The Achilles Heel of Cybersecurity: Lessons from a Recent Data Breach

Roxanne Bradley
Published in Oracle Developers
10 min read · 1 day ago

Written by:
Vipin Samar; Senior Vice President, Database Security, Oracle
Russ Lowenthal; Product Manager, Database Security, Oracle

It’s hard to escape the myth of Achilles when reading the news these days. In the myth, Achilles’ mother, Thetis, dipped him in the river Styx to make him invincible. However, she held him by his heel, leaving that one spot vulnerable. This small mistake led to his downfall when an adversary shot an arrow into that unprotected area.

This ancient tale serves as a powerful allegory for today’s cybersecurity landscape. Just as Achilles had a single weak point that sealed his fate, organizations today have vulnerabilities that bad actors can discover and exploit. A seemingly minor flaw can lead to the “downfall” of your sensitive data.

Unfortunately, in real life, there can be not one but many such Achilles heels. Also, attacks can originate from external hackers, outsiders masquerading as trustworthy employees, or even malicious insiders. Hence, organizations need robust and comprehensive security that is both simple to use and automated, enabling them to protect their data easily and quickly.

Moreover, even with the best defenses in place, organizations must be prepared for the possibility of a breach or ransomware attack. The key is to minimize the loss of critical data even if the attack succeeds. Additionally, rapid recovery from breaches or ransomware attacks is essential to minimize disruption to the business.

Case Study: The Cloud Database Breach

Take a recent case of a cloud database provider. It’s always difficult to know the details of a breach without direct involvement, but reports suggest that the breach started with customer accounts lacking multi-factor authentication. The attackers exploited stolen usernames and passwords to access and extract vast amounts of sensitive data. Recent reports indicate that over half of adult Americans have been impacted by this breach.

The attackers got in through the missing multi-factor authentication, but the cloud vendor also gave its customers very few controls to limit their losses once an account had been compromised:

  • Data Discovery: Without tools to discover data, customers cannot assess how much sensitive data they have and where. Without visibility to data, they cannot take adequate measures to minimize risks.
  • Data Anonymization: Without tools to mask the original Personally Identifiable Information (PII), they cannot hand over databases for analytics without taking huge risks. Masking or anonymizing data could have made the stolen information worthless to hackers.
  • Data Minimization: When data is copied to a data warehouse, customers often load all their data, risking years’ worth of data when data for just a year would have been sufficient. They need tools to limit the data in their warehouse to only what is essential for analysis.

Implementing these practices before they copied data into their warehouse could have helped mitigate risks and protect them from devastating losses. In addition, many other basic security controls were also lacking:

  • Absence of IP Allow-listing by Default: Without a default restriction to authorized IP addresses, anyone on the public internet holding valid credentials could reach the database. Private connectivity (private links) was not available on all editions.
  • Unrestricted SQL Execution: With no control over which SQL statements a session may run, attackers holding compromised user credentials could extract sensitive data with ordinary queries.
  • No Password Expiry: According to the reports, some of the credentials bought on the underground market had been stolen long before the attack. Without password expiry policies, such passwords live indefinitely and remain usable years later.
  • Inadequate User Activity Tracking: Monitoring user activity on this vendor required complex SQL queries and long turnaround times, which discouraged effective oversight and let anomalies go unnoticed.
  • Limited Security Features: Basic security features, such as auditing, were not available across all database editions, creating a significant barrier to effective security management.
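The password-expiry gap above is the one most easily closed with a single database object. The following is an added example written for this page, not code from the article or from Oracle's documentation: it creates an Oracle password profile that retires and locks credentials, attaches it to an account, and then runs the two checks a reviewer would use to find accounts still exempt from rotation. The profile and user names (app_users, analyst_joe) are hypothetical; the verify function is the one created by Oracle's shipped script ?/rdbms/admin/utlpwdmg.sql.

```sql
-- Added example: password expiry, lockout and reuse controls via an Oracle profile.
-- Names (app_users, analyst_joe) are hypothetical; run as a user with ALTER USER
-- and CREATE PROFILE privileges and SELECT on the DBA_* views.

-- 1. A profile that retires passwords and locks abused or abandoned accounts.
CREATE PROFILE app_users LIMIT
  PASSWORD_LIFE_TIME       90      -- days before the password expires
  PASSWORD_GRACE_TIME      7       -- days of warnings after expiry before lockout
  PASSWORD_REUSE_TIME      365     -- days before an old password may be reused ...
  PASSWORD_REUSE_MAX       10      -- ... and only after 10 intervening changes
  FAILED_LOGIN_ATTEMPTS    5       -- lock after 5 bad passwords ...
  PASSWORD_LOCK_TIME       1       -- ... for one day
  INACTIVE_ACCOUNT_TIME    45      -- lock accounts not used for 45 days (12.2+)
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;  -- created by utlpwdmg.sql

-- 2. Attach it to a human account (service accounts get their own profile).
ALTER USER analyst_joe PROFILE app_users;

-- 3. Force rotation now for credentials that may already be for sale.
ALTER USER analyst_joe PASSWORD EXPIRE;

-- 4. Check: which profiles still let a password live forever?
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_LIFE_TIME'
   AND limit IN ('UNLIMITED', 'DEFAULT');   -- DEFAULT inherits from the DEFAULT profile

-- 5. Check: open, non-Oracle accounts whose password never expires,
--    oldest last login first (never-logged-in accounts sort to the top).
SELECT username, profile, account_status, expiry_date, last_login
  FROM dba_users
 WHERE oracle_maintained = 'N'
   AND account_status = 'OPEN'
   AND expiry_date IS NULL
 ORDER BY last_login NULLS FIRST;
```

Step 4 is the check worth automating: a profile whose limit reads DEFAULT is only as strict as the DEFAULT profile, which ships with PASSWORD_LIFE_TIME of 180 days in recent releases but is often reset to UNLIMITED by administrators tired of expiry tickets.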

The Modern-Day Approach

To cope with today’s threat environment, organizations are adopting a zero-trust mindset. They approach each interaction between humans and systems or between systems as if they were potentially compromised and then apply corresponding security controls to minimize risk.

Oracle has decades of experience protecting much of the world’s most sensitive data at many of the world’s most important banks, telecoms, health providers, governments, and retailers. As one of the four largest cloud hyperscalers, Oracle is probably best known for its flagship Oracle Database. Let’s “zero” in on Oracle’s cloud database offerings and discuss how we build security from the ground up, enforcing and enabling zero-trust principles.

Securing Oracle Database with Zero Trust

Databases are prime targets for attackers due to their concentrated repositories of highly valuable data, designed to be easily searched, analyzed, and monetized. To protect these critical assets, adopting a Zero Trust approach is essential — this means treating every interaction with a database as potentially hostile.

At a fundamental level, the basic security measures include security patching, strong multi-factor authentication, encryption for data both at rest and in transit, and monitoring. These security mechanisms should be integral to the database service and must always be included.

These measures check off important boxes, but they are not sufficient to thwart modern-day attacks. Oracle also includes the following critical security capabilities at no additional cost in cloud databases:

  • Comprehensive Database Security Assessment: Modern-day databases have hundreds of security-related parameters, and hackers can easily run scripts to find the Achilles heels and exploit them. Oracle can periodically assess the databases to help ensure they address compliance requirements from GDPR, STIG, and CIS. We also raise alerts if your configuration deviates from your established standards due to unapproved changes or application patches.
  • User and Access Management: Oracle can analyze administrator and user entitlements across your entire fleet of Oracle databases, reviewing who has access to what, and how they have drifted over time. Organizations are often surprised by the number of users with access to sensitive data and how many of them are not even following password hygiene or password rotation policies, making them much easier to attack. Customers of other cloud database services are forced to analyze users’ access manually, greatly increasing their cost, or worse, skipping this step entirely.
  • User Privilege Analysis: Many DBAs grant their users far more power and privileges than necessary to fulfill their responsibilities. Oracle databases include a unique Oracle-only Privilege Analysis feature that analyzes the gap between the granted privileges and the used privileges, helping customers easily implement the least privilege model, and contain the risk in case these users get compromised.
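The privilege-analysis step described above is exposed in Oracle Database through the DBMS_PRIVILEGE_CAPTURE package. The block below is an added example for this page, not code from the article: it captures every privilege exercised through a role during a workload run, then reports the granted-but-unused privileges that are candidates for revocation. The role name APP_ROLE and the capture name app_role_usage are hypothetical; the session needs the CAPTURE_ADMIN role.

```sql
-- Added example: Oracle Privilege Analysis with DBMS_PRIVILEGE_CAPTURE.
-- Names (APP_ROLE, app_role_usage) are hypothetical. Requires CAPTURE_ADMIN.

-- 1. Define and start a capture of every privilege used through APP_ROLE.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name  => 'app_role_usage',
    type  => DBMS_PRIVILEGE_CAPTURE.G_ROLE,      -- scope: privileges reached via a role
    roles => ROLE_NAME_LIST('APP_ROLE'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('app_role_usage');
END;
/

-- 2. Run the application's normal workload for a representative period
--    (a full business cycle, including month-end batch jobs), then stop and
--    materialize the results.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('app_role_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('app_role_usage');
END;
/

-- 3. Privileges the role holds but nothing exercised: the revocation list.
SELECT username, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'app_role_usage'
 ORDER BY username, sys_priv, object_owner, object_name;

-- 4. Privileges that were actually used: the contents of a replacement
--    least-privilege role.
SELECT DISTINCT sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'app_role_usage'
 ORDER BY sys_priv, object_owner, object_name;

-- 5. Revoke what was never used, one grant at a time after review, e.g.:
-- REVOKE SELECT ANY TABLE FROM app_role;

-- 6. Remove the capture once the results have been acted on.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE('app_role_usage');
END;
/
```

The caveat a practitioner will want: the capture only sees what ran, so a workload window that misses quarter-end or year-end jobs will wrongly flag the privileges those jobs need. Revoke in stages and keep the capture results until the next such cycle has passed.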

Beyond basic configuration and user management, securing your database requires a full understanding of your data’s sensitivity, and strategies to minimize losses in the event of a breach. To address these concerns, Oracle cloud databases include the following differentiated features — at no additional cost:

  • Sensitive Data Catalog: Today’s organizations are inundated with data, and many do not know where their sensitive data is located. Oracle can maintain a comprehensive catalog of many sensitive data types, detailing what you have, where it is stored, and its quantity. This inventory of sensitive data enables you to comprehensively secure data by implementing controls needed to minimize risk.
  • Data Anonymization and Masking: Employees routinely make copies of databases for AI, analytics, machine learning, testing, and development. As the number of copies grows, attackers readily locate them and target them, because copies are rarely protected as rigorously as the source database. You can minimize your exposure by anonymizing or masking your data without having to change your applications. We support over a hundred well-known PII data types and masking formats to anonymize your data.

Before organizations make copies of data, they can use Oracle Data Masking and Subsetting to also subset their data based on parameters such as time, location, type, and size, helping minimize collateral damage in case of a successful attack.

Unfortunately, cyber breaches often look like normal, authorized user activities. To address this, we offer advanced security features at no extra cost:

  • Centralized Activity Monitoring: Oracle can centrally collect user and administrator activity data so that you can view detailed reports and receive alerts based on your requirements. For example, you would have received immediate notifications if a privileged user had attempted to access sensitive data, as happened in the recent data breach.
  • Blocking Unauthorized SQL and SQL Injection: Oracle Database 23ai includes an embedded SQL firewall that enforces an allow-list of SQL statements tied to the session context they are permitted to come from (client IP address, operating-system user, and client program), blocking unauthorized SQL and SQL injection. If an attack occurs, the SQL firewall can detect it, block it, and alert you for investigation. Because it runs inside the database kernel rather than on the network path, it cannot be bypassed by reaching the database over a route that a network appliance does not see, and it adds no extra network hop to database traffic.
  • Connection Restrictions: Oracle can reject connections from unknown machines or from unknown client programs, further limiting who can reach the data.
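The three controls in this list (activity monitoring, SQL allow-listing, and connection restriction) can be set up together in Oracle Database 23ai. What follows is an added example for this page, not code from the article: a unified audit policy records every access to a sensitive table, then a SQL Firewall capture learns the application's legitimate SQL, the resulting allow-list is bound to the application server's IP address and program name, and enforcement is turned on in blocking mode. The schema, user, table, address and program name (HR.EMPLOYEES, APP_USER, 10.0.1.25, app-server) are hypothetical; creating the audit policy needs the AUDIT_ADMIN role and the firewall calls need SQL_FIREWALL_ADMIN.

```sql
-- Added example: unified auditing plus Oracle Database 23ai SQL Firewall.
-- Names (HR.EMPLOYEES, APP_USER, 10.0.1.25, app-server) are hypothetical.
-- Requires AUDIT_ADMIN (audit policy) and SQL_FIREWALL_ADMIN (firewall).

-- 1. Activity monitoring: record every read or change of a sensitive table by anyone.
CREATE AUDIT POLICY hr_sensitive_access
  ACTIONS SELECT ON hr.employees, UPDATE ON hr.employees, DELETE ON hr.employees;
AUDIT POLICY hr_sensitive_access;

-- 2. Capture the SQL the application legitimately runs as APP_USER.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE;
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP_USER',
    top_level_only => TRUE,      -- ignore SQL issued from inside PL/SQL units
    start_capture  => TRUE);
END;
/
-- ... run the application's full test suite or a representative production window ...
BEGIN
  DBMS_SQL_FIREWALL.STOP_CAPTURE('APP_USER');
  DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP_USER');
END;
/

-- 3. Review what was learned before trusting it (look for ad-hoc or debugging SQL).
SELECT sql_text
  FROM dba_sql_firewall_allowed_sql
 WHERE username = 'APP_USER';

-- 4. Connection restriction: bind the allow-list to where the app runs from
--    and what program it runs as.
BEGIN
  DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT(
    username     => 'APP_USER',
    context_type => DBMS_SQL_FIREWALL.IP_ADDRESS,
    value        => '10.0.1.25');
  DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT(
    username     => 'APP_USER',
    context_type => DBMS_SQL_FIREWALL.OS_PROGRAM,
    value        => 'app-server');
END;
/

-- 5. Enforce: anything not on the list, SQL or context, is blocked and logged.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,  -- check both SQL text and session context
    block    => TRUE);                          -- FALSE = log-only mode for a soak period
END;
/

-- 6. What got stopped? A stolen APP_USER password used from a laptop with a
--    hand-written SELECT appears here with its cause (context or SQL).
SELECT occurred_at, ip_address, cause, firewall_action, sql_text
  FROM dba_sql_firewall_violations
 WHERE username = 'APP_USER'
 ORDER BY occurred_at DESC;
```

Run step 5 with block set to FALSE first and watch the violations view for a few days; the allow-list is only as complete as the workload that was captured, and a missed batch job shows up there as a violation before it becomes an outage.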

As attackers are now targeting backups, our approach extends beyond static and runtime protection:

  • Backup and Recovery: Oracle can continuously encrypt and back up your data in immutable storage, safeguarding it from ransomware attacks. Oracle continually validates the integrity and recoverability of the data, scales to protect thousands of databases, and protects backups across the full lifecycle, including disk backup, cloud archiving, remote replication, and tape archiving. In addition to zero data loss and air-gapped backups, we facilitate rapid recovery to a specific point in time with the Zero Data Loss Autonomous Recovery Service (ZRCV) — even down to recovering an individual transaction or System Change Number (SCN) — further minimizing costs and enhancing resilience. With this service, organizations can help mitigate the impact of ransomware, outages, and human errors by restoring databases to the point-in-time just before the attack, outage, or error occurred.

Zero trust dictates that we trust no one, including the customer’s own administrators and Oracle’s cloud administrators. To help customers protect their data from unauthorized administrative access or tampering, we provide:

  • Restricted Data Access: Many organizations face the key challenge of stopping malicious insiders or hackers masquerading as insiders from stealing or changing their data. Oracle’s unique Database Vault can prevent even your privileged users, such as DBAs, from accessing sensitive user data while allowing them to do their regular database management activities.
  • Immutable and Blockchain Tables: Immutable, insert-only tables in Oracle databases prevent tampering with existing rows by insiders, as well as accidental modifications caused by human error. Blockchain tables go further by chaining each row to the previous one with a cryptographic hash, so that any manipulation of stored rows can be detected.
  • Operator Access Control: To keep full control and accountability when Oracle cloud administrators access customer resources, customers first approve each access request, specifying when it may occur, which actions are permitted, and for how long. They also receive a near-real-time report of every action performed.
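The first two items above, keeping privileged database users out of application data and making a record tamper-evident, can be demonstrated in a few statements. The block below is an added example for this page, not code from the article: it creates a mandatory Database Vault realm around a payroll table so that even a DBA holding SELECT ANY TABLE is refused, then creates a blockchain table as an append-only ledger and verifies its hash chain. The schema, table, account and realm names (HR.PAYROLL, APP_USER, HR_LEDGER, "HR Payroll Realm") are hypothetical; the realm commands assume Database Vault is configured and are run by a DV_OWNER account.

```sql
-- Added example: a Database Vault realm plus a blockchain-table ledger.
-- Names (HR.PAYROLL, APP_USER, HR_LEDGER, the realm name) are hypothetical.
-- Realm commands run as a Database Vault owner once DV is enabled.

-- 1. A mandatory realm: the object owner and holders of SELECT ANY TABLE are
--    blocked too, unless explicitly authorized in the realm.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Payroll Realm',
    description   => 'Protects payroll data from privileged database users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,   -- log every blocked attempt
    realm_type    => 1);                                -- 1 = mandatory realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Payroll Realm',
    object_owner => 'HR',
    object_name  => 'PAYROLL',
    object_type  => 'TABLE');
  -- Only the application account may pass through the realm. The DBA can still
  -- back up, patch and tune the database, but not SELECT FROM hr.payroll.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Payroll Realm',
    grantee       => 'APP_USER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
-- As a DBA holding SELECT ANY TABLE:
--   SELECT * FROM hr.payroll;   -- ORA-01031: insufficient privileges

-- 2. An append-only, hash-chained ledger for security-relevant events.
CREATE BLOCKCHAIN TABLE hr_ledger (
  actor      VARCHAR2(128),
  action     VARCHAR2(64),
  details    VARCHAR2(4000),
  logged_at  TIMESTAMP DEFAULT SYSTIMESTAMP
)
NO DROP UNTIL 31 DAYS IDLE               -- table survives until no insert for 31 days
NO DELETE UNTIL 365 DAYS AFTER INSERT    -- each row is retained for a year
HASHING USING "SHA2_512" VERSION "V1";   -- each row's hash covers the previous row's hash

INSERT INTO hr_ledger (actor, action, details)
  VALUES ('APP_USER', 'SALARY_UPDATE', 'employee 1042 salary changed');
COMMIT;

-- Rows cannot be altered or removed early, even by SYS:
--   UPDATE hr_ledger SET details = 'nothing happened';   -- ORA-05715
--   DELETE FROM hr_ledger;                                -- ORA-05715

-- 3. Recompute the chain to detect tampering done below the SQL layer
--    (e.g. edited data files restored from a doctored backup).
DECLARE
  verified NUMBER;
BEGIN
  DBMS_BLOCKCHAIN_TABLE.VERIFY_ROWS(
    schema_name             => USER,
    table_name              => 'HR_LEDGER',
    number_of_rows_verified => verified);
  DBMS_OUTPUT.PUT_LINE('Rows with a valid hash chain: ' || verified);
END;
/
```

The two mechanisms address different adversaries: the realm stops an authorized-looking session from reading the data, while the blockchain table assumes the attacker may already be able to write and makes that writing detectable. Schedule the VERIFY_ROWS call, since a chain nobody checks detects nothing.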

In the new world where applications will run AI-generated SQL, that SQL will open new security holes unless each user’s privileges to data are enforced by the database itself rather than by the application that composed the query. Along with privilege analysis to implement the least-privilege model, Oracle provides several technologies that implement fine-grained row- and column-level access control:

  • Embedded Access Control Policy: When multiple end users or applications access the same tables, it is critical to enforce row and column access at the table level, inside the database, so that no client can bypass the security policy. Oracle was the first to provide such a feature, Virtual Private Database, through which customers specify their own policy within the database.
  • Data Classification and User Labels: Oracle Label Security helps customers automatically enforce user access to specific rows based on the data classification and user labels.
  • Advanced Application Security: Most modern application data elements have complex relationships, including master-detail, organizational hierarchy, parameter-driven, and star-schema. Moreover, access control decisions need to be driven by the environment and the application’s run-time context. Instead of building and maintaining such complex policies manually, Oracle provides unique Real Application Security that implements such relationships at the database tier, enforcing real-world security requirements. This is going to be critical for new AI-generated SQL workloads and applications.
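The Virtual Private Database mechanism is the simplest of the three to show end to end. The block below is an added example for this page, not code from the article: an application context carries the authenticated user's department, a policy function turns that into a predicate, and DBMS_RLS attaches the predicate to every SELECT, INSERT, UPDATE and DELETE on the table, so that hand-written, tool-generated and AI-generated SQL all see the same rows. The schema, table, column, context and account names (SEC, HR.EMPLOYEES, DEPT_ID, APP_CTX, APP_DEPT_ID, HR_ADMIN) are hypothetical; creating the context needs the CREATE ANY CONTEXT privilege and adding the policy needs EXECUTE on DBMS_RLS.

```sql
-- Added example: row-level security with Oracle Virtual Private Database.
-- Names (SEC, HR.EMPLOYEES, DEPT_ID, APP_CTX, APP_DEPT_ID, HR_ADMIN) are hypothetical.

-- 1. A secure application context: only SEC.APP_CTX_PKG may set its values,
--    so a user cannot simply claim a different department.
CREATE OR REPLACE PACKAGE sec.app_ctx_pkg AS
  PROCEDURE set_dept(p_dept_id IN NUMBER);
END;
/
CREATE OR REPLACE PACKAGE BODY sec.app_ctx_pkg AS
  PROCEDURE set_dept(p_dept_id IN NUMBER) IS
  BEGIN
    -- In production the value is derived from the authenticated identity,
    -- never from user input.
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'APP_DEPT_ID', TO_CHAR(p_dept_id));
  END;
END;
/
CREATE CONTEXT app_ctx USING sec.app_ctx_pkg;

-- 2. Policy function: returns the predicate the database appends to every
--    statement. HR administrators see everything; everyone else is fenced
--    to their own department.
CREATE OR REPLACE FUNCTION sec.dept_filter (
  p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2
AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_ADMIN' THEN
    RETURN NULL;                                -- NULL predicate = no restriction
  END IF;
  -- Reference the context inside the predicate rather than concatenating its
  -- value: the predicate text is constant and cannot be injected into.
  RETURN 'dept_id = SYS_CONTEXT(''APP_CTX'', ''APP_DEPT_ID'')';
END;
/

-- 3. Attach the policy. Because the predicate is added inside the database,
--    SQL*Plus sessions, BI tools and AI-generated SQL are all constrained alike.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'emp_dept_rls',
    function_schema => 'SEC',
    policy_function => 'DEPT_FILTER',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- also reject INSERT/UPDATE that create out-of-scope rows
END;
/

-- 4. A session for department 20, whatever SQL it sends:
--    EXEC sec.app_ctx_pkg.set_dept(20);
--    SELECT employee_id, dept_id, salary FROM hr.employees;
--    -> only rows with dept_id = 20, as if "WHERE dept_id = 20" had been written.
--    UPDATE hr.employees SET dept_id = 30 WHERE employee_id = 1042;
--    -> ORA-28115 (policy with check option violation): the row would leave scope.
-- To mask a column instead of hiding rows, add sec_relevant_cols => 'SALARY' and
-- sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS to the ADD_POLICY call: every row is
-- returned but SALARY reads NULL where the predicate is false.
```

The design point to carry over to Label Security and Real Application Security is the same: the policy decision is made from session attributes the database itself established, not from anything the client put in the statement, which is exactly what makes the approach safe in front of SQL nobody reviewed.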

Zero Trust with Low Touch

The lesson is clear: even a single “hole” in your defense — a vulnerability akin to Achilles’ heel — can lead to significant disruption and damage. Adopting a zero-trust approach is essential to effectively securing your infrastructure and data. Equally important is to implement zero trust with low touch through automation and default policies. It’s important to have tools that secure not only one database but your entire fleet. Oracle provides unique full fleet security assurance for all your Oracle databases, whether on any cloud or on-premises.

To protect your data from well-funded and organized criminals and nation-states armed with advanced tools, you need comprehensive and automated security tools for configuration assessment, administrator controls, user assessment, data anonymization, data minimization, data masking, SQL firewall, data encryption, cyber-secure backups, tamper protection, and rapid recovery.

Getting to specifics, Oracle Database supports all major data types, workloads and development styles in a single database platform, which we call a Converged Database. Converged data-type and workload support minimizes the number of databases needed to implement an application. Fewer databases mean fewer risky data copies and no need to introduce disparate databases, each with its own security model, functionality, limitations, and vulnerabilities. For example, if you must move data from a transactional database to an analytical database to run queries on your latest data, that copy is an unnecessary trip that only enlarges your attack surface. The problem compounds when separate, isolated databases are added for graph, spatial, blockchain, time series, documents and more.

Oracle Autonomous Database comprehensively enforces strong security and access controls while automating most security functions, including data and network encryption, hardened security configuration, network access control, privilege user control through Database Vault, comprehensive logging and auditing, and cloud operator control.

Oracle Data Safe empowers organizations to implement and monitor security controls, evaluate data risks, mask sensitive data, assess user security, monitor user activity, and manage Oracle Database 23ai SQL Firewall — all in a single, unified console. These advanced security technologies and automation capabilities help to manage the day-to-day security and compliance requirements of Oracle Databases, both on-premises and in the cloud.

And as highlighted earlier, Oracle Zero Data Loss Autonomous Recovery Service, with its unique, automated capabilities, protects Oracle Database changes in real-time, validates backups without production database overhead, and enables fast, predictable recovery at any point-in-time.

Unlike providers that leave gaps and require you to piece together disparate security technologies, Oracle offers a defense-in-depth strategy with a suite of best-in-class, integrated security components that seamlessly protect your data everywhere.

You can download Oracle’s free database security assessment tool here.
