SlideShare uma empresa Scribd logo

What Every DBA Needs to Know About MySQL Security

Transferir como ODP, PDF
David Busby, CISSP
David Busby, CISSP

What Every DBA Needs to Know About MySQL Security It's not just your database at risk you need to cover every layer of your applications deployment. https://www.youtube.com/watch?v=l2MDPuyEOQQ

Tecnologia
1 de 42
What Every DBA Needs to Know About MySQL Security David Busby Percona Managed Services EMEA Lead Security Lead
www.percona.com 2 / 42 Who am I? ● David Busby ● Working at Percona since January 2013 ● Currently ● Percona Managed Services ● EMEA Lead ● Security Lead ● 14 some years as a Sysadmin ● “Devops” as it's now being called. ● Volunteer work ● Help teaching computing at a local school ● Ju-Jitsu instructor for local not for profit club
www.percona.com 3 / 42 Agenda ● Security above the MySQL layer ● How to identify and limit an attack surface ● The critical importance of password complexity ● Rigid grants and selective grants ● Deploying SELinux ● Security-related changes in MySQL 5.6 ● The importance of CVEs ● Q&A
www.percona.com 4 / 42 Security Above the MySQL Layer ● Security is applied in layers ● Think from the outside in ● As such you need to be aware of each “layer” of your deployment. ● e.g. ● ISP ingress ● Do they have IDS / IPS at their network edge ● What's their incident response program? ● Your network ingress ● e.g. dedicated hardware firewall ● SSL terminators ● OS Level packet filtering / control ● IPTables, netfilter, Haka ● Your application ingress ● In code sanitization, WAF etc. ● Your organization controls
www.percona.com 5 / 42 Security Above the MySQL Layer ● Security is applied in layers ● “a chain is only as strong as it's weakest link” ● ISP ● Network ingress ● Personnel ● Identity verification processes ● Internal security controls ● Compliance certifications ● Staff background checks ● Incident response program ● With dedicated team ● With S.L.A ● Recurring audits ● Pentests with available reports ● User ACL audits
www.percona.com 6 / 42 Security Above the MySQL Layer ● Security is applied in layers ● Your systems ● Cloud ● Are the hypervisors secured? ● H.I.D.S / H.I.P.S ● M.A.C ● Physical security measures ● Is the block storage encrypted? ● How is the block storage sanitized (if at all) when you “delete” a vm. ● How are guests securely isolated. ● Network ● “in flight” encryption, SSL, VPN (e.g. n2n) etc. ● Memory
www.percona.com 7 / 42 Identify and limit your an attack surface ● What is an “attack surface”? ● Points in your system which could be attacked. ● application ● database ● physical systems ● network ● your employees ● hosting provider ● Including hosting providers employees
www.percona.com 8 / 42 Identify and limit an attack surface ● Limit your attack surface ● Application ● Sanitize ALL user inputs ● CSRF / XSRF tokens ● Follow SSL Best practices e.g. mozilla wiki ● P.F.S + DHParam ● OSCP Stapling ● W.A.F && I.P.S (with dedicated people). ● Protect the “Audit Trail” ● Regular recurring audit procedures ● Ingress and Egress controls ● Mandatory Access Controls e.g. SELinux
www.percona.com 9 / 42 Identify and limit an attack surface ● Limit your attack surface ● Application ● Fail securely / safely ● Catch application exceptions and log, do not render to the user / attacker screen ● Think carefully about error messages ● A login form displaying invalid user / invalid password ● Can be used to enumerate users ● A page error “you do not have access to this page” ● Can be used to enumerate “points of interest” for attacking later ● Miss direction ● Intentionally “sour the milk” for automated tools data collection ● Suppress version numbers, X-Powered-By, Error pages ● Purposely return incorrect response codes ● Utilize tarpits ● Don't “hack back”
www.percona.com 10 / 42 Identify and limit an attack surface ● Limit your attack surface ● Database ● Logical / Physical network segregation from application nodes. ● Ingress and Egress controls ● Selective GRANT ● Complex passwords ● Avoid “... IDENTIFED BY 'the_plain_password'” SQL ● Mandatory Access Controls e.g. SELinux
