoking unnecessary privilege grants to shrink the blast radius of compromised accounts.
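The granted-versus-used gap analysis described in the last item, as an added example that is not code from the post: a context-scoped privilege capture with the DBMS_PRIVILEGE_CAPTURE package, run for one application account. The user name APP_USER and the capture name are assumptions.

```sql
-- Assumed names: application account APP_USER, capture APP_USER_PRIVS.
-- Run as a user granted the CAPTURE_ADMIN role.
BEGIN
  -- Record only the privileges exercised by APP_USER sessions,
  -- not by every session in the database.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name      => 'APP_USER_PRIVS',
    type      => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APP_USER''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('APP_USER_PRIVS');
END;
/
-- Let the application run through a complete business cycle (month-end,
-- batch jobs, housekeeping) so that rarely used but legitimate privileges
-- are observed, then stop and evaluate the capture.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('APP_USER_PRIVS');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('APP_USER_PRIVS');
END;
/
-- Privileges APP_USER actually exercised: the least-privilege baseline.
SELECT sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'APP_USER_PRIVS' AND username = 'APP_USER';

-- Privileges granted to APP_USER but never exercised during the capture:
-- candidates for REVOKE, which shrinks the blast radius if the account's
-- credentials are stolen.
SELECT sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'APP_USER_PRIVS' AND username = 'APP_USER';
```

Revoke the unused grants in a test environment first and re-run the capture; a privilege that shows up as unused only because the capture window missed a periodic job will reappear in the used list.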

Beyond basic configuration and user management, securing your database requires a full understanding of your data's sensitivity, and strategies to minimize losses in the event of a breach. To address these concerns, Oracle cloud databases include the following differentiated features—at no additional cost:

  • Sensitive Data Model: Today’s organizations are inundated with data, and many do not know where their sensitive data is located. Oracle can maintain a comprehensive catalog of many sensitive data types, detailing what you have, where it is stored, and its quantity. This inventory of sensitive data enables you to comprehensively secure data by implementing controls needed to minimize risk.
  • Data Anonymization and Masking: Organizations routinely make copies of databases for AI, analytics, machine learning, testing, and development. As the number of data copies increases, bad actors find it easy to find such copies and then target them as they are often not protected as rigorously as the source databases. You can minimize your risk of exposure by anonymizing or masking your data without having to change your applications. We support over a hundred well-known PII data types and associated masking formats to anonymize sensitive data.

Before organizations make copies of data, they can use Oracle Data Masking and Subsetting (which is included with Autonomous Database at no extra cost) to subset their data based on parameters such as time, location, type, and size, helping minimize collateral damage in case of a successful attack.

Unfortunately, cyber breaches often look like normal, authorized user activities. To address this, we offer advanced security features at no extra cost:

  • Centralized Activity Monitoring: Oracle can centrally collect user and administrator activity data so that you can view detailed reports and receive alerts based on your requirements. For example, if a privileged user had attempted to access sensitive data, as happened in the recent data breach, or if a previously inactive user account suddenly began connecting to the database, you would receive immediate notifications.
  • Blocking Unauthorized SQL and SQL Injection: Oracle Database 23ai includes an embedded SQL firewall that implements an allow-list of SQL statements from specific IP addresses, blocking unauthorized SQL and SQL injection attacks. If an attack occurs, the SQL firewall can detect, block, and raise alerts for investigation. The in-database SQL firewall cannot be bypassed and does not add expensive network hops to database communication.
  • Connection Restrictions: Oracle can limit connections from unknown IP addresses or unknown programs to increase data protection.
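The allow-list of SQL statements and source IP addresses described above, as an added example that is not code from the post: building and enforcing it with the DBMS_SQL_FIREWALL package in Oracle Database 23ai. The account APP_USER and the application server address 10.0.5.21 are assumptions.

```sql
-- Assumed names: application account APP_USER, application tier at 10.0.5.21.
-- Run as a user granted the SQL_FIREWALL_ADMIN role (Oracle Database 23ai).
BEGIN
  DBMS_SQL_FIREWALL.ENABLE;
  -- 1. Record the application's normal SQL and connection paths during a
  --    known-good period. top_level_only ignores SQL issued inside PL/SQL units.
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP_USER',
    top_level_only => TRUE,
    start_capture  => TRUE);
END;
/
-- Run the application's full workload, then:
BEGIN
  DBMS_SQL_FIREWALL.STOP_CAPTURE('APP_USER');
  -- 2. Turn the capture log into an allow-list of SQL and session contexts.
  DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP_USER');
  -- 3. Pin the account to the application tier's address, so a valid password
  --    replayed from an unknown host is blocked even if the SQL itself is allowed.
  DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT(
    username     => 'APP_USER',
    context_type => DBMS_SQL_FIREWALL.IP_ADDRESS,
    value        => '10.0.5.21');
  -- 4. Enforce both the SQL and the context rules, and block (not just log)
  --    anything outside the allow-list, e.g. an ad hoc bulk SELECT of PII.
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => TRUE);
END;
/
-- Review what the application is allowed to run ...
SELECT sql_text FROM dba_sql_firewall_allowed_sql WHERE username = 'APP_USER';
-- ... and what has been blocked since enforcement began (feed to your SIEM).
SELECT * FROM dba_sql_firewall_violations WHERE username = 'APP_USER';
```

Start with block => FALSE for a burn-in period and review the violations view before switching to blocking, so that a legitimate statement missed during capture does not break the application.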

As attackers (especially ransomware) now routinely target backups, our approach extends beyond static and runtime protection:

  • Backup and Recovery: Oracle can continuously encrypt and back up your data in immutable storage to safeguard it from ransomware attacks.  Oracle continually validates the integrity and recoverability of the data, scales to protect thousands of databases, and protects backups across the full lifecycle, including disk backup, cloud archiving, remote replication, and tape archiving.  In addition to zero data loss and air-gapped backups, we facilitate rapid recovery to a specific point in time with the Zero Data Loss Autonomous Recovery Service (ZRCV)—even down to recovering an individual transaction or System Change Number (SCN)—further helping to minimize costs and enhancing resilience. With this service, organizations can help mitigate the impact of ransomware, outages, and human errors by restoring databases to the point-in-time just before that unfortunate event.

Zero-trust dictates that we trust no one, including our own people and our cloud administrators.  To help customers protect their data from unauthorized administrative access or tampering, Oracle provides:

  • Restricted Data Access: Many organizations face the key challenge of stopping malicious insiders or hackers masquerading as insiders from stealing or changing their data. Oracle’s unique Database Vault helps you prevent even your privileged users, such as DBAs, from accessing sensitive user data while allowing them to do their regular database management activities.
  • Immutable and Blockchain Tables:  Immutable read-only tables in Oracle databases help you prevent unauthorized data tampering and modifications by insiders and accidental data modifications resulting from human errors. Blockchain tables add cryptographic hashes over rows of data to help detect manipulations.
  • Operator Access Control: To ensure full control and accountability when Oracle cloud administrators access customer resources, customers must first grant the access, specifying when it may occur, which actions are permitted, and for how long. They also receive a near real-time report of all actions performed.

As applications begin to use AI-generated SQL, new security vulnerabilities will emerge unless users' privileges on data are enforced directly by the database. Along with privilege analysis to implement the least-privilege model, Oracle provides multiple technologies for fine-grained row- and column-level access control:

  • Embedded Access Control Policy: When multiple end-users or applications access the same tables, it is critical to enforce row/column access at the table level. Oracle was the first to provide such a Virtual Private Database feature through which customers could specify their own policy.
  • Data Classification and User Labels: Oracle Label Security helps customers automatically enforce user access to specific rows based on the data classification and user labels.
  • Advanced Application Security: In most modern applications, security needs to be applied consistently across complex data relationships, including master-detail, organizational hierarchy, parameter-driven, and star-schema organized data. In addition, access control decisions need to be driven by the environment and the application's run-time context. Instead of building and maintaining such complex authorization policies manually, Oracle provides unique Real Application Security that helps customers implement complex authorization models at the database tier. This need is going to be felt strongly for new AI-generated SQL workloads and AI agents, where prompt injection and excessive agency over sensitive data in the database pose significant risks.
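A customer-specified row-level policy of the kind the first item describes, as an added example that is not code from the post: a Virtual Private Database policy, attached with DBMS_RLS, that confines every query on an employee table to the caller's own department regardless of the SQL text the application (or an AI assistant) generates. The table HR.EMPLOYEES, the context APP_CTX, the users HR_ADMIN and APP_USER are assumptions.

```sql
-- Assumed objects: HR.EMPLOYEES(employee_id, department_id, salary, ...),
-- an admin account HR_ADMIN and an application account APP_USER.
-- Run as a user with EXECUTE on DBMS_RLS and CREATE ANY CONTEXT.

-- Trusted package: the only code path allowed to set the session's department.
CREATE OR REPLACE PACKAGE hr.app_ctx_pkg AS
  PROCEDURE set_dept(p_dept IN NUMBER);
END;
/
CREATE OR REPLACE PACKAGE BODY hr.app_ctx_pkg AS
  PROCEDURE set_dept(p_dept IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'DEPT', TO_CHAR(p_dept));
  END;
END;
/
-- Binding the context to the package means a session cannot forge its DEPT value.
CREATE OR REPLACE CONTEXT app_ctx USING hr.app_ctx_pkg;

-- Policy function: returns the predicate the database appends to every
-- statement on the protected table. A NULL predicate means no restriction.
CREATE OR REPLACE FUNCTION hr.dept_only(p_schema IN VARCHAR2, p_table IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_ADMIN' THEN
    RETURN NULL;
  END IF;
  -- No department in the session context => predicate matches nothing.
  -- Fail closed rather than open.
  RETURN 'department_id = TO_NUMBER(NVL(SYS_CONTEXT(''APP_CTX'',''DEPT''), ''-1''))';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DEPT_ONLY',
    function_schema => 'HR',
    policy_function => 'DEPT_ONLY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- an INSERT/UPDATE cannot create a row outside the caller's department
END;
/
-- As APP_USER, after the application calls hr.app_ctx_pkg.set_dept(30):
--   SELECT * FROM hr.employees;
-- is rewritten by the database to
--   SELECT * FROM hr.employees WHERE department_id = 30;
-- so a generated or injected "SELECT salary FROM hr.employees" still only
-- returns department 30, and with no context set it returns no rows at all.
```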

Zero Trust with Low Touch

The lesson is clear: even a single “hole” in your defense—a vulnerability akin to Achilles' heel—can lead to significant disruption and damage. Adopting a zero-trust approach is essential to effectively securing your infrastructure and data.  Equally important is to implement zero trust with low touch through automation and default policies. It's important to have tools that secure not only one database but your entire fleet. Oracle aims to provide unique full fleet security assurance for all your Oracle databases, whether on any cloud or on-premises.

To protect your data from organized criminals and nation-states armed with advanced tools, you need comprehensive and automated security tools for configuration assessment, administrator controls, user assessment, data anonymization, data minimization, data masking, tamper protection, SQL firewall, data encryption, cyber-secure backups, and rapid recovery.

Getting to specifics, Oracle Database supports all major data types, workloads, and development styles in a single database platform.  We call this a Converged Database.  Converged data type and workload support minimize the number of databases needed to implement an application.  Minimizing databases reduces risky data copies and avoids introducing disparate databases, each with different security models, functionality, limitations, and vulnerabilities. For example, if you need to move data from a transactional database to an analytical database to run queries on your latest data, that’s an unnecessary trip that only increases surface area exposures. This is further amplified when adding separate, isolated databases for graph, spatial, blockchain, time series, documents, and more. Let’s be realistic – every new data platform you adopt comes with a requirement for trained administrators, security controls and baselines, and activity monitoring. Using a converged platform for all of the different modes and workloads reduces your overall burden, lowers your total cost to operate, and lets you more effectively reduce the risk of data theft or destruction.

Oracle Autonomous Database comprehensively enforces strong security and access controls while automating most security functions, including data and network encryption, hardened security configuration, network access control, privilege user control, comprehensive logging and auditing, and cloud operator control.

Oracle Data Safe empowers organizations to implement and monitor security controls, evaluate data risks, mask sensitive data, assess user security, monitor user activity, and manage Oracle Database 23ai SQL Firewall—all in a single, unified console. These advanced security technologies and automation capabilities help to manage the day-to-day security and compliance requirements of Oracle Databases, both on-premises and in the cloud.

And, as highlighted earlier, Oracle Zero Data Loss Autonomous Recovery Service, with its unique, automated capabilities, protects Oracle Database changes in real time, validates backups without production database overhead, and enables fast, predictable recovery to any point in time.

Unlike providers that leave gaps and require you to piece together disparate security technologies, Oracle offers a defense-in-depth strategy with a suite of best-in-class, integrated security components that aim to support you in seamlessly protecting your data everywhere.

Security starts with an understanding of your current state and risks 

The first step in any security program is to know where you are starting from: what sensitive data you need to protect, who your users are, what privileges they have, and how they are accessing your data. Oracle includes the tools you need to assess all of these and more.

If your Oracle Databases are running as a database service in the Oracle Cloud Infrastructure, Oracle Cloud@Customer, Oracle DB@Azure, or Oracle DB@GCP you should register those databases with Oracle Data Safe (it’s free – already included in your database cloud subscription). If your Oracle Databases are not running as an Oracle Database cloud service, you can choose to subscribe to Oracle Data Safe, or download the Oracle Database Security Assessment Tool (DBSAT) from My Oracle Support (DBSAT is included for ALL Oracle Databases).

Vipin Samar

Senior Vice President, Database Security

Vipin Samar is the Senior Vice President of Development for Database Security at Oracle. 

Russ Lowenthal

Vice President, Database Security

Russ Lowenthal is the Vice President for Database Security, focused on database encryption, access control, audit, and monitoring.

Russ is based in Greenville, North Carolina, USA and has been with Oracle for over twenty-five years. Leveraging over thirty-five years of experience in IT including database, UNIX systems and network administration, he now advises Oracle's customers on secure implementations of information systems technology.

Russ' certifications include Certified Information System Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), Oracle Certified Master (OCM),  Microsoft Certified Systems Engineer (MCSE) and Certified Technical Trainer (CTT). 
