1.

• Hardening the Defense of Database Server

• Database Security

2.

Presentation Outline

The Importance of Database Security

1

Finding Database Server Holes

2

Type of Database Attacks

3

Oracle Study Case

4

MySQL Study Case

5

3. Importance of Database Security

Databases often store sensitive data

4. Incorrect data or loss of data could negatively affect business operations 5. Databases can be used as bases to attack other systems from 6. Principles of Finding Holes

Don't believe the documentation

7. Implement your own client 8. Debug the system to understand how it works 9. Identify communication protocols 10. Understand arbitrary codeexecution bugs 11. Write your own "fuzzers" 12. Top Six Database Attack* [1]

Brute-force (or not) cracking of weak or default usernames/passwords

13. Privilege escalation 14. Exploiting unused and unnecessary database services and functionality 15. Targeting unpatched database vulnerabilities 16. SQL injection 17. Stolen backup (unencrypted) tapes* based on : http://www.darkreading.com/security/encryption/211201064/index.html 18. Top Six Database Attacks [2]

Cracking username/password

• Not to change default password is disaster

19. It is also better to change password periodically

Privilege Escalation

• Give right person right privilege

20. Avoid giving low-level user all database (even read only access)

Exploiting unnecessary service

• Attacker always find open listener feature

21. Only install features we need

22. Top Six Database Attacks [3]

Unpatched database vulnerabilities

• Many companies reluctant to patch their database because of availability

23. Database bugs many times posted in hacker website

24. Not to install small patch can lead big disaster

Stolen backup (unencrypted) tapes

• Type of insider or accidental attack

25. Encrypt the backup to prevent attack

26. Top Six Database Attacks [4]

SQL Injection

• Old but still widely used attacks

27. Usually exploit web application weakness

28. Result of poor practice application development 29. Use statement binding to filter user input 30. Case Study 31.

Security Checklists [1]

Oracle TNS Listener

• Set a TNS Listener Password (encrypted) to prevent unauthorized administration of the Listener

32. Turn on Admin Restrictions to ensure certain commands cannot be called remotely

33. Turn on TCP Valid Node Checking allow certain hosts to connect to the database server and prevent others 34. Turn off XML Database if it is not used 35. Turn off External Procedures if not required 36. Encrypt Network Traffic using the OracleNet Manager tool 37. Security Checklists [2]

Accounts

• Lock and Expire Unused Accounts

38. Define a user account naming standard

39. Define and Enforce a Good Password Policy

Roles

• Be careful to make new role and give meaningful name

40. All user accounts should be assigned to specific role with minimal privileges

41. Revoke any unnecessary permissions 42.

Security Checklists [3]

DBA Role

• Enable data protection to prevent users access sensitive tables

43. User secure PL/SQL coding standard, to ensure developers make secure PL/SQL programs

44. Perform security audits regularly 45. Before installing database, use checklist of what is needed and what is not 46. Install patching as soon as possible 47. Case Study 48.

Security Checklists [1]

Background

• Since MySQL is open source, find many resources in the Internet to find bugs and patches

49. Stay tune to MySQL security issue and MySQL update

Routine Audit

• Check logs to search common SQL injection

50. Audit the users and check the granted privileges

51. Check the hashing user password to double check password patterns 52.

Security Checklists [2]

MySQL Users

• Use strong password

53. Rename the root MySQL user to something obscure

54. Restrict MySQL usersby IP address and passwords 55. Never give anyone access to the mysql.user table

MySQL Configuration

• Enable logging via the --log option

56. Disallow the use of symbolic links

57. Remove the default test database 58. Ensure MySQL traffic is encrypted 59.

Security Checklists [3]

Operating System

• Turn off unnecessary services or daemons

60. Ensure MySQL data files cannot be read by users other than the root or Administrator account

61. Use a low-privileged MySQL account to run theMySQL daemon 62. Ensure MySQL users cannot access filesoutside of a limited set of directories 63.

Thank You !