www.percona.com 11 / 42 Identify and limit an attack surface ● Limit your attack surface ● Physical systems ● Limitation of access to hardware ● “Social engineering” is just a new term for con artistry ● Challenge “implied trust” a Badge / Uniform != ID ● Never rely on singular control methods, esp not biometrics ● Remove unneeded services and devices. ● e.g. bluetoothd, gcc, gdb, X, gnome, kde, etc. ● Barclays £1.3M “haul” could have been avoided (image credit BBC UK) ● OS Level hardening ● C.I.S, R.H.E.L Security Guide, M.A.C.
www.percona.com 12 / 42 Identify and limit an attack surface ● Limit your attack surface ● Employees (Layer 8 / Meat ware) ● Awareness training ● Social media betrays a wealth of information ● (safeinternetbanking.be youtube video) ● B.Y.O.D, a persons “smart” phone is perhaps the single largest repository of personal information you own. ● “implied trust”: “Wanna see a magic trick with your phone?” ● Lock screen bypass / debug abuse / NFC ● Remote attacks: Karma (Jassegar), Malware apps, bluetooth (android remove (bluedroid) crash youtube)
www.percona.com 13 / 42 Identify and limit an attack surface ● Limit your attack surface ● Employees (Layer 8 / Meat ware) ● Malicious H.I.D. devices ● Teensy Duino HID ● Data Leak Prevention Bypass ● Challenge identity and “implied trust” ● It's OK to ask for ID! (seriously we have systems do this all the time) ● “Hello I'm calling from the computer security center regarding the virus on your windows machine ...” ● “Hello I'm some_person_from_hr ...” Defcon Youtube
www.percona.com 14 / 42 Identify and limit an attack surface ● Limit your attack surface ● Employees (Layer 8 / Meat ware) ● Malicious H.I.D's are tiny, and easily made
www.percona.com 15 / 42 Identify and limit an attack surface ● Limit your attack surface ● Certain allowances must be made. ● Trust in Service / Hosting provider. ● Do your own due diligence ● You ask for S.L.A's ● Why not ask about their security and compliance? ● PCI ● HIPAA ● Even if you don't think you need it now.
www.percona.com 16 / 42 Identify and limit an attack surface ● Network ● Selective ACL (even if it's only iptables) ● e.g. MySQL doesn't need to be accessible from everywhere! ● Lest we forget CVE-2012-2122 ● Logical / Physical segregation ● H.I.P.S, H.I.P.S ● N.I.D.S, N.I.P.S ● Ensure you have staff looking at the logs! ● Writing IPS && WAF rules. ● Doing anaylsis.
www.percona.com 17 / 42 The Critical Importance of Password Complexity ● MySQL 5.5 password standard is just ● SHA1(SHA1(password)) ● Auth handshake ● SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))) ● New salt for every connection ● Assume an attacker can grab a hashdump ● Or packet cap of a privileged account logging in ● The mitigation becomes time vs reward ● As with encryption we want to make it computationally expensive to retrive the original passwords
www.percona.com 18 / 42 The Critical Importance of Password Complexity ● Some sample hashes ● ACA068D24BC58DB72E9D3C2D8D29D43FB6F674D9 ● B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4 ● F469EBEEF4AD5F9DE9A0703EABF87DD88A7AF52D ● CB7DFF0540F8C51BF178A1502A286FB8F4A2691E ● F49091CCA44CEC66E65D3D97EA2C3F92D7636734 ● A simple brute force will retrieve the original passwords
www.percona.com 19 / 42 The Critical Importance of Password Complexity
www.percona.com 20 / 42 The Critical Importance of Password Complexity ● Retrieved! (oclHashCat brute force in ~1.38s) ● ACA068D24BC58DB72E9D3C2D8D29D43FB6F674D9 ● MUCH ● B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4 ● PASS ● F469EBEEF4AD5F9DE9A0703EABF87DD88A7AF52D ● SUCH ● CB7DFF0540F8C51BF178A1502A286FB8F4A2691E ● BAD ● F49091CCA44CEC66E65D3D97EA2C3F92D7636734 ● WOW
www.percona.com 21 / 42 The Critical Importance of Password Complexity ● Trivial to get weak passwords of privileged accounts. ● “Budget setup” 2 x 7750 Radeon ● Software crossfire ● 270 Million hashes per second ● Wordlists / properly configured patterns result in high hash rates ● Same as most “passwords were hacked” disclosures ● Relatively weak hashing ● MySQL only uses SALT on the network auth side ● MySQL_NA
