Hardening the Defense of Database Servers
Importance of Database Security
Databases often store sensitive data
Incorrect or lost data can disrupt business operations
A compromised database can be used as a base from which to attack other systems
Principles of Finding Holes
Don’t believe the documentation
Implement your own client
Debug the system to understand how it works
Identify communication protocols
Understand arbitrary code execution bugs
Write your own “fuzzers”
Top Six Database Attacks* [1]
Brute-force (or not) cracking of weak or default usernames/passwords
Privilege escalation
Exploiting unused and unnecessary database services and functionality
Targeting unpatched database vulnerabilities
SQL injection
Stolen backup (unencrypted) tapes
* based on: http://www.darkreading.com/security/encryption/211201064/index.html
Cracking username/password: Leaving the default password unchanged is a disaster. Passwords should also be changed periodically.
Privilege escalation: Give the right person the right privilege. Do not give a low-level user access to the whole database, not even read-only access.
Exploiting unnecessary services: Attackers always look for open listeners and unused features. Install only the features you need.
Unpatched database vulnerabilities: Many companies are reluctant to patch their databases because of availability concerns. Database bugs are often posted on hacker websites, and skipping a small patch can lead to a big disaster.
Stolen backup (unencrypted) tapes: An insider or accidental attack. Encrypt backups so that a stolen tape is useless to the thief.
SQL injection: Old but still widely used. It usually exploits a web application weakness and is the result of poor application development practice. Use statement binding (bind variables / prepared statements) so that user input is passed as data and never parsed as SQL; filtering input on its own is not sufficient.
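The following is an added example, not code from the original slides. It shows the same user lookup written the injectable way (string concatenation) and the way the slide recommends (statement binding). It uses Python's built-in sqlite3 with an in-memory database so it runs offline; the table, its two rows and the attacker input are constructed for the demo.

```python
"""Added example (not from the slides): string-concatenated SQL next to
the bound-parameter version, run against an in-memory sqlite3 table."""
import sqlite3

# Constructed sample data: two users, each with a secret the other must not see.
SAMPLE_USERS = [
    ("alice", "alice-token"),
    ("bob", "bob-token"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: the input is spliced into the SQL text, so a
    # quote inside `name` closes the literal and the remainder is parsed as SQL.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    # Statement binding: the SQL text is fixed at development time and the
    # input travels as a parameter, so it is only ever compared as data.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload (constructed attacker input).
PAYLOAD = "nobody' OR '1'='1"


def demo() -> dict:
    """Run both lookups with the payload and one legitimate lookup."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # dumps every row
        "bound": lookup_bound(conn, PAYLOAD),            # no such user: []
        "legit": lookup_bound(conn, "alice"),            # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable query becomes `... WHERE name = 'nobody' OR '1'='1'`, which is true for every row; the bound query compares the column against the literal string `nobody' OR '1'='1` and returns nothing. The same split applies to any driver that offers placeholders (`?`, `%s`, `:name`), which is what "statement binding" means in practice.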
Oracle’s Perspective
Oracle TNS Listener
1. Set a TNS Listener password (stored encrypted) to prevent unauthorized administration of the Listener. On Oracle 11g and later the listener password is deprecated in favor of local OS authentication, so this mainly applies to older releases.
2. Turn on Admin Restrictions so that certain commands cannot be issued remotely
3. Turn on TCP Valid Node Checking to allow only specific hosts to connect to the database server and reject all others
4. Turn off XML Database if it is not used
5. Turn off External Procedures (extproc) if not required
6. Encrypt network traffic using the Oracle Net Manager tool
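As an added configuration example (not from the slides), here is what steps 2, 3, 5 and 6 look like in listener.ora and sqlnet.ora. The hostname, IP addresses and listener name are assumptions; the parameter names are Oracle's.

```ini
# listener.ora (added example; host and listener name are assumed)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )

# Step 2: refuse remote STOP, SET and similar administrative commands.
# Changes then require editing this file on the host itself.
ADMIN_RESTRICTIONS_LISTENER = ON

# Step 5: no SID_LIST entry with PROGRAM = extproc, so the listener never
# launches external procedures. Only add one if there is a documented need.

# sqlnet.ora (same host)
# Step 3: only the invited nodes may connect; everyone else is rejected
# before any database authentication happens.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.1.10, 10.0.1.11, appserver.example.com)

# Step 6: require native network encryption and integrity checking.
# These are the parameters Net Manager writes when you turn encryption on.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
```

Reload the listener after editing (`lsnrctl reload`, or stop/start). The available cipher and checksum algorithms depend on the Oracle release, so check the Net Services reference for your version before setting the `_TYPES_` lists. For step 4, the usual approach is to disable the XML DB HTTP and FTP ports from SQL (`DBMS_XDB.SETHTTPPORT(0)` and `DBMS_XDB.SETFTPPORT(0)`), which stops the listener from advertising those services.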
Accounts
Lock and expire unused accounts
Define a user account naming standard
Define and Enforce a Good Password Policy
Roles
Create new roles carefully and give each a meaningful name
All user accounts should be assigned to specific role with minimal privileges
Revoke any unnecessary permissions
DBA Role
Enable data protection controls so that ordinary users cannot access sensitive tables
Use a secure PL/SQL coding standard, so that developers produce secure PL/SQL programs
Perform security audits regularly
Before installing the database, use a checklist of what is needed and what is not
Install patches as soon as possible
MySQL’s Perspective
Background
Since MySQL is open source, many resources on the Internet track its bugs and patches. Stay tuned to MySQL security issues and MySQL updates.
Routine Audit
Check the logs for common SQL injection patterns
Audit the users and check the granted privileges
Check the stored password hashes to spot weak patterns (empty hashes, or the same hash reused across accounts)
MySQL Users
Use strong passwords
Rename the root MySQL user to something obscure
Restrict MySQL users by source host/IP address as well as by password
Never give anyone access to the mysql.user table
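The following is an added example, not code from the slides, covering both the Routine Audit and MySQL Users points above: one audit pass over a constructed dump of selected mysql.user columns and a few constructed general-log lines. The row layout (user, host, authentication_string, a summarized set of global privileges) and the log line format are assumptions for the demo; the checks follow the slides' advice (empty or shared password hashes, wildcard hosts, an account literally named root, blanket global privileges, and injection shapes in logged queries).

```python
"""Added example (not from the slides): routine audit of constructed
mysql.user rows and constructed general-log lines."""
import re
from collections import Counter

# Constructed rows: (user, host, authentication_string, global privileges).
SAMPLE_USERS = [
    ("root", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19", {"ALL"}),
    ("root", "%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19", {"ALL"}),
    ("app", "10.0.0.5", "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B", {"SELECT", "INSERT"}),
    ("report", "10.0.0.%", "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B", {"SELECT"}),
    ("legacy", "%", "", {"FILE", "SELECT"}),
]

# Constructed general-log style lines (timestamp, thread id, command, text).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 12 Query SELECT * FROM orders WHERE id = 42",
    "2024-01-01T10:00:01Z 13 Query SELECT * FROM users WHERE name = 'x' OR '1'='1'",
    "2024-01-01T10:00:02Z 14 Query SELECT id FROM items WHERE id = 1 UNION SELECT user FROM mysql.user",
    "2024-01-01T10:00:03Z 15 Query UPDATE orders SET status = 'shipped' WHERE id = 42",
]

# Global privileges that amount to owning the server: FILE reads and writes
# the filesystem as the daemon, SUPER/PROCESS expose other sessions.
DANGEROUS_GLOBAL = {"ALL", "FILE", "SUPER", "PROCESS", "GRANT OPTION"}


def audit_users(rows):
    """Return (account, finding) pairs for the user and privilege checks."""
    findings = []
    # mysql_native_password hashes are unsalted, so identical hashes mean
    # identical passwords across accounts.
    hash_owners = Counter(auth for _, _, auth, _ in rows if auth)
    for user, host, auth, privs in rows:
        acct = f"'{user}'@'{host}'"
        if not auth:
            findings.append((acct, "empty password"))
        elif hash_owners[auth] > 1:
            findings.append((acct, "password hash shared with another account"))
        if host == "%":
            findings.append((acct, "reachable from any host"))
        if user == "root":
            findings.append((acct, "well-known superuser name"))
        bad = sorted(privs & DANGEROUS_GLOBAL)
        if bad:
            findings.append((acct, "global privilege(s): " + ", ".join(bad)))
    return findings


# Common injection shapes to look for in logged query text.
INJECTION_PATTERNS = [
    ("tautology", re.compile(r"'\s*OR\s*'?\w+'?\s*=\s*'?\w+", re.I)),
    ("union-based", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("file access", re.compile(r"\bLOAD_FILE\s*\(|\bINTO\s+OUTFILE\b", re.I)),
    ("schema probing", re.compile(r"\binformation_schema\b|\bmysql\.user\b", re.I)),
]


def scan_log(lines):
    """Return (label, line) pairs for every log line matching a pattern."""
    hits = []
    for line in lines:
        for label, pattern in INJECTION_PATTERNS:
            if pattern.search(line):
                hits.append((label, line))
    return hits


if __name__ == "__main__":
    for acct, finding in audit_users(SAMPLE_USERS):
        print(f"{acct}: {finding}")
    for label, line in scan_log(SAMPLE_LOG):
        print(f"[{label}] {line}")
```

On a live server the rows come from `SELECT user, host, authentication_string FROM mysql.user` plus `SHOW GRANTS FOR ...` for each account; only the auditing DBA should run that query, since the slide's last point (nobody else gets at mysql.user) still holds. The log patterns are deliberately narrow to keep false positives low; a benign UPDATE with quoted literals, as in the last sample line, is not flagged.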
MySQL Configuration
Enable logging via the --log option (removed in MySQL 5.6; on current versions use general_log, and keep the error log)
Disallow the use of symbolic links
Remove the default test database
Ensure MySQL traffic is encrypted
Operating System
Turn off unnecessary services or daemons
Ensure MySQL data files cannot be read by any user other than the MySQL service account and root/Administrator
Use a low-privileged MySQL account to run the MySQL daemon
Ensure MySQL users cannot access files outside of a limited set of directories
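As an added configuration example (not from the slides), the MySQL Configuration and Operating System points above as a `[mysqld]` fragment of my.cnf. The bind address, file paths and the service account name are assumptions; the option names are MySQL's.

```ini
# /etc/my.cnf, [mysqld] section (added example; paths and addresses assumed)
[mysqld]
# Run the daemon as a dedicated low-privilege OS account, never as root.
user = mysql

# Listen only where the application servers are; pair this with per-account
# host restrictions such as 'app'@'10.0.0.5' rather than 'app'@'%'.
bind-address = 10.0.0.3

# Logging: --log was removed in 5.6; the general query log is general_log.
general_log = ON
general_log_file = /var/log/mysql/general.log
log_error = /var/log/mysql/error.log

# Disallow symbolic links so a table cannot be pointed at a file outside datadir.
symbolic-links = 0

# Encrypt client traffic and refuse plaintext connections outright.
require_secure_transport = ON
ssl_ca = /etc/mysql/ssl/ca.pem
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem

# Confine LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() to one directory,
# and disable the client-side LOAD DATA LOCAL path entirely.
secure_file_priv = /var/lib/mysql-files
local_infile = 0
```

Two points from the lists do not live in my.cnf: the data directory itself should be owned by the service account with no access for other users (for example `chown -R mysql:mysql /var/lib/mysql` and `chmod 750 /var/lib/mysql`), and the default test database is removed with `DROP DATABASE IF EXISTS test;` followed by deleting the `test%` rows from mysql.db and `FLUSH PRIVILEGES`, which is what `mysql_secure_installation` does for you. With `require_secure_transport` on, make sure every client already connects over TLS or you will lock them out when the server restarts.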