
Importance of Database Security:

  1. Databases often store sensitive data
  2. Incorrect data or loss of data could negatively affect business operations
  3. Databases can be used as bases to attack other systems from.

 

Principles of Finding Holes

Don’t believe the documentation

  1. Implement your own client
  2. Debug the system to understand how it works
  3. Identify communication protocols
  4. Understand arbitrary code execution bugs
  5. Write your own “fuzzers”

 

Top Six Database Attacks [1]

  1. Brute-force (or not) cracking of weak or default usernames/passwords
  2. Privilege escalation
  3. Exploiting unused and unnecessary database services and functionality
  4. Targeting unpatched database vulnerabilities
  5. SQL injection
  6. Stolen backup (unencrypted) tapes

[1] Based on: http://www.darkreading.com/security/encryption/211201064/index.html

Cracking usernames/passwords: Leaving the default password unchanged is a disaster. It is also better to change passwords periodically.

Privilege escalation: Give the right person the right privilege. Avoid giving a low-level user access to the whole database (even read-only access).

Exploiting unnecessary services: Attackers always look for open listener features. Only install the features you need.

Unpatched database vulnerabilities: Many companies are reluctant to patch their databases because of availability concerns. Database bugs are often posted on hacker websites. Failing to install a small patch can lead to a big disaster.

Stolen backup (unencrypted) tapes: A type of insider or accidental attack. Encrypt the backups to prevent it.

SQL injection: An old but still widely used attack. It usually exploits a web application weakness and is the result of poor application development practice. Use statement binding (bind variables / prepared statements) so that user input is passed as data and never becomes part of the SQL text.
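As an added illustration of the last point (example code, not from the original article), here is the string-built query that the poor practice produces next to the statement-bound version. It uses Python's sqlite3 module with a constructed in-memory users table so it runs offline; the placeholder syntax is `?` here, `%s` with MySQL Connector/Python and `:name` bind variables with Oracle's driver, but the principle is identical.

```python
import sqlite3

def build_db():
    # Constructed in-memory table standing in for an application's users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con

def lookup_unsafe(con, name):
    # Poor practice: the user-supplied value is pasted into the SQL text,
    # so quote characters inside it change the meaning of the statement.
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in con.execute(sql))

def lookup_bound(con, name):
    # Statement binding: the value travels as a parameter and is only ever
    # compared against the column; the database never parses it as SQL.
    cur = con.execute("SELECT role FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in cur)

if __name__ == "__main__":
    con = build_db()
    crafted = "x' OR '1'='1"   # constructed input that closes the quote early
    print("unsafe:", lookup_unsafe(con, crafted))   # every role leaks
    print("bound: ", lookup_bound(con, crafted))    # [] - no user has that name
```

The bound version needs no input filtering at all: whatever the string contains, it is compared literally against the `name` column, which is why binding is the recommended fix rather than escaping.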

 

Oracle’s Perspective

Oracle TNS Listener

  1. Set a TNS Listener password (stored encrypted) to prevent unauthorized administration of the Listener
  2. Turn on Admin Restrictions to ensure certain commands cannot be called remotely
  3. Turn on TCP Valid Node Checking to allow only certain hosts to connect to the database server and reject all others
  4. Turn off XML Database if it is not used
  5. Turn off External Procedures if not required
  6. Encrypt network traffic using the Oracle Net Manager tool
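As an added example (not from the original article), these are the settings behind steps 1, 2, 3, 5 and 6 in Oracle's network configuration files. The listener name LISTENER is Oracle's default; the addresses in TCP.INVITED_NODES are constructed placeholders.

```ini
# listener.ora  (added example; LISTENER is the default listener name)
# Step 2: refuse remote administrative commands such as STOP or SET
ADMIN_RESTRICTIONS_LISTENER = ON
# Step 1: the password is not typed into this file by hand. Set it with
#   lsnrctl> change_password      and then      lsnrctl> save_config
# which stores it here as PASSWORDS_LISTENER in hashed form.
# Step 5: remove any SID_LIST entry whose PROGRAM = extproc when external
# procedures are not required.

# sqlnet.ora
# Step 3: only the listed hosts may reach the listener (constructed addresses)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.10, 10.0.0.11)
# Step 6: native network encryption and integrity checking, the parameters
# that Oracle Net Manager writes when encryption is configured in its profile
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
```

Restart or reload the listener after editing listener.ora; sqlnet.ora changes apply to new connections. With ENCRYPTION_SERVER = REQUIRED, clients that cannot negotiate encryption are refused, so test with the application's own client before rolling out.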

Accounts

Lock and Expire Unused Accounts

Define a user account naming standard

Define and Enforce a Good Password Policy

Roles

Be careful when creating new roles and give them meaningful names

All user accounts should be assigned to a specific role with minimal privileges

Revoke any unnecessary permissions

DBA Role

Enable data protection to prevent users from accessing sensitive tables

Use a secure PL/SQL coding standard to ensure developers write secure PL/SQL programs

Perform security audits regularly

Before installing the database, use a checklist of what is needed and what is not

Install patches as soon as possible

 

MySQL’s Perspective

Background

Since MySQL is open source, there are many resources on the Internet for finding bugs and patches. Stay tuned to MySQL security issues and MySQL updates.

Routine Audit

Check logs for common SQL injection patterns

Audit the users and check the granted privileges

Check the stored password hashes to double-check for weak password patterns
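The three routine audit checks above, as an added example that is not part of the original article. The log lines, user rows and grant summaries are constructed samples; the log format approximates MySQL's general query log, and the password check assumes accounts using the mysql_native_password scheme (`*` followed by upper-case hex SHA1(SHA1(password))), so it does not cover caching_sha2_password accounts.

```python
import hashlib
import re

# Constructed sample lines in the style of MySQL's general query log.
SAMPLE_LOG = """\
2023-06-21T10:42:01.000000Z    12 Query     SELECT * FROM users WHERE name = 'alice'
2023-06-21T10:42:02.000000Z    12 Query     SELECT * FROM users WHERE name = '' OR '1'='1'
2023-06-21T10:42:03.000000Z    13 Query     SELECT id FROM orders WHERE id = 5 UNION SELECT authentication_string FROM mysql.user
2023-06-21T10:42:04.000000Z    14 Query     SELECT price FROM products WHERE id = 7
2023-06-21T10:42:05.000000Z    15 Query     SELECT price FROM products WHERE id = 7; DROP TABLE products
"""

LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")

# Signatures for the most common injection shapes: always-true comparisons,
# UNION-based data extraction and stacked statements.
SIGNATURES = {
    "tautology": re.compile(r"\bor\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked": re.compile(r";\s*(?:drop|delete|insert|update|alter|create)\b", re.I),
}

def scan_log(text):
    """Return (connection id, [matched signatures]) for each suspicious query."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        conn_id, query = m.groups()
        matched = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if matched:
            hits.append((conn_id, matched))
    return hits

def native_hash(password):
    """mysql_native_password hash: '*' + SHA1(SHA1(password)) in upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Constructed rows in the shape of mysql.user plus a grant summary:
# (user, host, authentication_string, grants).
SAMPLE_USERS = [
    ("root", "localhost", native_hash("Tr0ub4dor&3-constructed"), "ALL PRIVILEGES ON *.*"),
    ("app", "%", native_hash("password"), "SELECT, INSERT ON shop.*"),
    ("report", "10.0.0.5", "", "SELECT ON mysql.user"),
]

WEAK_WORDS = ("password", "123456", "root", "mysql")

def audit_users(rows, weak_words=WEAK_WORDS):
    """Map 'user@host' to the policy findings for that account."""
    findings = {}
    for user, host, auth, grants in rows:
        issues = []
        if user == "root":
            issues.append("default root account name still in use")
        if host == "%":
            issues.append("host wildcard: not restricted by IP address")
        if auth == "":
            issues.append("no password set")
        elif auth in {native_hash(w) for w in (*weak_words, user)}:
            issues.append("password matches a weak-password wordlist")
        if "mysql.user" in grants:
            issues.append("has access to the mysql.user table")
        if issues:
            findings[f"{user}@{host}"] = issues
    return findings

if __name__ == "__main__":
    for conn_id, sigs in scan_log(SAMPLE_LOG):
        print(f"connection {conn_id}: {', '.join(sigs)}")
    for account, issues in audit_users(SAMPLE_USERS).items():
        print(account, "->", "; ".join(issues))
```

On a live server the rows come from `SELECT user, host, authentication_string FROM mysql.user` and `SHOW GRANTS FOR 'user'@'host'`; the hash comparison only needs the stored hashes, so the audit never handles cleartext passwords other than the wordlist it tests.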

MySQL Users

Use strong password

Rename the root MySQL user to something obscure

Restrict MySQL users by IP address and passwords

Never give anyone access to the mysql.user table

MySQL Configuration

Enable logging via the --log option

Disallow the use of symbolic links

Remove the default test database

Ensure MySQL traffic is encrypted

 

Operating System

Turn off unnecessary services or daemons

Ensure MySQL data files cannot be read by users other than the root or Administrator account

Use a low-privileged MySQL account to run the MySQL daemon

Ensure MySQL users cannot access files outside of a limited set of directories
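A small checker for the configuration and operating-system items above, added here as an example and not taken from the original article. The two my.cnf fragments are constructed; the option names are MySQL's own (general_log is the modern form of the old --log option, require_secure_transport exists from MySQL 5.7.8, and secure_file_priv is the setting that confines file import/export to one directory). Treating an absent symbolic-links option as enabled follows MySQL's default and is an assumption worth confirming on your version.

```python
# Constructed my.cnf fragments: the first misses the hardening settings,
# the second applies them.
WEAK_CNF = """\
[mysqld]
datadir=/var/lib/mysql
symbolic-links=1
"""

HARDENED_CNF = """\
[mysqld]
user=mysql                      # run the daemon as a low-privileged account
datadir=/var/lib/mysql
general_log=ON                  # query logging (successor of the old --log option)
general_log_file=/var/log/mysql/general.log
symbolic-links=0                # disallow symlinked tables
require_secure_transport=ON     # refuse unencrypted client connections
secure_file_priv=/var/lib/mysql-files   # confine file import/export to one directory
"""

def parse_mysqld(text):
    """Collect [mysqld] options; '-' and '_' are interchangeable in option names."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        val = val.strip() or "ON"          # a bare option name means enabled
        if key.startswith("skip_"):        # skip-xyz is the same as xyz=OFF
            key, val = key[5:], "OFF"
        opts[key] = val
    return opts

def enabled(value):
    return value.upper() in ("1", "ON", "TRUE", "YES")

def check_config(opts):
    """Return the checklist items the configuration fails."""
    findings = []
    if opts.get("user") != "mysql":
        findings.append("user: daemon not pinned to the low-privileged mysql account")
    if not enabled(opts.get("general_log", opts.get("log", "OFF"))):
        findings.append("general_log: query logging is off")
    if enabled(opts.get("symbolic_links", "ON")):   # assumed default: ON
        findings.append("symbolic-links: symlinks allowed, set symbolic-links=0")
    if not enabled(opts.get("require_secure_transport", "OFF")):
        findings.append("require_secure_transport: unencrypted connections accepted")
    if not opts.get("secure_file_priv"):
        findings.append("secure_file_priv: file access not confined to a directory")
    return findings

def datadir_exposed(mode):
    """True when a data directory mode (e.g. 0o755) grants any access to 'other'."""
    return (mode & 0o007) != 0

if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, check_config(parse_mysqld(cnf)) or "passes all checks")
    print("0o755 exposes data dir:", datadir_exposed(0o755))
```

The data-file check complements the config check: on the host, `stat -c %a /var/lib/mysql` gives the mode to feed `datadir_exposed`, and `chown -R mysql:mysql` plus `chmod 750` on the data directory is the usual fix. Removing the default test database is a one-off `DROP DATABASE test;` that no config option replaces.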

Categories: Knowledgebase