www.percona.com 22 / 42 The Critical Importance of Password Complexity ● Conclusion? ● The greater the complexity of a password ● The more computationally expensive it is to retreive ● Reduces the likelihood of being on any pre- computed hash list ● Increases time needed for privilege escalation (via the demoed method) ● Increases the likelihood of re-mediation “before things get worse”
www.percona.com 23 / 42 Rigid grants and Selective grants ● A Rigid grant or a Selective grant is an interchangeable term ● Principle Of Least Privilege ● Think of ACL audits (which are a PCI requirement) ● What access does the user have? ● Does the user really need that level of access? ● What are the reasons? ● Does the user really need access from %? ● Most likely you can restrict this ● Your application really doesn't need ● ALL PRIVILEGES ON *.* WITH GRANT OPTION ● Equally Super_priv, Create_routine, Insert_priv, FILE ... etc.
www.percona.com 24 / 42 Rigid grants and Selective grants ● Understand “WITH GRANT OPTION” is “The Keymaker” ● Understand that Super_priv ● Can kill any process ● Can write even when read_only = 1 ● Can stop / reset slaves ● Is part of “ALL” ● Understand that FILE && Create_routine ● Can be abused to stage malicious UDF's ● Youtube link to my PLMCE live demo ● Understand that Insert_priv could ● Allow insert directly into mysql.user
www.percona.com 25 / 42 Rigid grants and Selective grants ● Understand “WITH GRANT OPTION” is “The Keymaker” ● Yes this has appeared twice it's that crucial ● It's the “keys to the kingdom” ● You're applications user REALLY should not have this. ● Seriously ● Don't ● Do ● It
www.percona.com 26 / 42 Deploying SELinux ● Performance overhead ● Variable Y.M.W.V ● Test! ● The What before the Why ● Mandatory Access Control ● Turn it ON! ● /etc/selinux/config ● SELINUX=enforcing ● SELINUXTYPE=targeted ● Also works on AMI ● Blog link
www.percona.com 27 / 42 Deploying SELinux ● Labels ● Contexts applied to files, ports, etc. ● User:role:type:level ● “targeted” policies look at the type ● Type Enforcement (policies) ● Example ● Process A runs in context B ● Context B is allowed access to ● Context C, D, E ● Not F
www.percona.com 28 / 42 Deploying SELinux ● mysqld_t ● You want to allow access to ● mysqldb_t /var/lib/mysqld ● mysql_log_t /var/log/mysql ● mysql_port_t *:3306 ● But not ● passwd_file_t /etc/passwd ● shadow_file_t /etc/shadow ● http_port_t, ssh_port_t, etc ...
www.percona.com 29 / 42 Deploying SELinux ● D.A.C vs M.A.C ● Discretionary Access Control (POSIX permissions) ● Allows access to whatever resource the user it is running as has access to ● Software still runs as a user ● Unlikely you want software to have the same rights as a user ● Viruses, Malware etc ... ● D.A.C chmod 777 == Shotgun + Foot ● A chmod 777 on the plugins dir allows malicious UDF staging in my PLMCE live demo
www.percona.com 30 / 42 Deploying SELinux ● Debugging ● `setenforce 0` == Permissive != OFF ● ALWAYS ensure you go back to `setenforce 1` ● New tools make everything easier ● setroubleshoot-server, libselinux-python ● 9/10 issues are “incorrect labeling” ● Common gotchas ● New files / Dirs inherit labels ● Moved / copied files KEEP their original context
www.percona.com 31 / 42 Deploying SELinux ● Arrests “out of context” behaviour ● My live demo malicious UDF is blocked by SELinux ● By default! ● Additional layer of security ● Not a replacement for multiple layers ● CVE-2013-2094 was not blocked by default ● perf_swevent_enabled -> priv escalation ● J.I.T patching possible using SELinux ● Change user context to user_u from unconfined_u ● RH BZ Link #962792
www.percona.com 32 / 42 Deploying SELinux ● Living with SELinux ● Most common tools have the -Z option ● ls -Z ● unconfined_u:object_r:user_home_t:s0 ● ps -z ● unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ● MySQL / Percona Server / MariaDB work “out of the box” ● For the defaults ● /var/lib/mysql ● *:3306 etc.
