Database Security

Hardening the Defense

of Database Server
 Presentation Outline

1 The Importance of Database Security

2 Finding Database Server Holes

3 Type of Database Attacks

4 Oracle Study Case

5 MySQL Study Case

 Importance of Database Security

 Databases often store sensitive data

 Incorrect data or loss of data could

negatively affect business operations

 Databases can be used as bases to attack

other systems from
 Principles of Finding Holes

 Don't believe the documentation

 Implement your own client

 Debug the system to understand how it works

 Identify communication protocols

 Understand arbitrary code

execution bugs
 Write your own "fuzzers"
 Top Six Database Attack* [1]

 Brute-force (or not) cracking of weak or

default usernames/passwords
 Privilege escalation

 Exploiting unused and unnecessary database

services and functionality
 Targeting unpatched database vulnerabilities

 SQL injection

 Stolen backup (unencrypted) tapes

* based on : http://www.darkreading.com/security/encryption/211201064/index.html
 Top Six Database Attacks [2]

 Cracking username/password
 Not to change default password is disaster
 It is also better to change password periodically

 Privilege Escalation
 Give right person right privilege
 Avoid giving low-level user all database (even read
only access)

 Exploiting unnecessary service

 Attacker always find open listener feature
 Only install features we need
 Top Six Database Attacks [3]

 Unpatched database vulnerabilities

 Many companies reluctant to patch their database
because of availability
 Database bugs many times posted in hacker website
 Not to install small patch can lead big disaster

 Stolen backup (unencrypted) tapes

 Type of insider or accidental attack
 Encrypt the backup to prevent attack
 Top Six Database Attacks [4]

 SQL Injection
 Old but still widely used attacks
 Usually exploit web application weakness
 Result of poor practice application development
 Use statement binding to filter user input
Case Study
 Security Checklists [1]

 Oracle TNS Listener

 Set a TNS Listener Password (encrypted) to prevent
unauthorized administration of the Listener
 Turn on Admin Restrictions to ensure certain
commands cannot be called remotely
 Turn on TCP Valid Node Checking allow certain hosts
to connect to the database server and prevent others
 Turn off XML Database if it is not used
 Turn off External Procedures if not required
 Encrypt Network Traffic using the Oracle
Net Manager tool
 Security Checklists [2]

 Accounts
 Lock and Expire Unused Accounts
 Define a user account naming standard
 Define and Enforce a Good Password Policy
 Roles
 Be careful to make new role and give meaningful name
 All user accounts should be assigned to specific role with
minimal privileges
 Revoke any unnecessary permissions
 Security Checklists [3]

 DBA Role
 Enable data protection to prevent users access
sensitive tables
 User secure PL/SQL coding standard, to ensure
developers make secure PL/SQL programs
 Perform security audits regularly
 Before installing database, use checklist of what is
needed and what is not
 Install patching as soon as possible
Case Study
 Security Checklists [1]

 Background
 Since MySQL is open source, find many resources in the
Internet to find bugs and patches
 Stay tune to MySQL security issue and MySQL update
 Routine Audit
 Check logs to search common SQL injection
 Audit the users and check the granted privileges
 Check the hashing user password to double check password
patterns
 Security Checklists [2]

 MySQL Users
 Use strong password
 Rename the root MySQL user to something obscure
 Restrict MySQL users by IP address and passwords
 Never give anyone access to the mysql.user table
 MySQL Configuration
 Enable logging via the --log option
 Disallow the use of symbolic links
 Remove the default test database
 Ensure MySQL traffic is encrypted
 Security Checklists [3]

 Operating System
 Turn off unnecessary services or daemons
 Ensure MySQL data files cannot be read by users other than
the root or Administrator account
 Use a low-privileged MySQL account to run the
MySQL daemon
 Ensure MySQL users cannot access files
outside of a limited set of directories