SlideShare une entreprise Scribd logo

Database security2 adebiaye

Télécharger en tant que PPTX, PDF
DR RICHMOND ADEBIAYE
DR RICHMOND ADEBIAYE

The simplest way to secure your Database especially in Oracle

Technologie
1  sur  26
DATABASE SECURITY The more you sweat in training, the less you’ll bleed in battle. Dr Richmond Adebiaye, CISSP, CISM, VCP
OUTLINE  Why is database security important?  Our environment  General Strategies and Tactics for Hardening Databases  Oracle  SQL Server  MySQL
WHY IS DATABASE SECURITY IMPORTANT?  Databases often store data which is sensitive in nature  Incorrect data or loss of data could negatively affect business operations  Databases can be used as bases to attack other systems from
OUR ENVIRONMENT *Figures found by scanning for open ports commonly used by the respective software.
HARDENING DATABASES – GENERAL STRATEGIES AND TACTICS  Principle of Least Privilege!  Stay up-to-date on patches  Remove/disable unneeded default accounts  Firewalling/Access Control  Running Database processes under dedicated non- privileged account.  Password Security  Disable unneeded components  Stored Procedures and Triggers
PRINCIPLE OF LEAST PRIVILEGE  If X service doesn’t need access to all tables in Y database… then don’t give it access to all tables.  Example: A web application that reads a list of people from a database and lists them on a website. The database also contains sensitive information about those people. The account used by the web application should not be allowed to read the table that contains sensitive non-public information.  Do not give accounts privileges that aren’t needed  Unneeded privileges to accounts allow more opportunity for privilege escalation attacks.
HARDENING DATABASES – FIREWALL/ACCESS CONTROL  Throttling connections – make it harder for the bad guys to brute-force or guess passwords  Use firewall software like IPTables  Xinetd may be useful for throttling  It’s possible that throttling could deny access to applications which make a large amount of connections legitimately.  Reducing the surface area of attack with firewall rules  Don’t let the world connect to your database server.
HARDENING DATABASES – PASSWORD SECURITY  Strong passwords are a must  Constant brute-force attacks are happening across campus. Esp. against SQL Server  Default passwords are a problem  MySQL: root@localhost:<blank>  SQL Server: sa:<blank> (Old, but still seen sometimes)  Oracle: …  Built in password policy control seems rare  How can we enforce password policy?
HARDENING DATABASES – STORED PROCEDURES, TRIGGERS  Stored Procedures and Triggers can lead to privilege escalation and compromise. Be sure to be thinking about security implications when allowing the creation of, and creating these.
HARDENING DATABASES – DISABLE UNNEEDED COMPONENTS  Just like disabling unneeded services for an operating system is a good idea disabling unneeded components for databases is a good idea.  XML FTP (Oracle)  Named Pipes access (SQL Server)
SELECT slides FROM Oracle presentation.
ORACLE’S VULNERABILITY HISTORY If [the] Oracle could see into the future... the “Unbreakable” marketing campaign may have not been a good idea.  A search on milw0rm’s exploit catalogue returns  27 exploits dated from 11/16/2000 – 07/19/2007
VULNERABILITY HISTORY (CONT.) Data and quote from The Oracle Hacker’s Handbook: “[…] 2003 and beyond […] the numbers went through the roof […]”
HARDING ORACLE - TNS LISTENER TNS Listener  “The TNS Listener is the hub of all communications in Oracle. […] When a client wishes to access the database server, the client connects first to the Listener. […] In versions of Oracle prior to 10g, the TNS Listener could be administered remotely What makes this particularly dangerous is the fact that by default the Listener is installed without a password […]” – The Database Hacker’s Handbook
HARDING ORACLE - TNS LISTENER  Set a password for TNS Listener Administration  listener.ora file  PASSWORDS_listenername = somepass  Use the lsnrctl utility  LSNRCTL> change_password
HARDENING ORACLE - DEFAULT ACCOUNTS  Decent amount of default accounts  Be aware what they are  Ensure the passwords do in fact get changed appropriatly  10g forces admin to set passwords for many default accounts on install and may lock or expire them.
SELECT slides FROM SQL Server presentation.
HARDENING SQL SERVER – LOCAL ADMINS  Removing Local BuiltinAdministrators group from sysadmins  If they are an administrator on a system running SQL Server they can get to anything in any database.
HARDENING SQL SERVER - AUTHENTICATION  If configured to use Windows Authentication password policy can be enforced!
HARDENING SQL SERVER – XP_CMDSHELL  Do not enable this on install of SQL Server 2k5 unless absolutely necessary
SELECT slides FROM MySQL presentation.
HARDING MYSQL – DISABLING NETWORK ACCESS  If your Database is only for being accessed by someone/something on the same machine  disable network-based access with the --skip- networking option  Firewall off the port MySQL is listening on (typically port 3306)
HARDENING MYSQL - ACCOUNT TYPES  Identity is determined by username AND the location connected from - Coolness  Scope Identities appropriately  Allow bob to login from any uiowa.edu hostname  GRANT […] ON somedb.sometable TO BOB@’%.uiowa.edu’;  Allow bob to login from any campus IP address  GRANT […] ON somedb.sometable TO BOB@’128.255.0.0/255.255.0.0’;
HARDENING MYSQL – ENCRYPTING TRAFFIC  MySQL supports encrypting traffic with SSL  Consider using GRANT … REQUIRE SSL or similar for an account  Useful for accounts that may be accessing sensitive data and/or data that is required to be encrypted by some requirement.
RESOURCES  The Database D.Litchfield, C.Anley, J. Heasman, B. Grindlay, Hacker’s Handbook – Defending Database Servers, Indianapolis: Wiley Publishing Inc., 2005.  Available on Books 24x7  D.Litchfield, The Oracle® Hacker’s Handbook: Hacking and Defending Oracle, Indianapolis: Wiley Publishing Inc., 2007.  Available on Books 24x7  http://databasesecurity.com  http://blogs.msdn.com/raulga/archive/2007/01/04/dynamic -sql-sql-injection.aspx  http://msdn.microsoft.com/msdnmag/issues/05/06/SQLSe rverSecurity/default.aspx  http://www.cgisecurity.com
Questions or Comments?