www.percona.com 33 / 42 Deploying SELinux ● Living with SELinux ● Install the tools ● policycoreutils ● setools-console ● setroubleshoot-server ● setroubleshoot-plugins ● SELinux booleans ● mysql_connect_any ● Allow mysqld to connect to all ports ● allow_user_mysql_connect ● Allow users to connect to mysql socket (not mysql users, local system users)
www.percona.com 34 / 42 Deploying SELinux ● Living with SELinux ● Change the datadir ● semanage fontext -a -t mysqld_db_t “/path/to/mysql(/.*)?” ● Change the port ● semanage port -a -t mysqld_port_t -p NNNN ● orchestration frameworks can ease your use of SELinux ● Ansible ● file: dest=/path/to/mysql state=diesctory owner=mysql group=mysql mode=0755 seuser=system_u serole=object_r setype=mysqld_db_t selevel=0 ● seboolean: name=httpd_can_network_connect_db state=yes persistent=yes
www.percona.com 35 / 42 Security Related Changes in 5.6 ● Password expiration ● default_password_lifetime ● default 360 days ● 0 == disable auto expiry ● dissconnect_on_expired_password ● NO ● Drop to sandbox on expiry to allow change ● YES ● Disconnect ● Force an expiry ● ALTER USER 'user'@'host' PASSWORD EXPIRE; ● mysql.user.password_expired ● Not available Maria DB 10 “to be implemented in later 10.x versions” ● Tested against 10.0.12
www.percona.com 36 / 42 Security Related Changed in 5.6 ● Password validation plugin ● validate_password_policy = LEVEL ● LOW ● >= 8 Chars ● MEDIUM ● All requirements of LOW ● >= 1 number ● >= 1 upper case ● STRONG (unsure why this isn't called HIGH) ● All requirements of MEDIUM ● Substrings >= 4 chars must not appear on defined dictionary
www.percona.com 37 / 42 Security Related Changed in 5.6 ● Password validation plugin ● Customizable ● validate_dictionary_password_file = “/path/to/file” ● validate_password_length = 8 ● validate_password_mixed_case_count = 1 ● validate_password_number_count = 1 ● validate_password_special_char_count = 1 ● Circumventable ● Not yet available in MariaDB 10 see: MDEV-6431 planned for 10.1 ● Pluggable authentication ● sha256_password plugin ● mysql.users.authentication_string ● Opens the possibility for stronger algos ● Not yet available in MariaDB 10 see: dev list thread “to be implemented in later 10.x version”
www.percona.com 38 / 42 Security Related Changed in 5.6 ● SSL ● Tunable cipher spec ● --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA ● MariaDB 10 does support this tested against 10.0.12 ● High performance overhead ● Mostly due to connection handshake overhead ● Connection pooling helps to reduce this “cost” ● Client can not “force” an SSL / TLS connection :( ● Silently fails
www.percona.com 39 / 42 The Importance of CVE's ● Common Vulnerabilities and Exposures ● Common classification and notation of known vulnerabilities ● $vendors and $researcher alike use this to classify vulnerabilities ● Along with CVSS scoring ● Used in changelogs to note when a patch has been applied. ● Syntax changed in January to allow for >9999 filings per year. ● Additional resources ● Open Source Vulnerability Database ● Secunia ● National Vulnerability Database ● ExploitDB ● Reddit /r/netsec ● news.ycombinator.com ● Full disclosure list (has re-opened!)
www.percona.com 40 / 42 Percona Services ● Consulting ● Typically short term engagements ● For security projects, we'd assess gaps in MySQL and infrastructure and implement changes in collaboration with the customer. ● Available for remote and on-site activities ● Managed services including Remote DBA ● The Long term solution ● Fix problems present today and operate using best practices for the future in collaboration with Percona ● Manage security as well as other DBA Ops needs ● backup ● Recovery ● Etc ...
www.percona.com 41 / 42 Percona Live London 2014 ● November 3-4, 2014 ● Learn what works from leading companies who use MySQL ● Hear how to drive down costs and improve performance with innovative solutions. ● Discuss your unique challenges and discover options for solving them ● Early bird pricing available now: http://www.percona.com/live/london-2014/
www.percona.com 42 / 42 Questions? ● Q&A ● And thanks for attending!

