
Comment by bruce343434

6 hours ago

The issue is how easy computers make everything, and how well processes scale with computers. Back in the day to heist data you'd have to physically break in or infiltrate, rummage through files, copy them somehow or just straight up take them. In a briefcase?? How many files can you exfiltrate per day like that?

But on a database it's practically a matter of running a copy command and uploading it or exfiltrating it. And there will always be software vulnerabilities.

Computer processes have no inherent rate limiter to them, and they even allow you to run stuff from a distance.

It all comes down to where the boundary for data access is implemented, and how strictly.

If your webapp has unfettered database access then don't be surprised if it is hacked and someone can do `select * from users` and then post that dump somewhere.

The attack surface changes if your webapp can only do a REST call to pull a single user record at a time. That way you can put some auditing in, you can put rate limiting in to detect that, etc.

Obviously the user record REST API endpoint is still vulnerable, but it's a much smaller attack surface, easier to audit, and can be monitored a lot more closely.

Yes, ultimately, there will still be a set of vulnerable humans that have access to the database servers themselves and they can always walk out of the place with an SD card hidden in a Rubik's cube but there has to be an element of trust somewhere.

The problem is that too many people put that trust boundary way too far out into the big bad Internet. Or don't even consider it at all and just rely on the fact that other targets are more appealing.
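The single-record boundary with auditing and rate limiting that the comment describes, as an added sketch (not code from the commenter or from any project). The class name, the limit of 5 reads per 60 seconds, and the sample user data are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

class RateLimited(Exception):
    """Raised when a caller exceeds its read budget for the window."""

class UserRecordGateway:
    """Hypothetical data-access boundary: one user record per call, nothing else."""

    def __init__(self, store, max_reads=5, window_s=60.0, clock=time.monotonic):
        self._store = store                # stands in for the database behind the boundary
        self._max_reads = max_reads        # assumed budget, tune per application
        self._window_s = window_s
        self._clock = clock                # injectable so the limiter can be tested
        self._recent = defaultdict(deque)  # caller -> timestamps of reads in the window
        self.audit_log = []                # (timestamp, caller, user_id, outcome)

    def get_user(self, caller, user_id):
        now = self._clock()
        recent = self._recent[caller]
        # Drop reads that have aged out of the sliding window.
        while recent and now - recent[0] >= self._window_s:
            recent.popleft()
        if len(recent) >= self._max_reads:
            # Denied reads are audited too: a burst of these is the detection signal.
            self.audit_log.append((now, caller, user_id, "rate_limited"))
            raise RateLimited(caller)
        recent.append(now)
        record = self._store.get(user_id)
        outcome = "ok" if record is not None else "not_found"
        self.audit_log.append((now, caller, user_id, outcome))
        return record

def records_obtained(gateway, caller, user_ids):
    """Count how many records one caller gets before the limiter cuts it off."""
    got = 0
    for uid in user_ids:
        try:
            if gateway.get_user(caller, uid) is not None:
                got += 1
        except RateLimited:
            break
    return got

# Constructed sample data: 100 fake user rows.
USERS = {i: {"id": i, "email": f"user{i}@example.test"} for i in range(1, 101)}

if __name__ == "__main__":
    gw = UserRecordGateway(USERS)
    print(records_obtained(gw, "webapp-session-a", range(1, 101)), "of", len(USERS))
    print(gw.audit_log[-1])
```

With unfettered database access the same caller would get all 100 rows in one query and leave no per-record trail; here it gets 5 and the audit log records the denied attempt.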