Recommandé

Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security PresentationFrancisco Alvarez
 
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyOracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyPythian
 
Oracle Key Vault Overview
Oracle Key Vault OverviewOracle Key Vault Overview
Oracle Key Vault OverviewTroy Kitch
 
Presentation database security enhancements with oracle
Presentation database security enhancements with oraclePresentation database security enhancements with oracle
Presentation database security enhancements with oraclexKinAnx
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingDLT Solutions
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQLVittorio Cioe
 
Presentation database security audit vault & database firewall
Presentation database security audit vault & database firewallPresentation database security audit vault & database firewall
Presentation database security audit vault & database firewallxKinAnx
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructureZabeel Institute
 

Recommandé

Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security PresentationFrancisco Alvarez
 
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyOracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyPythian
 
Oracle Key Vault Overview
Oracle Key Vault OverviewOracle Key Vault Overview
Oracle Key Vault OverviewTroy Kitch
 
Presentation database security enhancements with oracle
Presentation database security enhancements with oraclePresentation database security enhancements with oracle
Presentation database security enhancements with oraclexKinAnx
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingDLT Solutions
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQLVittorio Cioe
 
Presentation database security audit vault & database firewall
Presentation database security audit vault & database firewallPresentation database security audit vault & database firewall
Presentation database security audit vault & database firewallxKinAnx
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructureZabeel Institute
 
Ahsay backup
Ahsay backupAhsay backup
Ahsay backupTheArturoO
 
Mysql security 5.7
Mysql security 5.7 Mysql security 5.7
Mysql security 5.7 Mark Swarbrick
 
Simple Way for MySQL to NoSQL
Simple Way for MySQL to NoSQLSimple Way for MySQL to NoSQL
Simple Way for MySQL to NoSQLOkcan Yasin Saygılı
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure security What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure securityZabeel Institute
 
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...Andre Essing
 
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Orgad Kimchi
 
Intro To MySQL 2019
Intro To MySQL 2019Intro To MySQL 2019
Intro To MySQL 2019Mark Swarbrick
 
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Morgan Simonsen
 
Apptimized SafeBox
Apptimized SafeBoxApptimized SafeBox
Apptimized SafeBoxApptimized
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...InSync2011
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security FundamentalsLorenzo Barbieri
 
03_Azure Security Center_GAB2019
03_Azure Security Center_GAB201903_Azure Security Center_GAB2019
03_Azure Security Center_GAB2019Kumton Suttiraksiri
 
MySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMark Swarbrick
 
[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...European Collaboration Summit
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azuresaitoserge
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Adnene Guabtni
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database VaultMarco Alamanni
 
DevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityDevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityGeorgi Kodinov
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryptionDR RICHMOND ADEBIAYE
 
DESCUBRÍ ARGENTINA
DESCUBRÍ ARGENTINADESCUBRÍ ARGENTINA
DESCUBRÍ ARGENTINAfatimabeatrizcardoso
 

Contenu connexe

Tendances

Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure security What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure securityZabeel Institute
 
