Data Security: Trust No One

The Big 3: Data Security Disasters That Exposed America

When trust failed, millions paid the price

1. EQUIFAX (2017)
The Identity Theft Catastrophe
148M Americans' SSNs exposed

What they stole:
• Social Security Numbers
• Birth dates, addresses
• Driver's license numbers

The damage:
• Data still sold on dark web
• Victims got ~$125 each
• Identity theft for decades

2. NATIONAL PUBLIC DATA (2024)
The Data Broker Disaster
170M People across US/UK/Canada

What they stole:
• 2.9 billion records total
• SSNs, phone numbers
• Current & past addresses

The damage:
• Company went bankrupt
• No help for victims
• Half of US population hit

3. CHANGE HEALTHCARE (2024)
The Medical Records Nightmare
193M Americans' medical data

What they stole:
• Medical records, SSNs
• Diagnoses, prescriptions
• Insurance information

The damage:
• Paid $22M, data still leaked
• Pharmacies couldn't operate
• Medical fraud risk forever

• 490% increase from 2023→2024
• 3-4x per year your data is exposed
• $4.88M average breach cost (IBM 2024)

Your Database Could Be Next

Unless you implement Zero Trust Security, where nothing and no one is trusted by default

Zero Trust, Always Verify: The 5 Attack Vectors

The Uncomfortable Truth

These 5 things WILL betray you. Plan accordingly.

Don't Trust the Network

Assume: Already compromised

• Man-in-the-middle attacks
• Packet sniffing
• DNS poisoning

Don't Trust Users

Assume: Already phished

• Credential theft
• Social engineering
• Malware on devices

Don't Trust Admins

Assume: Insider threat

• Disgruntled employees
• Compromised accounts
• Privilege abuse

Don't Trust Code

Assume: Injection attempts

• SQL injection
• Supply chain attacks
• Malicious libraries

Don't Trust Backups

Assume: Will be deleted

• Ransomware targets
• Corrupted restores
• Untested procedures


Zero Trust DB Checklist (Starter)

Priority | Time | Zero Trust Action

CRITICAL | 5 min | Secure Password Management
• Change default passwords
• Set password expiry
• Enforce strong passwords

CRITICAL | 1 hour | Secure Network Configuration
• Enable SSL/TLS encryption
• Limit max connections
• Restrict connection sources

CRITICAL | 10 min | Least Privilege Access
• Read-only for analytics/data science
• Keep UPDATE/DELETE

HIGH | 5 min | Enable audit logging

HIGH | 45 min | Complete 3-2-1 Backup Strategy
• 3 copies: Primary + Secondary + Offsite
• 2 storage types: Local disk + Cloud (S3)
• 1 offsite: Different region/location
• Test restores: Verify backups actually work
• Immutable backups: Protect from ransomware

Zero Trust DB App Checklist (Starter)

Example: SQL Injection Defense

Demonstrates: Verify Everything (validate all inputs) • Layer Defenses (parameterized queries)

The Bobby Tables Attack (Still Works in 2025!)

How a simple quote mark can destroy your database

VULNERABLE CODE (What NOT to do)

    # Python - String concatenation (BAD!)
    # `cursor` is assumed to be an open DB-API cursor created elsewhere.
    def get_user(username):
        query = f"SELECT * FROM users WHERE name = '{username}'"  # User input directly in query!
        cursor.execute(query)
        return cursor.fetchall()

Attacker Input:

    Robert'; DROP TABLE users; --

Resulting Query:

    SELECT * FROM users WHERE name = 'Robert'; DROP TABLE users; --'

• 'Robert'; ↑ Query ends
• DROP TABLE users; ↑ New command!
• --' ↑ Comment

SECURE CODE (Always use prepared statements)

    # Python - Prepared statement (GOOD!)
    # `cursor` is assumed to be an open DB-API cursor created elsewhere.
    def get_user(username):
        query = "SELECT * FROM users WHERE name = %s"  # Placeholder, not string!
        cursor.execute(query, (username,))
        return cursor.fetchall()

Same Attack Input:

    Robert'; DROP TABLE users; --

Resulting Query:

    SELECT * FROM users WHERE name = 'Robert''; DROP TABLE users; --'

↑ Entire string treated as data, not code!
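Added example, not from the original page: the page's attacker input run against both query styles on an in-memory SQLite database, checking whether the users table survives, plus the validation layer named in "Verify Everything". The function names, the allow-list pattern and the sample rows are assumptions; sqlite3 uses ? placeholders where the page's code uses %s.

```python
import re
import sqlite3

PAYLOAD = "Robert'; DROP TABLE users; --"  # attacker input quoted on the page
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # assumed allow-list policy


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("Robert",), ("Alice",)])
    conn.commit()
    return conn


def table_exists(conn, table="users"):
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (table,)).fetchone() is not None


def get_user_vulnerable(conn, username):
    # BAD: input becomes SQL text. executescript() stands in for drivers that
    # accept stacked statements; sqlite3's execute() refuses more than one.
    conn.executescript(f"SELECT * FROM users WHERE name = '{username}'")


def get_user_parameterized(conn, username):
    # The value travels separately from the SQL text (sqlite3 uses ?, not %s).
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def get_user_layered(conn, username):
    # Layer 1: reject input outside the allow-list before it reaches the DB.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails validation")
    # Layer 2: still bind the value; validation never replaces parameters.
    return get_user_parameterized(conn, username)


if __name__ == "__main__":
    bad, good = make_db(), make_db()
    get_user_vulnerable(bad, PAYLOAD)
    print("vulnerable: users table survives ->", table_exists(bad))
    print("parameterized rows ->", get_user_parameterized(good, PAYLOAD))
    print("parameterized: users table survives ->", table_exists(good))
```

A regression test built this way is more useful than reading the query text: it fails if someone later reintroduces string formatting into the lookup.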