BGOUG 2014 Decrease Your MySQL Attack Surface
Download as PPTX, PDF4 likes752 views
Security is not a question of "if" but "when". People will hit at your server(s). A smaller attack surface means they'll be more likely to miss too. And inflict less damage in general. Let's find out some easy steps we can take to decrease MySQL's attack surface in a typical web setup
More Related Content
What's hot (20)
Similar to BGOUG 2014 Decrease Your MySQL Attack Surface (20)
More from Georgi Kodinov (20)
Recently uploaded (20)
BGOUG 2014 Decrease Your MySQL Attack Surface
- 1. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Decrease Your MySQL Attack Surface Georgi “Joro” Kodinov Team Lead MySQL Server General Team
- 2. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 2
- 3. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. 3 Goal: Make You Think About Security !
- 4. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Agenda 4 What is “Attack Surface” ? Why is it important to minimize it ? Ways to decrease the attack surface Further reading
- 5. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | What is “Attack Surface” ? 5
- 6. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. “The attack surface of a software environment is the sum of the different points where an unauthorized user can try to enter data to or extract data from an environment.” – Wikipedia 6
- 7. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. What is “Attack Surface” ? • It’s a property of the whole environment – database, web server, application, network • Covers entering AND extracting data – Data are precious commodity • Is exploited by unauthorized users – That includes not-sufficiently-authorized too ! 7 Takeaway Points
- 8. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Why is it Important to Minimize the Attack Surface ? 8
- 9. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. 9 It is FRIGHTENINGLY EASY to find and exploit weaknesses !
- 10. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Even Safer Harbor Statement ! • This information is for demonstration only • It does not necessarily correspond to any actual live sites • You should use this information only to assess the defenses of your own installations • Never use the techniques displayed for any unauthorized access ! • Be very careful and double-check all tools you get from 3d parties before using them ! 10
- 11. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. • 22165 wide open MySQL servers available on the Net • Root passwords where applicable • Most are probably vulnerable to manipulating the underlying OS too • Some of these are pretty recent finds too • All of that on a free, open web site 11 Finding You on the Net
- 12. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. • All it needs to start is login access • Can work its way in through SQL injection too • Can automatically test password hashes against dictionary tables • Can retrieve OS files through the database • Can store the password hashes for later offline cracking • Can inject UDF shared objects into the database • “wizard” mode for “novice users” • Free and open source tool 12 And Going On Is Just As Easy …
- 13. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. 13 All that from using web search for few hours !
- 14. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. 14 Imagine the outcome if I was a professional !
- 15. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. 15 … or even up to no good !
- 16. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Dolphins can kill sharks when working together ! 16
- 17. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Ways to Decrease the Attack Surface 17
- 18. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Always Be Up-to-date ! • It’s a race ! • 10 CVE reports addressed in the latest 5.6 MySQL Critical Patch Upgrade • Oracle provides a yum/apt repository – http://dev.mysql.com/downloads/repo/ 18 Ways to decrease the attack surface
- 19. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Remove the stuff you don’t need • Run mysql_secure_installation. Now ! • Review and restrict the network interfaces that the server listens on • Generate SSL keys and make sure the server can “talk” SSL • Remove extra user accounts and privileges • Remove unneeded files and packages 19 Ways to decrease the attack surface
- 20. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Have a Backup Plan • Schedule regular backups • Backup data, logs, and configuration • If your data are important, make backups of backups • Perform regular emergency drills 20 Ways to decrease the attack surface
- 21. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Be Vigilant: Monitor, Audit, Log, Observe • Consider enabling query logging. Create a log backup policy. • Audit the server configuration for changes. Revert the bogus ones • Monitor your server logs. Set alerts for “unusual” patterns. • Monitor security related stats. Set alerts for “unusual” patterns. • Regularly probe your “defenses” by trying bad things on purpose • Consider using Enterprise Audit 21 Ways to decrease the attack surface
- 22. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Take Control of Your User Accounts • Set passwords complexity standards • Rotate your passwords • Pick the right authentication method for your accounts • Audit changes to user account security • Avoid storing passwords in your scripts • Consider using Enterprise Authentication 22 Ways to decrease the attack surface
- 23. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Useful Parameters Parameter Recommended Value secure_file_priv Designated directory symbolic_links Boolean NO default-storage-engine InnoDB general-log Boolean ON log-raw Default : OFF skip-networking ON, if you can afford it. SSL options Set to valid values
- 24. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Useful Parameters Parameter Recommended Value plugin-dir Designated read-only directory chroot Designated directory, if you can afford it core-file OFF des-key-file File with DES keys read_only ON for slaves ! sha256_password RSA key RSA public private keys if can’t use SSL tmpdir Designated directory out of secure-file-priv
- 25. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Questions and Answers 25