DATABASE SECURITY
The more you sweat in training, the less you'll bleed in battle.

Dr Richmond Adebiaye, CISSP, CISM, VCP
OUTLINE
- Why is database security important?
- Our environment
- General strategies and tactics for hardening databases
- Oracle
- SQL Server
- MySQL
WHY IS DATABASE SECURITY IMPORTANT?
- Databases often store data that is sensitive in nature.
- Incorrect data or loss of data could negatively affect business operations.
- A compromised database server can be used as a base from which to attack other systems.
OUR ENVIRONMENT
(Chart of database instances found on campus, by product, not reproduced here.)
*Figures found by scanning for open ports commonly used by the respective software.
HARDENING DATABASES – GENERAL STRATEGIES AND TACTICS
- Principle of least privilege!
- Stay up to date on patches
- Remove/disable unneeded default accounts
- Firewalling/access control
- Run database processes under a dedicated non-privileged account
- Password security
- Disable unneeded components
- Stored procedures and triggers
PRINCIPLE OF LEAST PRIVILEGE
- If service X doesn't need access to all tables in database Y, then don't give it access to all tables.
  - Example: a web application reads a list of people from a database and lists them on a website. The same database also contains sensitive information about those people. The account used by the web application should not be allowed to read the table that holds the sensitive, non-public information.
- Do not give accounts privileges that aren't needed.
  - Every unneeded privilege is one more foothold for privilege escalation once the account, or the application using it, is compromised (for example through SQL injection).
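The scenario above, written out as MySQL statements. This is an added example, not code from the original slides: the database, tables, the web server address and the webapp account are constructed for illustration (MySQL 5.0+ syntax).

```sql
-- Added example; not from the original slides. Database, table and account names
-- are constructed for illustration (MySQL 5.0+ syntax).
CREATE DATABASE people_db;
CREATE TABLE people_db.directory  (id INT PRIMARY KEY, name VARCHAR(100), dept VARCHAR(50));
CREATE TABLE people_db.hr_private (id INT PRIMARY KEY, ssn CHAR(11), salary INT);

-- TOO BROAD: the common shortcut. One SQL injection in the web app now reads hr_private,
-- and ALL on *.* includes FILE and SUPER, so it can also read and write files on the host.
-- CREATE USER 'webapp'@'10.0.5.20' IDENTIFIED BY 'CorrectHorseBattery9!';
-- GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'10.0.5.20';

-- LEAST PRIVILEGE: one account per application, tied to the web server's address,
-- with one right on the one object it reads.
CREATE USER 'webapp'@'10.0.5.20' IDENTIFIED BY 'CorrectHorseBattery9!';
GRANT SELECT ON people_db.directory TO 'webapp'@'10.0.5.20';

-- If public and private columns lived in the same table, the grant can be narrowed
-- further to named columns instead of the whole table:
-- GRANT SELECT (name, dept) ON people_db.directory TO 'webapp'@'10.0.5.20';

-- Verify what the account can do; expect only USAGE on *.* and SELECT on the one table.
SHOW GRANTS FOR 'webapp'@'10.0.5.20';

-- Connected as webapp, this now fails with ERROR 1142 (SELECT command denied):
-- SELECT ssn, salary FROM people_db.hr_private;

-- Audit: accounts holding global (every-database) rights. Only DBA accounts belong here.
SELECT user, host
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR File_priv = 'Y' OR Super_priv = 'Y';
```

The audit query is the part worth scheduling: an application account that shows up in it has drifted from the grant above, usually because someone "fixed" a permissions error with GRANT ALL.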
HARDENING DATABASES – FIREWALL/ACCESS CONTROL
- Throttling connections – make it harder for attackers to brute-force or guess passwords
  - Use host firewall software such as iptables (its recent and connlimit match modules are built for this)
  - xinetd may be useful for throttling
  - Caveat: throttling could deny access to applications that legitimately open a large number of connections (connection pools, batch jobs); exempt those source addresses.
- Reduce the attack surface with firewall rules
  - Don't let the world connect to your database server; allow only the application servers and administrative hosts that need it.
HARDENING DATABASES – PASSWORD SECURITY
- Strong passwords are a must
  - Constant brute-force attacks are happening across campus, especially against SQL Server
- Default passwords are a problem
  - MySQL: root@localhost:<blank>
  - SQL Server: sa:<blank> (old, but still seen sometimes)
  - Oracle: …
- Built-in password policy control seems rare
  - How can we enforce password policy?
HARDENING DATABASES – STORED PROCEDURES, TRIGGERS
- Stored procedures and triggers can lead to privilege escalation and compromise. In Oracle and MySQL they run with the rights of their definer by default, not the caller, so a body that builds dynamic SQL from its arguments is injectable with the definer's rights. Think about the security implications both when creating them and when allowing others to create them.
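A worked instance of that escalation in MySQL, with the hardened form beside it. This is an added example, not code from the slides: the schema, the webapp and people_reader accounts, and both procedures are constructed for illustration (MySQL 5.0+; DELIMITER is a mysql client command).

```sql
-- Added example; not from the original slides. Schema, account and procedure
-- names are constructed for illustration (MySQL 5.0+ syntax).
CREATE DATABASE IF NOT EXISTS people_db;
CREATE TABLE people_db.hr_private (id INT PRIMARY KEY, name VARCHAR(100), ssn CHAR(11));
CREATE USER 'webapp'@'10.0.5.20'        IDENTIFIED BY 'CorrectHorseBattery9!';
CREATE USER 'people_reader'@'localhost' IDENTIFIED BY 'Nobody-Logs-In-As-Me-4';
-- The definer account holds exactly what the procedure needs: one column of one table.
GRANT SELECT (name) ON people_db.hr_private TO 'people_reader'@'localhost';

DELIMITER //

-- VULNERABLE: SQL SECURITY DEFINER is the default, so this runs as root whoever calls
-- it, and it builds its query by concatenation. A caller with EXECUTE can pass
--   x' UNION SELECT CONCAT(user,'@',host) FROM mysql.user --
-- (with a trailing space after the --) and read the account table with root's rights.
CREATE DEFINER='root'@'localhost' PROCEDURE people_db.find_person_bad(IN who VARCHAR(100))
BEGIN
  SET @q = CONCAT('SELECT name FROM people_db.hr_private WHERE name = ''', who, '''');
  PREPARE stmt FROM @q;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END //

-- HARDENED: static, parameterised SQL, and a definer that cannot reach anything else.
-- (Use SQL SECURITY INVOKER instead when the procedure need not cross a privilege boundary.)
CREATE DEFINER='people_reader'@'localhost' PROCEDURE people_db.find_person(IN who VARCHAR(100))
SQL SECURITY DEFINER
BEGIN
  SELECT name FROM people_db.hr_private WHERE name = who;
END //

DELIMITER ;

-- The web account gets EXECUTE on the procedure only, never SELECT on hr_private.
GRANT EXECUTE ON PROCEDURE people_db.find_person TO 'webapp'@'10.0.5.20';

-- Audit: which routines run as a definer far more powerful than their callers?
SELECT routine_schema, routine_name, definer, security_type
  FROM information_schema.routines
 WHERE security_type = 'DEFINER' AND definer LIKE 'root@%';
```

The same shape applies to triggers: a trigger fires with its definer's rights, so a trigger created by root on a table that low-privilege users can write to is a root-privileged code path they can reach.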
HARDENING DATABASES – DISABLE UNNEEDED COMPONENTS
- Just as disabling unneeded services on an operating system is a good idea, disabling unneeded components of a database is a good idea: every extra listener and extension is attack surface that also needs patching.
  - XML DB FTP server (Oracle)
  - Named Pipes access (SQL Server)
SELECT slides FROM Oracle presentation.
ORACLE'S VULNERABILITY HISTORY
If [the] Oracle could see into the future... the "Unbreakable" marketing campaign may not have been a good idea.
- A search of milw0rm's exploit catalogue returns 27 exploits dated from 11/16/2000 to 07/19/2007.
VULNERABILITY HISTORY (CONT.)
Data and quote from The Oracle Hacker's Handbook:
(Chart of Oracle vulnerabilities by year not reproduced here.)
"[…] 2003 and beyond […] the numbers went through the roof […]"
HARDENING ORACLE – TNS LISTENER
TNS Listener
  "The TNS Listener is the hub of all communications in Oracle. […] When a client wishes to access the database server, the client connects first to the Listener. […] In versions of Oracle prior to 10g, the TNS Listener could be administered remotely. What makes this particularly dangerous is the fact that by default the Listener is installed without a password […]"
  – The Database Hacker's Handbook
HARDENING ORACLE – TNS LISTENER
- Set a password for TNS Listener administration
  - listener.ora file (stores the value in clear text)
      PASSWORDS_listenername = somepass
  - Use the lsnrctl utility instead (stores a hashed value; follow with SET PASSWORD and SAVE_CONFIG so it is written to listener.ora)
      LSNRCTL> change_password
- Also set ADMIN_RESTRICTIONS_listenername = ON in listener.ora so the running listener's configuration cannot be changed through lsnrctl at all. From 10g on the listener additionally refuses remote administration by default (LOCAL_OS_AUTHENTICATION_listenername = ON), which is the stronger control; the password matters most on older versions.
HARDENING ORACLE – DEFAULT ACCOUNTS
- Oracle ships with a large number of default accounts (SCOTT, DBSNMP, OUTLN, the sample schemas, and many more), each with a documented default password
  - Know which ones exist on your installation
  - Ensure their passwords do in fact get changed appropriately, and lock the ones nothing uses
- 10g forces the administrator to set passwords for many default accounts on install and may lock or expire the rest; verify rather than assume.
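An Oracle checklist for the two slides above, and for the general slide's question of how to enforce a password policy. This is an added example, not from the original slides: run it as SYSDBA; SCOTT, HR and DBSNMP are Oracle's own default accounts, while the profile name, the app_user account and the passwords are constructed (10g/11g syntax).

```sql
-- Added example; not from the original slides. Run as SYSDBA. SCOTT, HR and DBSNMP
-- are Oracle defaults; the profile, app_user and passwords are constructed.

-- 1. Which accounts are open? Every OPEN account is a login an attacker can try.
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

-- 2. Accounts still on a known default password. This view exists from 11g on;
--    on 10g compare against the published default list instead.
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- 3. Sample and demo schemas that nothing uses: lock them and expire the password.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER hr    ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Default accounts that must stay open get a new password, not the documented one.
ALTER USER dbsnmp IDENTIFIED BY "Mon1tor-Agent-Only-2008";

-- 5. Password policy as a profile. The verify function is installed by
--    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (VERIFY_FUNCTION on 10g,
--    VERIFY_FUNCTION_11G on 11g). Lock time is in days: 1/24 is one hour.
CREATE PROFILE hardened LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function;

ALTER USER app_user PROFILE hardened;
-- Or harden the DEFAULT profile itself so every account is covered at once:
-- ALTER PROFILE default LIMIT FAILED_LOGIN_ATTEMPTS 5 PASSWORD_VERIFY_FUNCTION verify_function;

-- 6. Confirm nothing open is left on an unrestricted profile.
SELECT username, profile
  FROM dba_users
 WHERE account_status = 'OPEN' AND profile = 'DEFAULT';
```

FAILED_LOGIN_ATTEMPTS is the database-side answer to the brute-force traffic the password slide describes: the account locks after a handful of guesses regardless of where they come from.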
SELECT slides FROM SQL Server presentation.
HARDENING SQL SERVER – LOCAL ADMINS
- Remove the local BUILTIN\Administrators group from the sysadmin server role (SQL Server 2005 setup adds it by default)
  - Otherwise anyone who is an administrator on a system running SQL Server can get to anything in any database.
HARDENING SQL SERVER – AUTHENTICATION
- If configured to use Windows Authentication, password policy can be enforced! Domain policy applies to the Windows accounts; since SQL Server 2005, SQL logins created with CHECK_POLICY = ON also follow the host's Windows password policy.
HARDENING SQL SERVER – XP_CMDSHELL
- Do not enable this on install of SQL Server 2005 unless absolutely necessary. It is off by default there, and enabling it gives anyone who can call it (every sysadmin, and any SQL injection running as one) a command shell as the SQL Server service account.
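The three SQL Server slides as a T-SQL script: audit and drop the local Administrators group from sysadmin, make SQL logins follow Windows password policy, and confirm xp_cmdshell is off. This is an added example, not from the original slides; it assumes SQL Server 2005 or later, and the appsvc login and its password are constructed.

```sql
-- Added example; not from the original slides. SQL Server 2005+; the login
-- 'appsvc' and its password are constructed.

-- 1. Who holds sysadmin? BUILTIN\Administrators is added by the 2005 installer
--    (2008 and later stop doing this). Make sure a named DBA login or group is
--    listed here BEFORE dropping it, or you lock yourself out.
SELECT m.name AS member, m.type_desc
  FROM sys.server_role_members rm
  JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
  JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
 WHERE r.name = 'sysadmin';

EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';
-- 2012+ equivalent: ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];

-- 2. Password policy. Windows logins inherit domain policy. SQL logins can follow
--    the host's Windows policy too: CHECK_POLICY enforces complexity and lockout,
--    CHECK_EXPIRATION enforces maximum age.
CREATE LOGIN appsvc
  WITH PASSWORD = 'Tr0ub4dor-and-3-more', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- SQL logins that opted out of policy, plus any login still on a blank password
-- (the sa:<blank> case from the password slide).
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
  FROM sys.sql_logins
 WHERE is_policy_checked = 0
    OR PWDCOMPARE('', password_hash) = 1;

-- sa is the name every brute-force tool tries first: disable it once a named
-- sysadmin login exists (and rename it, so guesses cannot even lock it out).
ALTER LOGIN sa DISABLE;

-- 3. xp_cmdshell is off by default on 2005; confirm and leave it off.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
```

Re-run the first and last queries after any vendor installer or "quick fix" has touched the instance; both settings are routinely undone by people who needed something to work.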
SELECT slides FROM MySQL presentation.
HARDENING MYSQL – DISABLING NETWORK ACCESS
- If the database only needs to be reached from the same machine:
  - Disable network-based access with the --skip-networking option (or skip-networking in my.cnf); local clients then connect over the Unix socket. If local TCP clients are still needed, bind to the loopback interface only (bind-address = 127.0.0.1).
  - Firewall off the port MySQL is listening on (typically port 3306) as well.
HARDENING MYSQL – ACCOUNT TYPES
- Identity is determined by username AND the host the connection comes from
- Scope identities appropriately
  - Allow bob to log in from any uiowa.edu hostname (matching relies on reverse DNS of the client address)
      GRANT […] ON somedb.sometable TO 'bob'@'%.uiowa.edu';
  - Allow bob to log in from any campus IP address
      GRANT […] ON somedb.sometable TO 'bob'@'128.255.0.0/255.255.0.0';
HARDENING MYSQL – ENCRYPTING TRAFFIC
- MySQL supports encrypting client traffic with SSL (the server must be started with ssl-ca, ssl-cert and ssl-key; SHOW VARIABLES LIKE 'have_ssl' tells you whether it is available)
  - Consider using GRANT … REQUIRE SSL (or REQUIRE X509 to demand a client certificate) for an account
    - Useful for accounts that access sensitive data and/or data that some policy or regulation requires to be encrypted in transit.
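The account-scoping and SSL slides as working statements, plus the checks a DBA would run afterwards. This is an added example, not from the original slides: the hostnames and address range follow the slide, while somedb.sometable, the reports account and all passwords are constructed (MySQL 5.0+; version differences noted in comments).

```sql
-- Added example; not from the original slides. somedb.sometable, the 'reports'
-- account and the passwords are constructed (MySQL 5.0+).
CREATE DATABASE somedb;
CREATE TABLE somedb.sometable (id INT PRIMARY KEY, val VARCHAR(50));

-- An identity is user@host. The same username gets different rights depending on
-- where the connection arrives from; MySQL picks the most specific matching row,
-- so 'bob'@'localhost' wins over the campus-wide entries for a local connection.
CREATE USER 'bob'@'localhost'               IDENTIFIED BY 'Local-Only-Pass-7';
CREATE USER 'bob'@'%.uiowa.edu'             IDENTIFIED BY 'From-Campus-Name-7';
CREATE USER 'bob'@'128.255.0.0/255.255.0.0' IDENTIFIED BY 'From-Campus-Net-7';
GRANT SELECT, INSERT, UPDATE ON somedb.sometable TO 'bob'@'localhost';
GRANT SELECT                 ON somedb.sometable TO 'bob'@'%.uiowa.edu';
GRANT SELECT                 ON somedb.sometable TO 'bob'@'128.255.0.0/255.255.0.0';
-- The hostname pattern depends on DNS resolution of the client address; the
-- netmask form does not, so prefer it where the address range is known.

-- Per-account transport encryption. The server must be started with ssl-ca,
-- ssl-cert and ssl-key, otherwise this account simply cannot log in at all.
CREATE USER 'reports'@'128.255.0.0/255.255.0.0' IDENTIFIED BY 'Encrypt-Or-Deny-7';
GRANT SELECT ON somedb.* TO 'reports'@'128.255.0.0/255.255.0.0' REQUIRE SSL;
-- Stronger: REQUIRE X509 (client must present a certificate signed by the server's
-- CA), or REQUIRE SUBJECT '/C=US/O=uiowa/CN=reports' to pin one client certificate.

-- Checks from a DBA session. Column names in mysql.user: 'password' up to 5.6,
-- 'authentication_string' from 5.7; ssl_type is '' when no encryption is required.
SELECT user, host FROM mysql.user WHERE host IN ('%', '');         -- reachable from anywhere
SELECT user, host FROM mysql.user WHERE password = '';              -- empty password (<= 5.6)
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type = '';    -- no encryption required

-- From a client session: a non-empty cipher means this connection is encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
```

The second check is the slide's root@localhost:<blank> problem made visible; on a fresh 5.0 install it also lists the anonymous ''@'localhost' account, which should simply be dropped.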
RESOURCES
- D. Litchfield, C. Anley, J. Heasman, B. Grindlay, The Database Hacker's Handbook – Defending Database Servers, Indianapolis: Wiley Publishing Inc., 2005. Available on Books 24x7.
- D. Litchfield, The Oracle Hacker's Handbook: Hacking and Defending Oracle, Indianapolis: Wiley Publishing Inc., 2007. Available on Books 24x7.
- http://databasesecurity.com
- http://blogs.msdn.com/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx
- http://msdn.microsoft.com/msdnmag/issues/05/06/SQLServerSecurity/default.aspx
- http://www.cgisecurity.com
Questions or Comments?

Weitere ähnliche Inhalte

Was ist angesagt?

Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
What is Microsoft Azure Security?-Microsoft Azure security
 What is Microsoft Azure Security?-Microsoft Azure security What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure securityZabeel Institute
 
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...Andre Essing
 
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Orgad Kimchi
 
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Morgan Simonsen
 
Apptimized SafeBox
Apptimized SafeBoxApptimized SafeBox
Apptimized SafeBoxApptimized
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...InSync2011
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security FundamentalsLorenzo Barbieri
 
03_Azure Security Center_GAB2019
03_Azure Security Center_GAB201903_Azure Security Center_GAB2019
03_Azure Security Center_GAB2019Kumton Suttiraksiri
 
MySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMark Swarbrick
 
[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...European Collaboration Summit
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azuresaitoserge
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Adnene Guabtni
 
Azure Security Center- Zero to Hero
Azure Security Center-  Zero to HeroAzure Security Center-  Zero to Hero
Azure Security Center- Zero to HeroKasun Rajapakse
 
DevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityDevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityGeorgi Kodinov
 

Was ist angesagt? (20)

Ahsay backup
Ahsay backupAhsay backup
Ahsay backup
 
Mysql security 5.7
Mysql security 5.7 Mysql security 5.7
Mysql security 5.7
 
Simple Way for MySQL to NoSQL
Simple Way for MySQL to NoSQLSimple Way for MySQL to NoSQL
Simple Way for MySQL to NoSQL
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting started
 
What is Microsoft Azure Security?-Microsoft Azure security
 What is Microsoft Azure Security?-Microsoft Azure security What is Microsoft Azure Security?-Microsoft Azure security
What is Microsoft Azure Security?-Microsoft Azure security
 
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
SQL Server goes Linux - Hello, my name is Tux, I would like to join the #SQLF...
 
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
Oracle Solaris 11 platform for ECI Telecom private cloud infrastructure
 
Intro To MySQL 2019
Intro To MySQL 2019Intro To MySQL 2019
Intro To MySQL 2019
 
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
Turning off the lights - Going all in with the Public Cloud (Lumagate Nordic ...
 
Apptimized SafeBox
Apptimized SafeBoxApptimized SafeBox
Apptimized SafeBox
 
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
Database & Technology 1 _ Barbara Rabinowicz _ Database Security Methoda and ...
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security Fundamentals
 
03_Azure Security Center_GAB2019
03_Azure Security Center_GAB201903_Azure Security Center_GAB2019
03_Azure Security Center_GAB2019
 
MySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the DolphinMySQL Dublin Event Nov 2018 - State of the Dolphin
MySQL Dublin Event Nov 2018 - State of the Dolphin
 
[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...[de Jager] Classify, Label and Protect your data with Azure Information Prote...
[de Jager] Classify, Label and Protect your data with Azure Information Prote...
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azure
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
 
Azure Security Center- Zero to Hero
Azure Security Center-  Zero to HeroAzure Security Center-  Zero to Hero
Azure Security Center- Zero to Hero
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
DevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityDevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 Security
 

Andere mochten auch

Essential introduction to computers adebiaye
Essential introduction to computers adebiayeEssential introduction to computers adebiaye
Essential introduction to computers adebiayeDR RICHMOND ADEBIAYE
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)maditabalnco
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsBarry Feldman
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome EconomyHelge Tennø
 

Andere mochten auch (6)

Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
DESCUBRÍ ARGENTINA
DESCUBRÍ ARGENTINADESCUBRÍ ARGENTINA
DESCUBRÍ ARGENTINA
 
Essential introduction to computers adebiaye
Essential introduction to computers adebiayeEssential introduction to computers adebiaye
Essential introduction to computers adebiaye
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post Formats
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome Economy
 

Ähnlich wie Database security2 adebiaye

DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxsiti829412
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure worldGianluca Sartori
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseWinWire Technologies Inc
 
Ohio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLOhio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLDave Stokes
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesMariaDB plc
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
From Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise EditionFrom Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise Edition郁萍 王
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseSinanPetrusToma
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseEDB
 
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Cloudera, Inc.
 
Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015Connor McDonald
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptCNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptLokeshK66
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionOlivier DASINI
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesMariaDB plc
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 

Ähnlich wie Database security2 adebiaye (20)

DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL DatabaseModern Data Security for the Enterprises – SQL Server & Azure SQL Database
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
Ohio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQLOhio Linux Fest -- MySQL's NoSQL
Ohio Linux Fest -- MySQL's NoSQL
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
 
Database security
Database securityDatabase security
Database security
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Database security issues
Database security issuesDatabase security issues
Database security issues
 
From Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise EditionFrom Nice to Have to Mission Critical: MySQL Enterprise Edition
From Nice to Have to Mission Critical: MySQL Enterprise Edition
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous Database
 
Creating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres DatabaseCreating a Multi-Layered Secured Postgres Database
Creating a Multi-Layered Secured Postgres Database
 
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
Enterprise Hadoop in the Cloud. In Minutes. | How to Run Cloudera Enterprise ...
 
Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015Securing data in Oracle Database 12c - 2015
Securing data in Oracle Database 12c - 2015
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Vault_KT.pptx
Vault_KT.pptxVault_KT.pptx
Vault_KT.pptx
 

Kürzlich hochgeladen

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Database security2 adebiaye

  • 1. DATABASE SECURITY
    The more you sweat in training, the less you’ll bleed in battle.
    Dr Richmond Adebiaye, CISSP, CISM, VCP
  • 2. OUTLINE
    - Why is database security important?
    - Our environment
    - General Strategies and Tactics for Hardening Databases
    - Oracle
    - SQL Server
    - MySQL
  • 3. WHY IS DATABASE SECURITY IMPORTANT?
    - Databases often store data which is sensitive in nature
    - Incorrect data or loss of data could negatively affect business operations
    - Databases can be used as bases from which to attack other systems
  • 4. OUR ENVIRONMENT
    *Figures found by scanning for open ports commonly used by the respective software.
  • 5. HARDENING DATABASES – GENERAL STRATEGIES AND TACTICS
    - Principle of Least Privilege!
    - Stay up-to-date on patches
    - Remove/disable unneeded default accounts
    - Firewalling/Access Control
    - Running database processes under a dedicated non-privileged account
    - Password Security
    - Disable unneeded components
    - Stored Procedures and Triggers
  • 6. PRINCIPLE OF LEAST PRIVILEGE
    - If X service doesn’t need access to all tables in Y database, then don’t give it access to all tables.
      - Example: A web application that reads a list of people from a database and lists them on a website. The database also contains sensitive information about those people. The account used by the web application should not be allowed to read the table that contains sensitive non-public information.
    - Do not give accounts privileges that aren’t needed
      - Unneeded privileges to accounts allow more opportunity for privilege escalation attacks.
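The web-application example from slide 6, worked through in MySQL GRANT statements. This is an added example, not part of the original deck; the database, table and account names (peopledb, people, people_private, webapp) are assumed.

```sql
-- Least privilege for a web app that only lists people (MySQL syntax).
-- Assumed schema: peopledb.people        (the public directory listing)
--                 peopledb.people_private (sensitive, non-public data)

-- Weak (what to avoid): the service account can read every table in the
-- database, including the sensitive one.
-- GRANT ALL PRIVILEGES ON peopledb.* TO 'webapp'@'localhost';

-- Hardened: one account, one privilege, one table.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';
GRANT SELECT ON peopledb.people TO 'webapp'@'localhost';

-- Generalisation (beyond the slide): if public and private fields share a
-- table, MySQL column privileges limit the account to the columns it needs.
-- GRANT SELECT (name, department) ON peopledb.people TO 'webapp'@'localhost';

-- Check: the grant list must not mention people_private (or ALL on peopledb.*).
SHOW GRANTS FOR 'webapp'@'localhost';

-- Behaviour when connected as webapp: the first query succeeds, the second
-- is refused with ERROR 1142 (SELECT command denied ... for table 'people_private').
SELECT name FROM peopledb.people;
SELECT ssn FROM peopledb.people_private;
```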
  • 7. HARDENING DATABASES – FIREWALL/ACCESS CONTROL
    - Throttling connections – make it harder for the bad guys to brute-force or guess passwords
      - Use firewall software like IPTables
      - Xinetd may be useful for throttling
      - It’s possible that throttling could deny access to applications which legitimately make a large number of connections.
    - Reducing the surface area of attack with firewall rules
      - Don’t let the world connect to your database server.
  • 8. HARDENING DATABASES – PASSWORD SECURITY
    - Strong passwords are a must
      - Constant brute-force attacks are happening across campus, esp. against SQL Server
    - Default passwords are a problem
      - MySQL: root@localhost:<blank>
      - SQL Server: sa:<blank> (Old, but still seen sometimes)
      - Oracle: …
    - Built-in password policy control seems rare
      - How can we enforce password policy?
  • 9. HARDENING DATABASES – STORED PROCEDURES, TRIGGERS
    - Stored Procedures and Triggers can lead to privilege escalation and compromise. Be sure to think about the security implications when allowing the creation of, and creating, these.
  • 10. HARDENING DATABASES – DISABLE UNNEEDED COMPONENTS
    - Just as disabling unneeded services on an operating system is a good idea, disabling unneeded components of a database is a good idea.
      - XML FTP (Oracle)
      - Named Pipes access (SQL Server)
  • 11. SELECT slides FROM Oracle presentation.
  • 12. ORACLE’S VULNERABILITY HISTORY
    If [the] Oracle could see into the future... the “Unbreakable” marketing campaign may not have been a good idea.
    - A search of milw0rm’s exploit catalogue returns 27 exploits dated from 11/16/2000 – 07/19/2007
  • 13. VULNERABILITY HISTORY (CONT.)
    Data and quote from The Oracle Hacker’s Handbook: “[…] 2003 and beyond […] the numbers went through the roof […]”
  • 14. HARDENING ORACLE – TNS LISTENER
    “The TNS Listener is the hub of all communications in Oracle. […] When a client wishes to access the database server, the client connects first to the Listener. […] In versions of Oracle prior to 10g, the TNS Listener could be administered remotely. What makes this particularly dangerous is the fact that by default the Listener is installed without a password […]” – The Database Hacker’s Handbook
  • 15. HARDENING ORACLE – TNS LISTENER
    - Set a password for TNS Listener administration
      - listener.ora file: PASSWORDS_listenername = somepass
      - Use the lsnrctl utility: LSNRCTL> change_password
  • 16. HARDENING ORACLE – DEFAULT ACCOUNTS
    - Decent number of default accounts
    - Be aware what they are
    - Ensure the passwords do in fact get changed appropriately
    - 10g forces the admin to set passwords for many default accounts on install and may lock or expire them.
  • 17. SELECT slides FROM SQL Server presentation.
  • 18. HARDENING SQL SERVER – LOCAL ADMINS
    - Remove the local BUILTIN\Administrators group from sysadmin
      - If they are an administrator on a system running SQL Server they can get to anything in any database.
  • 19. HARDENING SQL SERVER – AUTHENTICATION
    - If configured to use Windows Authentication, password policy can be enforced!
  • 20. HARDENING SQL SERVER – XP_CMDSHELL
    - Do not enable this on install of SQL Server 2k5 unless absolutely necessary
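Slides 18 to 20 as T-SQL, for SQL Server 2005 and later. This is an added example, not from the deck; it assumes a dedicated DBA login already holds sysadmin, so that removing BUILTIN\Administrators does not lock everyone out.

```sql
-- 1. Slide 18: who holds sysadmin today? Run this first and confirm a
--    dedicated DBA login is listed before removing the local admins group.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Take the local Administrators group out of sysadmin ...
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';
-- ... or remove its login altogether so OS admins get no SQL access at all.
DROP LOGIN [BUILTIN\Administrators];

-- 2. Slide 19: Windows logins inherit the domain password policy. For any
--    SQL logins that must remain (e.g. sa), enforce the policy explicitly.
SELECT name, is_policy_checked, is_expiration_checked FROM sys.sql_logins;
ALTER LOGIN [sa] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 3. Slide 20: inspect xp_cmdshell and make sure it stays disabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';        -- config_value and run_value should be 0
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```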
  • 21. SELECT slides FROM MySQL presentation.
  • 22. HARDENING MYSQL – DISABLING NETWORK ACCESS
    - If your database is only accessed by someone/something on the same machine:
      - disable network-based access with the --skip-networking option
      - Firewall off the port MySQL is listening on (typically port 3306)
  • 23. HARDENING MYSQL – ACCOUNT TYPES
    - Identity is determined by username AND the location connected from – Coolness
    - Scope identities appropriately
      - Allow bob to log in from any uiowa.edu hostname: GRANT […] ON somedb.sometable TO BOB@'%.uiowa.edu';
      - Allow bob to log in from any campus IP address: GRANT […] ON somedb.sometable TO BOB@'128.255.0.0/255.255.0.0';
  • 24. HARDENING MYSQL – ENCRYPTING TRAFFIC
    - MySQL supports encrypting traffic with SSL
    - Consider using GRANT … REQUIRE SSL or similar for an account
      - Useful for accounts that may be accessing sensitive data and/or data that is required to be encrypted by some requirement.
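Slides 8, 23 and 24 combined into one MySQL session: host-scoped accounts, an SSL-only account, and a check for the blank default root password. This is an added example, not from the deck; the somedb.sensitive table, the reports account and the passwords are assumed, and the statements use the pre-5.7 syntax current when the deck was written.

```sql
-- 1. Slide 23: the host part is part of the identity, so the same username
--    can be granted separately per origin. Domain-scoped account:
GRANT SELECT, INSERT ON somedb.sometable TO 'bob'@'%.uiowa.edu'
    IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';
--    Netmask-scoped account for the campus IP range (the slide's example):
GRANT SELECT, INSERT ON somedb.sometable TO 'bob'@'128.255.0.0/255.255.0.0'
    IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';

-- 2. Slide 24: an account that reads sensitive data may only connect over SSL.
--    Plain TCP logins for this account are refused by the server.
GRANT SELECT ON somedb.sensitive TO 'reports'@'%.uiowa.edu'
    IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD' REQUIRE SSL;
-- REQUIRE X509 would additionally demand a client certificate.

-- 3. Slide 8: find the default weak spots in the grant tables.
--    (Column is `password` up to MySQL 5.6; 5.7+ uses `authentication_string`.)
SELECT user, host FROM mysql.user WHERE password = '';   -- blank passwords
SELECT user, host FROM mysql.user WHERE user = '';       -- anonymous accounts
SELECT user, host FROM mysql.user WHERE host = '%';      -- reachable from anywhere

-- Fix the findings: password for root@localhost, drop anonymous accounts.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('REPLACE-WITH-STRONG-PASSWORD');
DROP USER ''@'localhost';
FLUSH PRIVILEGES;
```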
  • 25. RESOURCES
    - D. Litchfield, C. Anley, J. Heasman, B. Grindlay, The Database Hacker’s Handbook: Defending Database Servers, Indianapolis: Wiley Publishing Inc., 2005. Available on Books 24x7.
    - D. Litchfield, The Oracle® Hacker’s Handbook: Hacking and Defending Oracle, Indianapolis: Wiley Publishing Inc., 2007. Available on Books 24x7.
    - http://databasesecurity.com
    - http://blogs.msdn.com/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx
    - http://msdn.microsoft.com/msdnmag/issues/05/06/SQLServerSecurity/default.aspx
    - http://www.cgisecurity.com