Hardening Database Server

Presentation on database security, the types of database attacks, and two case studies on how to harden a database server, one using Oracle and one using MySQL.

Presentation Transcript

    • Hardening the Defense of Database Server
      Database Security
    • Presentation Outline
      1. The Importance of Database Security
      2. Finding Database Server Holes
      3. Types of Database Attacks
      4. Oracle Case Study
      5. MySQL Case Study
    • Importance of Database Security
      • Databases often store sensitive data
      • Incorrect data or loss of data could negatively affect business operations
      • Databases can be used as bases to attack other systems from
    • Principles of Finding Holes
      • Don't believe the documentation
      • Implement your own client
      • Debug the system to understand how it works
      • Identify communication protocols
      • Understand arbitrary code execution bugs
      • Write your own "fuzzers"
    • Top Six Database Attacks* [1]
      • Brute-force (or not) cracking of weak or default usernames/passwords
      • Privilege escalation
      • Exploiting unused and unnecessary database services and functionality
      • Targeting unpatched database vulnerabilities
      • SQL injection
      • Stolen backup (unencrypted) tapes
      * Based on: http://www.darkreading.com/security/encryption/211201064/index.html
    • Top Six Database Attacks [2]
      • Cracking usernames/passwords
        • Leaving default passwords unchanged is a disaster
        • Passwords should also be changed periodically
      • Privilege escalation
        • Give the right person the right privilege
        • Avoid giving a low-level user access to the whole database (even read-only access)
      • Exploiting unnecessary services
        • Attackers always find open listener features
        • Only install the features you need
    • Top Six Database Attacks [3]
      • Unpatched database vulnerabilities
        • Many companies are reluctant to patch their databases because of availability concerns
        • Database bugs are often posted on hacker websites
        • Skipping a small patch can lead to a big disaster
      • Stolen backup (unencrypted) tapes
        • A type of insider or accidental attack
        • Encrypt backups to prevent this attack
    • Top Six Database Attacks [4]
      • SQL injection
        • An old but still widely used attack
        • Usually exploits web application weaknesses
        • The result of poor application development practices
        • Use statement binding so that user input is passed as data, not as part of the SQL text
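Added illustration of the last point (not part of the presentation): the same user lookup written the unsafe way, with the input pasted into the SQL text, and the safe way, with the input bound to a parameter marker. MySQL dialect; the table app_user, its rows and the @input string are constructed for the example. Server-side PREPARE/EXECUTE is used so the whole thing runs inside a MySQL client; application drivers expose the same binding through their placeholder API.

```sql
-- Added example, not from the presentation. MySQL dialect.
-- Constructed sample table and rows for the demonstration.
CREATE TABLE app_user (
  id       INT PRIMARY KEY,
  username VARCHAR(64) NOT NULL,
  pw_hash  CHAR(64)    NOT NULL
);
INSERT INTO app_user VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');

-- The text an attacker might submit in a username field (constructed here).
SET @input = 'nobody'' OR ''1''=''1';

-- UNSAFE: the application builds the statement by string concatenation.
-- CONCAT stands in for what such application code produces; the text becomes
--   SELECT id, username FROM app_user WHERE username = 'nobody' OR '1'='1'
-- and the WHERE clause is now always true.
SET @unsafe_sql = CONCAT('SELECT id, username FROM app_user WHERE username = ''',
                         @input, '''');
PREPARE unsafe FROM @unsafe_sql;
EXECUTE unsafe;                      -- returns both rows: the input became SQL
DEALLOCATE PREPARE unsafe;

-- SAFE: the statement text is fixed and the value is bound to the ? marker.
-- The server compares username with the whole input as one string literal,
-- so the quotes and the OR inside it are data, not SQL.
PREPARE safe FROM 'SELECT id, username FROM app_user WHERE username = ?';
EXECUTE safe USING @input;           -- returns no rows
DEALLOCATE PREPARE safe;
```

The fix is structural rather than a filter: with binding there is no way for the value to change the shape of the statement, whatever characters it contains, which is why it is preferred over escaping or blacklisting input.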
    • Oracle Case Study: Security Checklists [1]
      • Oracle TNS Listener
        • Set a TNS Listener password (stored encrypted) to prevent unauthorized administration of the Listener
        • Turn on Admin Restrictions so that certain commands cannot be called remotely
        • Turn on TCP Valid Node Checking to allow only certain hosts to connect to the database server and reject all others
        • Turn off XML Database if it is not used
        • Turn off External Procedures if they are not required
        • Encrypt network traffic using the Oracle Net Manager tool
    • Security Checklists [2]
      • Accounts
        • Lock and expire unused accounts
        • Define a user account naming standard
        • Define and enforce a good password policy
      • Roles
        • Create new roles carefully and give them meaningful names
        • Assign every user account to a specific role with minimal privileges
        • Revoke any unnecessary permissions
    • Security Checklists [3]
      • DBA Role
        • Enable data protection to prevent users from accessing sensitive tables
        • Use a secure PL/SQL coding standard to ensure developers write secure PL/SQL programs
        • Perform security audits regularly
        • Before installing the database, use a checklist of what is needed and what is not
        • Install patches as soon as possible
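The account, password policy, role and audit items on the two checklists above, as Oracle SQL a DBA would run. This is an added example, not from the presentation: the account names SCOTT and HR_APP, the schema HR with its EMPLOYEES table, and the profile and role names are placeholders chosen for the illustration. The listener and data-protection items are configured outside SQL and are not shown here.

```sql
-- Added example, not from the presentation. Oracle SQL, run as a DBA.
-- SCOTT, HR_APP, HR.EMPLOYEES, APP_USER_PROFILE and HR_READONLY are placeholders.

-- Accounts: lock and expire an account that is no longer in use
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Password policy: define it once in a profile, then attach the profile
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5          -- lock after five failed logins
  PASSWORD_LOCK_TIME    1/24       -- stay locked for one hour (unit is days)
  PASSWORD_LIFE_TIME    90         -- force a change every 90 days
  PASSWORD_GRACE_TIME   7          -- warn for seven days before expiry
  PASSWORD_REUSE_MAX    10         -- no reuse of the last ten passwords
  PASSWORD_REUSE_TIME   365;       -- and none reused within a year
ALTER USER hr_app PROFILE app_user_profile;

-- Roles: a meaningful name and only the privileges the job needs
CREATE ROLE hr_readonly;
GRANT CREATE SESSION TO hr_readonly;
GRANT SELECT ON hr.employees TO hr_readonly;
GRANT hr_readonly TO hr_app;

-- Revoke broad privileges an application account should never hold
-- (raises ORA-01952 if the privilege was never granted, which is harmless)
REVOKE SELECT ANY TABLE FROM hr_app;

-- Regular audit queries
SELECT username, account_status, profile
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY username;                -- every open account should be known and justified

SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'DBA';       -- who holds the DBA role

SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%';     -- "ANY" privileges reach across every schema
```

Keeping the policy in a profile rather than on individual users means a new account gets the policy by assigning the profile, and a later change to the limits applies to every account that uses it.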
    • MySQL Case Study: Security Checklists [1]
      • Background
        • Since MySQL is open source, there are many resources on the Internet for finding bugs and patches
        • Stay tuned to MySQL security issues and MySQL updates
      • Routine Audit
        • Check logs for common SQL injection patterns
        • Audit the users and check the granted privileges
        • Check user password hashes to double-check password patterns
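The routine audit above as queries against the MySQL system tables, added here as an example (not from the presentation). MySQL 5.7/8.0 dialect is assumed: the hash lives in mysql.user.authentication_string (older servers use a column named password), and the log review assumes the general log is written to a table. Nothing in it is specific to one site; the system account names in the exclusion list are the ones MySQL ships with.

```sql
-- Added example, not from the presentation. MySQL 5.7/8.0 dialect.

-- 1. Accounts reachable from any host, anonymous, or without a password
SELECT user, host
FROM   mysql.user
WHERE  host = '%' OR user = '' OR authentication_string = '';

-- 2. Password patterns: several accounts sharing one hash share one password
SELECT authentication_string AS hash,
       GROUP_CONCAT(CONCAT(user, '@', host)) AS accounts
FROM   mysql.user
WHERE  authentication_string <> ''
GROUP  BY authentication_string
HAVING COUNT(*) > 1;

-- 3. Dangerous global privileges held by accounts other than the admin
SELECT user, host
FROM   mysql.user
WHERE  (Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y')
  AND  user NOT IN ('root', 'mysql.sys', 'mysql.session', 'mysql.infoschema');
-- then review each hit in full, e.g.  SHOW GRANTS FOR 'someuser'@'somehost';

-- 4. Log review. With the general log written to a table
--    (SET GLOBAL log_output = 'TABLE'; SET GLOBAL general_log = 'ON';)
--    flag statements carrying the usual injection markers.
--    argument is a BLOB, so it is converted before the case-insensitive match.
SELECT event_time, user_host, CONVERT(argument USING utf8mb4) AS stmt
FROM   mysql.general_log
WHERE  UPPER(CONVERT(argument USING utf8mb4)) LIKE '%UNION%SELECT%'
   OR  UPPER(CONVERT(argument USING utf8mb4)) LIKE '%INFORMATION\_SCHEMA%'
   OR  UPPER(CONVERT(argument USING utf8mb4)) LIKE '%SLEEP(%'
   OR  UPPER(CONVERT(argument USING utf8mb4)) LIKE '%BENCHMARK(%'
ORDER  BY event_time DESC
LIMIT  100;
```

Query 4 logs itself, so its own text will show up as a hit; run it from a dedicated audit account and exclude that user_host, or treat the first row as noise. Query 2 is the simplest way to act on the "password patterns" item: identical hashes across accounts mean one password was reused, and every such group is a candidate for a forced reset.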
    • Security Checklists [2]
      • MySQL Users
        • Use strong passwords
        • Rename the root MySQL user to something obscure
        • Restrict MySQL users by IP address and password
        • Never give anyone access to the mysql.user table
      • MySQL Configuration
        • Enable logging via the --log option
        • Disallow the use of symbolic links
        • Remove the default test database
        • Ensure MySQL traffic is encrypted
    • Security Checklists [3]
      • Operating System
        • Turn off unnecessary services or daemons
        • Ensure MySQL data files cannot be read by users other than the root or Administrator account
        • Use a low-privileged MySQL account to run the MySQL daemon
        • Ensure MySQL users cannot access files outside of a limited set of directories
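The user and configuration items from checklists [2] and [3], as the statements a DBA would run, added here as an example (not from the presentation). MySQL 5.7+ dialect is assumed; the admin name dbadmin, the application account orders_app, the schema orders and the 10.0.0.0/24 subnet are placeholders. Symbolic links, the file-access directory (secure_file_priv) and the OS account the daemon runs as (user=mysql in my.cnf) cannot be set from SQL, so the block only verifies them.

```sql
-- Added example, not from the presentation. MySQL 5.7+ dialect.
-- dbadmin, orders_app, orders and 10.0.0.% are placeholders.

-- Rename the root account so the well-known name is no longer a valid login.
-- Keep a second admin session open while doing this in case of a typo.
RENAME USER 'root'@'localhost' TO 'dbadmin'@'localhost';

-- Application account: strong password, one subnet, TLS required
CREATE USER 'orders_app'@'10.0.0.%'
  IDENTIFIED BY 'REPLACE-WITH-A-LONG-GENERATED-PASSWORD'
  REQUIRE SSL;
-- and only the privileges it needs, on its own schema only
GRANT SELECT, INSERT, UPDATE ON orders.* TO 'orders_app'@'10.0.0.%';
-- (nothing is granted on mysql.*, so mysql.user stays out of reach)

-- Remove the default test database and the anonymous grants that point at it.
-- The LIKE also matches a schema named, say, testing: check mysql.db first.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db LIKE 'test%';
DROP USER IF EXISTS ''@'localhost';
FLUSH PRIVILEGES;

-- Logging: the --log option of older servers is today's general query log
SET GLOBAL general_log = 'ON';

-- Verify the settings that can only be fixed in my.cnf or at the OS level
SHOW VARIABLES LIKE 'have_symlink';       -- want DISABLED (symbolic-links=0)
SHOW VARIABLES LIKE 'secure_file_priv';   -- want one directory or NULL; empty = unrestricted
SHOW VARIABLES LIKE 'have_ssl';           -- want YES, otherwise REQUIRE SSL cannot be met
SHOW VARIABLES LIKE 'local_infile';       -- want OFF
```

The SHOW VARIABLES lines are the check to run after a restart: a value that differs from the comment means the my.cnf change was not picked up, which is easy to miss when the server otherwise starts normally.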
    • Thank You!