Hardening Database Server

kaqfa 3,433 views 17 slides Mar 09, 2011

About This Presentation

Presentation on database security, the types of database attacks, and two case studies on how to harden a database server, one for Oracle and one for MySQL.


Slide Content

Hardening the Defense
of Database Server
Database Security

Presentation Outline
1. The Importance of Database Security
2. Finding Database Server Holes
3. Types of Database Attacks
4. Oracle Case Study
5. MySQL Case Study

Importance of Database Security
Databases often store sensitive data
Incorrect data or loss of data could negatively affect business operations
Databases can be used as a base from which to attack other systems

Principles of Finding Holes
Don't believe the documentation
Implement your own client
Debug the system to understand how it works
Identify the communication protocols
Understand arbitrary code execution bugs
Write your own "fuzzers"

Top Six Database Attacks* [1]
Brute-force (or not) cracking of weak or default usernames/passwords
Privilege escalation
Exploiting unused and unnecessary database services and functionality
Targeting unpatched database vulnerabilities
SQL injection
Stolen (unencrypted) backup tapes
* based on: http://www.darkreading.com/security/encryption/211201064/index.html

Top Six Database Attacks [2]
Cracking usernames/passwords
Leaving default passwords unchanged is a disaster
It is also better to change passwords periodically
Privilege escalation
Give the right person the right privilege
Avoid giving low-level users access to the whole database (even read-only access)
Exploiting unnecessary services
Attackers look for exposed listeners and unused features
Only install the features we need

Top Six Database Attacks [3]
Unpatched database vulnerabilities
Many companies are reluctant to patch their databases because of availability concerns
Database bugs are often posted on hacker websites
Skipping a small patch can lead to a big disaster
Stolen (unencrypted) backup tapes
A type of insider or accidental attack
Encrypt the backups so that a stolen tape is useless to the thief

Top Six Database Attacks [4]
SQL injection
An old but still widely used attack
Usually exploits a web application weakness
The result of poor application development practice
Use statement binding (bind variables / prepared statements) so that user input is passed as data and never concatenated into the SQL text; binding is not a filter, it keeps input out of the query structure altogether

Case Study: Oracle

Security Checklists [1]
Oracle TNS Listener
Set a TNS Listener password (stored encrypted) to prevent unauthorized administration of the Listener (from 10g the Listener uses local OS authentication by default, and the password is deprecated in 12c)
Turn on Admin Restrictions (ADMIN_RESTRICTIONS_LISTENER) to ensure SET commands cannot be called remotely
Turn on TCP Valid Node Checking to allow only certain hosts to connect to the database server and reject all others
Turn off XML Database if it is not used
Turn off External Procedures if not required
Encrypt network traffic using the Oracle Net Manager tool
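As an added example (not part of the slides), the following script parses a pair of `listener.ora` / `sqlnet.ora` files and reports which of the listener items above are missing. The two sample configurations are constructed for the demonstration: the "weak" pair is what a default install looks like, the "hardened" pair applies the checklist. The parameter names (`ADMIN_RESTRICTIONS_LISTENER`, `PASSWORDS_LISTENER`, `TCP.VALIDNODE_CHECKING`, `TCP.INVITED_NODES`, `SQLNET.ENCRYPTION_SERVER`) are real Oracle Net parameters; the host names, addresses and the password hash value are placeholders.

```python
import re

# Constructed samples (not real files). Comments use Oracle's '#' syntax.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
"""
WEAK_SQLNET_ORA = """
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
"""

HARDENED_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
# Refuse SET commands from remote lsnrctl sessions
ADMIN_RESTRICTIONS_LISTENER = ON
# Written by `lsnrctl change_password` + `save_config`; placeholder value here
PASSWORDS_LISTENER = (A1B2C3D4E5F60718)
"""
HARDENED_SQLNET_ORA = """
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.5, 10.0.0.6)
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
"""

ENTRY = re.compile(r"\s*([A-Za-z0-9_.]+)\s*=\s*")


def parse_ora(text):
    """Return {PARAM: value} for the top-level entries of an Oracle *.ora file.
    A flat parenthesised list becomes a Python list; a nested block such as a
    LISTENER description is kept as raw text; anything else is a plain string."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    params, pos = {}, 0
    while True:
        m = ENTRY.match(body, pos)
        if not m:
            break
        key, pos = m.group(1).upper(), m.end()
        if pos < len(body) and body[pos] == "(":
            start, depth = pos, 0
            while pos < len(body):            # walk to the matching ')'
                depth += {"(": 1, ")": -1}.get(body[pos], 0)
                pos += 1
                if depth == 0:
                    break
            raw = body[start:pos]
            inner = raw[1:-1]
            value = raw if "(" in inner else [x.strip() for x in inner.split(",")]
        else:
            end = body.find("\n", pos)
            end = len(body) if end == -1 else end
            value, pos = body[pos:end].strip(), end
        params[key] = value
    return params


def scalar(value, default):
    """Normalise 'ON', '(ON)' and a missing entry to one upper-case string."""
    if value is None:
        return default
    if isinstance(value, list) and len(value) == 1:
        return value[0].upper()
    return str(value).upper()


def audit_oracle_net(listener_ora, sqlnet_ora):
    """Return the checklist items that the given configuration fails."""
    lsn, net = parse_ora(listener_ora), parse_ora(sqlnet_ora)
    findings = []
    if "PASSWORDS_LISTENER" not in lsn:
        findings.append("no listener password set")
    if scalar(lsn.get("ADMIN_RESTRICTIONS_LISTENER"), "OFF") != "ON":
        findings.append("ADMIN_RESTRICTIONS_LISTENER is not ON")
    if scalar(net.get("TCP.VALIDNODE_CHECKING"), "NO") != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES")
    elif not net.get("TCP.INVITED_NODES"):
        findings.append("valid node checking is on but TCP.INVITED_NODES is empty")
    if scalar(net.get("SQLNET.ENCRYPTION_SERVER"), "ACCEPTED") != "REQUIRED":
        findings.append("SQLNET.ENCRYPTION_SERVER is not REQUIRED")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_oracle_net(WEAK_LISTENER_ORA, WEAK_SQLNET_ORA))
    print("hardened:", audit_oracle_net(HARDENED_LISTENER_ORA, HARDENED_SQLNET_ORA))
```

The defaults used when a parameter is absent (`ACCEPTED` for encryption, valid node checking off, admin restrictions off) are Oracle's own defaults, which is why a stock install fails every item.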

Security Checklists [2]
Accounts
Lock and expire unused accounts
Define a user account naming standard
Define and enforce a good password policy
Roles
Be careful when creating new roles and give them meaningful names
All user accounts should be assigned to a specific role with minimal privileges
Revoke any unnecessary permissions

Security Checklists [3]
DBA Role
Enable data protection to prevent users from accessing sensitive tables
Use a secure PL/SQL coding standard to ensure developers write secure PL/SQL programs
Perform security audits regularly
Before installing the database, use a checklist of what is needed and what is not
Install patches as soon as possible

Case Study: MySQL

Security Checklists [1]
Background
Since MySQL is open source, there are many resources on the Internet for finding bugs and patches
Stay tuned to MySQL security issues and MySQL updates
Routine Audit
Check the logs for common SQL injection patterns
Audit the users and check their granted privileges
Check the stored password hashes for weak, guessable or repeated passwords

Security Checklists [2]
MySQL Users
Use strong passwords
Rename the root MySQL user to something obscure
Restrict MySQL users by IP address (the Host column) as well as by password
Never give anyone access to the mysql.user table
MySQL Configuration
Enable logging via the --log option (the old name for --general-log)
Disallow the use of symbolic links (--skip-symbolic-links)
Remove the default test database
Ensure MySQL traffic is encrypted
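The routine audit from the previous slide and the user checks from this one can be scripted. The example below is added here and is not from the slides: it scans constructed general-query-log lines for common injection signatures, then audits constructed `mysql.user` rows for wildcard hosts, shared passwords, and passwords that match a small wordlist or the username. The wordlist check works because `mysql_native_password` hashes are unsalted (`'*' + SHA1(SHA1(password))`), so every hash in the table can be compared against a precomputed candidate list. All usernames, hosts, passwords and log lines are made up for the demonstration.

```python
import hashlib
import re


def mysql_native_hash(password):
    """mysql_native_password: '*' followed by SHA1(SHA1(password)) in upper-case hex.
    No salt, so identical passwords produce identical hashes."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed general query log lines (MySQL 5.1 style); not a real capture.
LOG_LINES = [
    "110309 10:15:01   12 Query  SELECT * FROM items WHERE id = 42",
    "110309 10:15:03   12 Query  SELECT * FROM items WHERE id = 42 "
    "UNION SELECT user, authentication_string, 3 FROM mysql.user",
    "110309 10:15:05   13 Query  SELECT * FROM users WHERE name = 'bob' OR '1'='1'",
    "110309 10:15:07   13 Query  SELECT * FROM users WHERE name = 'admin'-- ' AND pw = 'x'",
    "110309 10:15:09   14 Query  SELECT SLEEP(5)",
]

SQLI_PATTERNS = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "UNION-based injection"),
    (re.compile(r"\bor\b\s*'?\d+'?\s*=\s*'?\d+'?", re.I), "tautology (OR 1=1)"),
    (re.compile(r"(--|#|/\*)"), "comment sequence truncating the query"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based probe"),
    (re.compile(r"\bmysql\.user\b", re.I), "read of mysql.user"),
]


def scan_log(lines):
    """Return (line_number, label) for every pattern that fires on a log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pattern, label in SQLI_PATTERNS:
            if pattern.search(line):
                hits.append((n, label))
    return hits


# Constructed mysql.user rows: (User, Host, authentication_string).
USER_ROWS = [
    ("root", "localhost", mysql_native_hash("password")),
    ("app", "10.0.0.%", mysql_native_hash("Zk7!vq2#Lm9pXe")),
    ("report", "%", mysql_native_hash("report")),
    ("backup", "localhost", mysql_native_hash("Zk7!vq2#Lm9pXe")),
]
WORDLIST = ["password", "root", "mysql", "123456"]


def audit_users(rows, wordlist):
    """Return (user, host, finding) for wildcard hosts, wordlist passwords,
    password-equals-username, and passwords shared between accounts."""
    findings = []
    candidates = {mysql_native_hash(w): w for w in wordlist}
    seen = {}
    for user, host, auth in rows:
        if host == "%":
            findings.append((user, host, "reachable from any host"))
        if auth in candidates:
            findings.append((user, host, "password in wordlist: %s" % candidates[auth]))
        if auth == mysql_native_hash(user):
            findings.append((user, host, "password equals username"))
        if auth in seen:
            findings.append((user, host, "same password as %s" % seen[auth]))
        else:
            seen[auth] = user
    return findings


if __name__ == "__main__":
    for n, label in scan_log(LOG_LINES):
        print("log line %d: %s" % (n, label))
    for user, host, finding in audit_users(USER_ROWS, WORDLIST):
        print("%s@%s: %s" % (user, host, finding))
```

On a real server the rows come from `SELECT User, Host, authentication_string FROM mysql.user` (the column is `Password` on 5.6 and earlier) and the log lines from the general log; the signatures are deliberately coarse, so treat a hit as something to read, not as proof of an attack.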

Security Checklists [3]
Operating System
Turn off unnecessary services or daemons
Ensure the MySQL data files cannot be read by users other than the account the daemon runs as (and root or Administrator)
Use a low-privileged MySQL account to run the MySQL daemon
Ensure MySQL users cannot read or write files outside of a limited set of directories (the secure_file_priv option)