Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Decrease Your MySQL Attack Surface
Georgi “Joro” Kodinov
Team Lead
MySQL Server General Team
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Goal: Make You Think About Security !
Agenda
• What is “Attack Surface” ?
• Why is it important to minimize it ?
• Ways to decrease the attack surface
• Further reading
What is “Attack Surface” ?
“The attack surface of a software environment is the sum of the different points where an unauthorized user can try to enter data to or extract data from an environment.” – Wikipedia
Takeaway Points: What is “Attack Surface” ?
• It’s a property of the whole environment
– database, web server, application, network
• Covers entering AND extracting data
– Data are a precious commodity
• Is exploited by unauthorized users
– That includes not-sufficiently-authorized users too !
Why is it Important to Minimize the Attack Surface ?
It is FRIGHTENINGLY EASY to find and exploit weaknesses !
Even Safer Harbor Statement !
• This information is for demonstration only
• It does not necessarily correspond to any actual live sites
• You should use this information only to assess the defenses of your own installations
• Never use the techniques displayed for any unauthorized access !
• Be very careful and double-check all tools you get from third parties before using them !
Finding You on the Net
• 22165 wide open MySQL servers available on the Net
• Root passwords where applicable
• Most are probably vulnerable to manipulating the underlying OS too
• Some of these are pretty recent finds too
• All of that on a free, open web site
And Going On Is Just As Easy …
• All it needs to start is login access
• Can work its way in through SQL injection too
• Can automatically test password hashes against dictionary tables
• Can retrieve OS files through the database
• Can store the password hashes for later offline cracking
• Can inject UDF shared objects into the database
• “wizard” mode for “novice users”
• Free and open source tool
All that from using web search for a few hours !
Imagine the outcome if I were a professional !
… or even up to no good !
Dolphins can kill sharks when working together !
Ways to Decrease the Attack Surface
Always Be Up-to-date !
• It’s a race !
• 10 CVE reports addressed in the latest 5.6 MySQL Critical Patch Upgrade
• Oracle provides a yum/apt repository
– http://dev.mysql.com/downloads/repo/
Remove the stuff you don’t need
• Run mysql_secure_installation. Now !
• Review and restrict the network interfaces that the server listens on
• Generate SSL keys and make sure the server can “talk” SSL
• Remove extra user accounts and privileges
• Remove unneeded files and packages
Have a Backup Plan
• Schedule regular backups
• Back up data, logs, and configuration
• If your data are important, make backups of backups
• Perform regular emergency drills
Be Vigilant: Monitor, Audit, Log, Observe
• Consider enabling query logging. Create a log backup policy.
• Audit the server configuration for changes. Revert the bogus ones.
• Monitor your server logs. Set alerts for “unusual” patterns.
• Monitor security related stats. Set alerts for “unusual” patterns.
• Regularly probe your “defenses” by trying bad things on purpose
• Consider using Enterprise Audit
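An added example, not part of the deck: the query logging recommended above is only useful if somebody looks at it. The two queries below search the general log for the moves listed under “And Going On Is Just As Easy …” (UDF shared objects, OS file access through the server, hash harvesting) and for password guessing. They assume general_log=ON with log_output=TABLE, so entries land in mysql.general_log; with log_output=FILE the same patterns can be grepped from the log file.

```sql
-- Added example (not from the deck). Assumes general_log=ON and
-- log_output=TABLE: mysql.general_log has event_time, user_host,
-- thread_id, server_id, command_type and argument (MySQL 5.6 layout).
SELECT event_time, user_host, indicator, LEFT(argument, 120) AS statement_head
FROM (
  SELECT event_time, user_host, argument,
         CASE
           WHEN argument REGEXP 'CREATE[[:space:]]+(AGGREGATE[[:space:]]+)?FUNCTION.*SONAME'
                THEN 'UDF shared object loaded (why plugin-dir should be read-only)'
           WHEN argument REGEXP 'LOAD_FILE[[:space:]]*\\(|INTO[[:space:]]+(OUT|DUMP)FILE'
                THEN 'OS file read/write through the server (see secure_file_priv)'
           WHEN argument REGEXP 'FROM[[:space:]]+mysql\\.user'
                THEN 'password hashes read, possibly for offline cracking'
           WHEN command_type = 'Connect' AND argument LIKE 'Access denied%'
                THEN 'failed login'
         END AS indicator
  FROM mysql.general_log
  WHERE event_time > NOW() - INTERVAL 1 DAY
) AS hits
WHERE indicator IS NOT NULL
ORDER BY event_time;
-- This query itself mentions mysql.user, so it shows up in the next run:
-- run it from a dedicated audit account and filter that user_host out.

-- Dictionary attacks look like bursts of failed Connects from one source.
-- 20 failures per hour is a constructed threshold; tune it to your traffic.
SELECT user_host, COUNT(*) AS failures,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM mysql.general_log
WHERE command_type = 'Connect' AND argument LIKE 'Access denied%'
  AND event_time > NOW() - INTERVAL 1 HOUR
GROUP BY user_host
HAVING failures >= 20
ORDER BY failures DESC;
```

Both queries are candidates for the “unusual pattern” alerts the slide asks for: schedule them and page on any row from the first, and on any source crossing the threshold in the second.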
Take Control of Your User Accounts
• Set password complexity standards
• Rotate your passwords
• Pick the right authentication method for your accounts
• Audit changes to user account security
• Avoid storing passwords in your scripts
• Consider using Enterprise Authentication
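An added example, not part of the deck, covering “Remove extra user accounts and privileges” above and the account review on this slide: one query over the grant tables that surfaces the usual weak spots (anonymous accounts, empty or pre-4.1 password hashes, remote root, wildcard hosts, FILE/SUPER/GRANT privileges), followed by the clean-up that mysql_secure_installation performs. It assumes the MySQL 5.6 grant-table layout; the Password column was removed in 5.7.6, where the hash lives only in authentication_string. Account names in the clean-up are placeholders.

```sql
-- Added example (not from the deck); MySQL 5.6 mysql.user layout assumed.
SELECT CONCAT('''', User, '''@''', Host, '''') AS account,
       plugin,
       CASE
         WHEN User = ''                                        THEN 'anonymous account'
         WHEN Password = '' AND authentication_string = ''     THEN 'no password set'
         WHEN plugin = 'mysql_old_password' OR LENGTH(Password) = 16
                                                               THEN 'pre-4.1 password hash'
         WHEN User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
                                                               THEN 'remote root login allowed'
         WHEN Host = '%'                                       THEN 'reachable from any host'
         ELSE 'ok'
       END AS finding,
       -- FILE reads and writes OS files through the server; SUPER and GRANT
       -- OPTION escalate to everything else. Hand these out deliberately only.
       CONCAT_WS(' ', IF(File_priv = 'Y', 'FILE', NULL),
                      IF(Super_priv = 'Y', 'SUPER', NULL),
                      IF(Grant_priv = 'Y', 'GRANT', NULL),
                      IF(Shutdown_priv = 'Y', 'SHUTDOWN', NULL)) AS risky_global_privs
FROM mysql.user
ORDER BY finding = 'ok', account;

-- Clean-up for the usual findings (what mysql_secure_installation does, spelled out).
DROP USER ''@'localhost';                                  -- one DROP USER per anonymous row
DROP DATABASE IF EXISTS test;                              -- writable by everyone by default
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%'; -- and the grants that allowed it
REVOKE FILE, SUPER ON *.* FROM 'webapp'@'10.0.0.%';        -- application accounts need neither

-- Re-hash a pre-4.1 account (placeholder name) with the current hash format.
UPDATE mysql.user SET plugin = 'mysql_native_password'
 WHERE User = 'legacy' AND Host = 'localhost';
FLUSH PRIVILEGES;
SET old_passwords = 0;
SET PASSWORD FOR 'legacy'@'localhost' = PASSWORD('replace-with-a-generated-secret');
FLUSH PRIVILEGES;
```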
Useful Parameters
Parameter               Recommended Value
secure_file_priv        Designated directory
symbolic_links          Boolean NO
default-storage-engine  InnoDB
general-log             Boolean ON
log-raw                 Default: OFF
skip-networking         ON, if you can afford it
SSL options             Set to valid values
Useful Parameters
Parameter                 Recommended Value
plugin-dir                Designated read-only directory
chroot                    Designated directory, if you can afford it
core-file                 OFF
des-key-file              File with DES keys
read_only                 ON for slaves !
sha256_password RSA keys  RSA public/private keys, if you can’t use SSL
tmpdir                    Designated directory outside secure-file-priv
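An added example, not part of the deck: a single statement that compares a running server with the recommended values in the two tables above. Variable names are those of MySQL 5.6; chroot and des-key-file are start-up options without a system variable, so they have to be checked in my.cnf or on the mysqld command line. The sha256_password key-path variables exist only in OpenSSL builds; drop that row on a yaSSL build.

```sql
-- Added example (not from the deck). Run as a user with SUPER-free read access;
-- every row is one parameter from the tables, with OK/WEAK against the recommendation.
SELECT name, value, IF(ok, 'OK', 'WEAK') AS status
FROM (
  SELECT 'secure_file_priv' AS name, @@global.secure_file_priv AS value,
         -- '' means LOAD_FILE / INTO OUTFILE may touch any path the server can
         @@global.secure_file_priv IS NULL OR @@global.secure_file_priv <> '' AS ok
  UNION ALL SELECT 'have_symlink (symbolic_links)', @@global.have_symlink,
         @@global.have_symlink <> 'YES'
  UNION ALL SELECT 'default_storage_engine', @@global.default_storage_engine,
         @@global.default_storage_engine = 'InnoDB'
  UNION ALL SELECT 'general_log', @@global.general_log, @@global.general_log = 1
  UNION ALL SELECT 'log_raw', @@global.log_raw, @@global.log_raw = 0
  UNION ALL SELECT 'skip_networking', @@global.skip_networking, @@global.skip_networking = 1
  UNION ALL SELECT 'have_ssl', @@global.have_ssl, @@global.have_ssl = 'YES'
  -- the directory must not be writable through secure_file_priv (INTO DUMPFILE);
  -- its OS permissions still have to be checked outside SQL
  UNION ALL SELECT 'plugin_dir', @@global.plugin_dir,
         @@global.secure_file_priv IS NULL OR
         (@@global.secure_file_priv <> '' AND
          @@global.plugin_dir NOT LIKE CONCAT(@@global.secure_file_priv, '%'))
  UNION ALL SELECT 'core_file', @@global.core_file, @@global.core_file = 0
  -- expected WEAK on a master; must be OK on every slave
  UNION ALL SELECT 'read_only', @@global.read_only, @@global.read_only = 1
  UNION ALL SELECT 'sha256_password_public_key_path', @@global.sha256_password_public_key_path,
         @@global.sha256_password_public_key_path <> ''
  -- temp files must not live where clients may drop files via secure_file_priv
  UNION ALL SELECT 'tmpdir', @@global.tmpdir,
         @@global.secure_file_priv IS NULL OR
         (@@global.secure_file_priv <> '' AND
          @@global.tmpdir NOT LIKE CONCAT(@@global.secure_file_priv, '%'))
) AS checks
ORDER BY ok, name;
```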
Questions and Answers
BGOUG 2014 Decrease Your MySQL Attack Surface

Editor's Notes

  • #19 CVE = Common Vulnerabilities and Exposures
  • #24 symbolic_links: don’t follow symlinks. default-storage-engine: InnoDB has fewer crashes than MyISAM. log-raw: when ON, passwords are not masked in the logs.
  • #25 chroot: chroot jail. core-file: write a core file if mysql dies. des-key-file: makes for safer logging.