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...Andre Essing
 
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Orgad Kimchi
 
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Morgan Simonsen
 
Apptimized SafeBox
Apptimized SafeBoxApptimized SafeBox
Apptimized SafeBoxApptimized
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...InSync2011
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security FundamentalsLorenzo Barbieri
 
03_Azure Security Center_GAB2019
03_Azure Security Center_GAB201903_Azure Security Center_GAB2019
03_Azure Security Center_GAB2019Kumton Suttiraksiri
 
MySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMark Swarbrick
 
[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...European Collaboration Summit
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azuresaitoserge
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Adnene Guabtni
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
DevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityDevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityGeorgi Kodinov
 

Tendances (20)

Ahsay backup
Ahsay backupAhsay backup
Ahsay backup
 
Mysql security 5.7
Mysql security 5.7 Mysql security 5.7
Mysql security 5.7
 
Simple Way for MySQL to NoSQL
Simple Way for MySQL to NoSQLSimple Way for MySQL to NoSQL
Simple Way for MySQL to NoSQL
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting started
 
What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure security What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure security
 
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
 
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
 
Intro To MySQL 2019
Intro To MySQL 2019Intro To MySQL 2019
Intro To MySQL 2019
 
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
 
Apptimized SafeBox
Apptimized SafeBoxApptimized SafeBox
Apptimized SafeBox
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security Fundamentals
 
03_Azure Security Center_GAB2019
03_Azure Security Center_GAB201903_Azure Security Center_GAB2019
03_Azure Security Center_GAB2019
 
MySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the Dolphin
 
[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azure
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
DevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityDevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 Security
 

En vedette

Essential introduction to computers adebiaye
Essential introduction to computers adebiayeEssential introduction to computers adebiaye
Essential introduction to computers adebiayeDR RICHMOND ADEBIAYE
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)maditabalnco
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsBarry Feldman
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome EconomyHelge Tennø
 

En vedette (6)

Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
DESCUBRÍ ARGENTINA
DESCUBRÍ ARGENTINADESCUBRÍ ARGENTINA
DESCUBRÍ ARGENTINA
 
Essential introduction to computers adebiaye
Essential introduction to computers adebiayeEssential introduction to computers adebiaye
Essential introduction to computers adebiaye
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post Formats
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome Economy
 

Similaire à Database security2 adebiaye

DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxsiti829412
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure worldGianluca Sartori
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseWinWire Technologies Inc
 
Ohio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLOhio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLDave Stokes
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesMariaDB plc
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
From Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise EditionFrom Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise Edition郁萍 王
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseSinanPetrusToma
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseEDB
 
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Cloudera, Inc.
 
Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015Connor McDonald
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptCNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptLokeshK66
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionOlivier DASINI
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesMariaDB plc
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 

Similaire à Database security2 adebiaye (20)

DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
Ohio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLOhio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQL
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
 
Database security
Database securityDatabase security
Database security
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Database security issues
Database security issuesDatabase security issues
Database security issues
 
From Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise EditionFrom Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise Edition
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous Database
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres Database
 
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
 
Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Vault_KT.pptx
Vault_KT.pptxVault_KT.pptx
Vault_KT.pptx
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Dernier (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Database security2 adebiaye

