Hardening Database Server
•Download as ODP, PDF•
0 likes•3,408 views
Presentation on database security, type of database attacks, and two use cases on how to hardening database server using Oracle and MySQL
Report
Share
Hardening Database Server
- 1. Hardening the Defense of Database Server Database Security
- 2. Presentation Outline The Importance of Database Security 1 Finding Database Server Holes 2 Type of Database Attacks 3 Oracle Study Case 4 MySQL Study Case 5
- 3. Importance of Database Security Databases often store sensitive data
- 4. Incorrect data or loss of data could negatively affect business operations
- 5. Databases can be used as bases to attack other systems from
- 6. Principles of Finding Holes Don't believe the documentation
- 7. Implement your own client
- 8. Debug the system to understand how it works
- 10. Understand arbitrary code execution bugs
- 11. Write your own "fuzzers"
- 12. Top Six Database Attack* [1] Brute-force (or not) cracking of weak or default usernames/passwords
- 14. Exploiting unused and unnecessary database services and functionality
- 15. Targeting unpatched database vulnerabilities
- 16. SQL injection
- 17. Stolen backup (unencrypted) tapes * based on : http://www.darkreading.com/security/encryption/211201064/index.html
- 18. Top Six Database Attacks [2] Cracking username/password Not to change default password is disaster
- 19. It is also better to change password periodically Privilege Escalation Give right person right privilege
- 20. Avoid giving low-level user all database (even read only access) Exploiting unnecessary service Attacker always find open listener feature
- 21. Only install features we need
- 22. Top Six Database Attacks [3] Unpatched database vulnerabilities Many companies reluctant to patch their database because of availability
- 23. Database bugs many times posted in hacker website
- 24. Not to install small patch can lead big disaster Stolen backup (unencrypted) tapes Type of insider or accidental attack
- 25. Encrypt the backup to prevent attack
- 26. Top Six Database Attacks [4] SQL Injection Old but still widely used attacks
- 27. Usually exploit web application weakness
- 28. Result of poor practice application development
- 29. Use statement binding to filter user input
- 30. Case Study
- 31. Security Checklists [1] Oracle TNS Listener Set a TNS Listener Password (encrypted) to prevent unauthorized administration of the Listener
- 32. Turn on Admin Restrictions to ensure certain commands cannot be called remotely
- 33. Turn on TCP Valid Node Checking allow certain hosts to connect to the database server and prevent others
- 34. Turn off XML Database if it is not used
- 35. Turn off External Procedures if not required
- 36. Encrypt Network Traffic using the Oracle Net Manager tool
- 37. Security Checklists [2] Accounts Lock and Expire Unused Accounts
- 38. Define a user account naming standard
- 39. Define and Enforce a Good Password Policy Roles Be careful to make new role and give meaningful name
- 40. All user accounts should be assigned to specific role with minimal privileges
- 41. Revoke any unnecessary permissions
- 42. Security Checklists [3] DBA Role Enable data protection to prevent users access sensitive tables
- 43. User secure PL/SQL coding standard, to ensure developers make secure PL/SQL programs
- 44. Perform security audits regularly
- 45. Before installing database, use checklist of what is needed and what is not
- 46. Install patching as soon as possible
- 47. Case Study
- 48. Security Checklists [1] Background Since MySQL is open source, find many resources in the Internet to find bugs and patches
- 49. Stay tune to MySQL security issue and MySQL update Routine Audit Check logs to search common SQL injection
- 50. Audit the users and check the granted privileges
- 51. Check the hashing user password to double check password patterns
- 52. Security Checklists [2] MySQL Users Use strong password
- 53. Rename the root MySQL user to something obscure
- 54. Restrict MySQL users by IP address and passwords
- 55. Never give anyone access to the mysql.user table MySQL Configuration Enable logging via the --log option
- 56. Disallow the use of symbolic links
- 57. Remove the default test database
- 58. Ensure MySQL traffic is encrypted
- 59. Security Checklists [3] Operating System Turn off unnecessary services or daemons
- 60. Ensure MySQL data files cannot be read by users other than the root or Administrator account
- 61. Use a low-privileged MySQL account to run the MySQL daemon
- 62. Ensure MySQL users cannot access files outside of a limited set of directories
- 63. Thank You !