  • 1. DATABASE SECURITY The more you sweat in training, the less you’ll bleed in battle. Dr Richmond Adebiaye, CISSP, CISM, VCP
  • 2. OUTLINE  Why is database security important?  Our environment  General Strategies and Tactics for Hardening Databases  Oracle  SQL Server  MySQL
  • 3. WHY IS DATABASE SECURITY IMPORTANT?  Databases often store data which is sensitive in nature  Incorrect data or loss of data could negatively affect business operations  Databases can be used as bases to attack other systems from
  • 4. OUR ENVIRONMENT *Figures found by scanning for open ports commonly used by the respective software.
  • 5. HARDENING DATABASES – GENERAL STRATEGIES AND TACTICS  Principle of Least Privilege!  Stay up-to-date on patches  Remove/disable unneeded default accounts  Firewalling/Access Control  Running Database processes under dedicated non- privileged account.  Password Security  Disable unneeded components  Stored Procedures and Triggers
  • 6. PRINCIPLE OF LEAST PRIVILEGE  If X service doesn’t need access to all tables in Y database… then don’t give it access to all tables.  Example: A web application that reads a list of people from a database and lists them on a website. The database also contains sensitive information about those people. The account used by the web application should not be allowed to read the table that contains sensitive non-public information.  Do not give accounts privileges that aren’t needed  Unneeded privileges to accounts allow more opportunity for privilege escalation attacks.
  • 7. HARDENING DATABASES – FIREWALL/ACCESS CONTROL  Throttling connections – make it harder for the bad guys to brute-force or guess passwords  Use firewall software like IPTables  Xinetd may be useful for throttling  It’s possible that throttling could deny access to applications which make a large amount of connections legitimately.  Reducing the surface area of attack with firewall rules  Don’t let the world connect to your database server.
  • 8. HARDENING DATABASES – PASSWORD SECURITY  Strong passwords are a must  Constant brute-force attacks are happening across campus. Esp. against SQL Server  Default passwords are a problem  MySQL: root@localhost:<blank>  SQL Server: sa:<blank> (Old, but still seen sometimes)  Oracle: …  Built in password policy control seems rare  How can we enforce password policy?
  • 9. HARDENING DATABASES – STORED PROCEDURES, TRIGGERS  Stored Procedures and Triggers can lead to privilege escalation and compromise. Be sure to be thinking about security implications when allowing the creation of, and creating these.
  • 10. HARDENING DATABASES – DISABLE UNNEEDED COMPONENTS  Just like disabling unneeded services for an operating system is a good idea disabling unneeded components for databases is a good idea.  XML FTP (Oracle)  Named Pipes access (SQL Server)
  • 11. SELECT slides FROM Oracle presentation.
  • 12. ORACLE’S VULNERABILITY HISTORY If [the] Oracle could see into the future... the “Unbreakable” marketing campaign may have not been a good idea.  A search on milw0rm’s exploit catalogue returns  27 exploits dated from 11/16/2000 – 07/19/2007
  • 13. VULNERABILITY HISTORY (CONT.) Data and quote from The Oracle Hacker’s Handbook: “[…] 2003 and beyond […] the numbers went through the roof […]”
  • 14. HARDING ORACLE - TNS LISTENER TNS Listener  “The TNS Listener is the hub of all communications in Oracle. […] When a client wishes to access the database server, the client connects first to the Listener. […] In versions of Oracle prior to 10g, the TNS Listener could be administered remotely What makes this particularly dangerous is the fact that by default the Listener is installed without a password […]” – The Database Hacker’s Handbook
  • 15. HARDING ORACLE - TNS LISTENER  Set a password for TNS Listener Administration  listener.ora file  PASSWORDS_listenername = somepass  Use the lsnrctl utility  LSNRCTL> change_password
  • 16. HARDENING ORACLE - DEFAULT ACCOUNTS  Decent amount of default accounts  Be aware what they are  Ensure the passwords do in fact get changed appropriatly  10g forces admin to set passwords for many default accounts on install and may lock or expire them.
  • 17. SELECT slides FROM SQL Server presentation.
  • 18. HARDENING SQL SERVER – LOCAL ADMINS  Removing Local BuiltinAdministrators group from sysadmins  If they are an administrator on a system running SQL Server they can get to anything in any database.
  • 19. HARDENING SQL SERVER - AUTHENTICATION  If configured to use Windows Authentication password policy can be enforced!
  • 20. HARDENING SQL SERVER – XP_CMDSHELL  Do not enable this on install of SQL Server 2k5 unless absolutely necessary
  • 21. SELECT slides FROM MySQL presentation.
  • 22. HARDING MYSQL – DISABLING NETWORK ACCESS  If your Database is only for being accessed by someone/something on the same machine  disable network-based access with the --skip- networking option  Firewall off the port MySQL is listening on (typically port 3306)
  • 23. HARDENING MYSQL - ACCOUNT TYPES  Identity is determined by username AND the location connected from - Coolness  Scope Identities appropriately  Allow bob to login from any uiowa.edu hostname  GRANT […] ON somedb.sometable TO BOB@’%.uiowa.edu’;  Allow bob to login from any campus IP address  GRANT […] ON somedb.sometable TO BOB@’128.255.0.0/255.255.0.0’;
  • 24. HARDENING MYSQL – ENCRYPTING TRAFFIC  MySQL supports encrypting traffic with SSL  Consider using GRANT … REQUIRE SSL or similar for an account  Useful for accounts that may be accessing sensitive data and/or data that is required to be encrypted by some requirement.
  • 25. RESOURCES  The Database D.Litchfield, C.Anley, J. Heasman, B. Grindlay, Hacker’s Handbook – Defending Database Servers, Indianapolis: Wiley Publishing Inc., 2005.  Available on Books 24x7  D.Litchfield, The Oracle® Hacker’s Handbook: Hacking and Defending Oracle, Indianapolis: Wiley Publishing Inc., 2007.  Available on Books 24x7  http://databasesecurity.com  http://blogs.msdn.com/raulga/archive/2007/01/04/dynamic -sql-sql-injection.aspx  http://msdn.microsoft.com/msdnmag/issues/05/06/SQLSe rverSecurity/default.aspx  http://www.cgisecurity.com