Recomendados

Plmce mysql-101-security-basics
Plmce mysql-101-security-basicsPlmce mysql-101-security-basics
Plmce mysql-101-security-basicsDavid Busby, CISSP
 
PLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursPLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursDavid Busby, CISSP
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.David Busby, CISSP
 
Ligjerata 7
Ligjerata 7Ligjerata 7
Ligjerata 7Ferdi Nuredini
 
Cumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloudCumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloudDavid Busby, CISSP
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLwolfSSL
 
DB2 and PHP in Depth on IBM i
DB2 and PHP in Depth on IBM iDB2 and PHP in Depth on IBM i
DB2 and PHP in Depth on IBM iAlan Seiden
 

Recomendados

Plmce mysql-101-security-basics
Plmce mysql-101-security-basicsPlmce mysql-101-security-basics
Plmce mysql-101-security-basicsDavid Busby, CISSP
 
PLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursPLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursDavid Busby, CISSP
 
Security its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutSecurity its-more-than-just-your-database-you-should-worry-about
Security its-more-than-just-your-database-you-should-worry-aboutDavid Busby, CISSP
 
Security and why you need to review yours.
Security and why you need to review yours.Security and why you need to review yours.
Security and why you need to review yours.David Busby, CISSP
 
Ligjerata 7
Ligjerata 7Ligjerata 7
Ligjerata 7Ferdi Nuredini
 
Cumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloudCumulonimbus fortification-secure-your-data-in-the-cloud
Cumulonimbus fortification-secure-your-data-in-the-cloudDavid Busby, CISSP
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLwolfSSL
 
DB2 and PHP in Depth on IBM i
DB2 and PHP in Depth on IBM iDB2 and PHP in Depth on IBM i
DB2 and PHP in Depth on IBM iAlan Seiden
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Mais conteúdo relacionado

Último

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Destaque

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destaque (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

What Every DBA Needs to Know About MySQL Security

  • 1. What Every DBA Needs to Know About MySQL Security David Busby Percona Managed Services EMEA Lead Security Lead
  • 2. www.percona.com 2 / 42 Who am I? ● David Busby ● Working at Percona since January 2013 ● Currently ● Percona Managed Services ● EMEA Lead ● Security Lead ● 14 some years as a Sysadmin ● “Devops” as it's now being called. ● Volunteer work ● Help teaching computing at a local school ● Ju-Jitsu instructor for local not for profit club
  • 3. www.percona.com 3 / 42 Agenda ● Security above the MySQL layer ● How to identify and limit an attack surface ● The critical importance of password complexity ● Rigid grants and selective grants ● Deploying SELinux ● Security-related changes in MySQL 5.6 ● The importance of CVEs ● Q&A
  • 4. www.percona.com 4 / 42 Security Above the MySQL Layer ● Security is applied in layers ● Think from the outside in ● As such you need to be aware of each “layer” of your deployment. ● e.g. ● ISP ingress ● Do they have IDS / IPS at their network edge ● What's their incident response program? ● Your network ingress ● e.g. dedicated hardware firewall ● SSL terminators ● OS Level packet filtering / control ● IPTables, netfilter, Haka ● Your application ingress ● In code sanitization, WAF etc. ● Your organization controls
  • 5. www.percona.com 5 / 42 Security Above the MySQL Layer ● Security is applied in layers ● “a chain is only as strong as it's weakest link” ● ISP ● Network ingress ● Personnel ● Identity verification processes ● Internal security controls ● Compliance certifications ● Staff background checks ● Incident response program ● With dedicated team ● With S.L.A ● Recurring audits ● Pentests with available reports ● User ACL audits
  • 6. www.percona.com 6 / 42 Security Above the MySQL Layer ● Security is applied in layers ● Your systems ● Cloud ● Are the hypervisors secured? ● H.I.D.S / H.I.P.S ● M.A.C ● Physical security measures ● Is the block storage encrypted? ● How is the block storage sanitized (if at all) when you “delete” a vm. ● How are guests securely isolated. ● Network ● “in flight” encryption, SSL, VPN (e.g. n2n) etc. ● Memory
  • 7. www.percona.com 7 / 42 Identify and limit your an attack surface ● What is an “attack surface”? ● Points in your system which could be attacked. ● application ● database ● physical systems ● network ● your employees ● hosting provider ● Including hosting providers employees
  • 8. www.percona.com 8 / 42 Identify and limit an attack surface ● Limit your attack surface ● Application ● Sanitize ALL user inputs ● CSRF / XSRF tokens ● Follow SSL Best practices e.g. mozilla wiki ● P.F.S + DHParam ● OSCP Stapling ● W.A.F && I.P.S (with dedicated people). ● Protect the “Audit Trail” ● Regular recurring audit procedures ● Ingress and Egress controls ● Mandatory Access Controls e.g. SELinux
  • 9. www.percona.com 9 / 42 Identify and limit an attack surface ● Limit your attack surface ● Application ● Fail securely / safely ● Catch application exceptions and log, do not render to the user / attacker screen ● Think carefully about error messages ● A login form displaying invalid user / invalid password ● Can be used to enumerate users ● A page error “you do not have access to this page” ● Can be used to enumerate “points of interest” for attacking later ● Miss direction ● Intentionally “sour the milk” for automated tools data collection ● Suppress version numbers, X-Powered-By, Error pages ● Purposely return incorrect response codes ● Utilize tarpits ● Don't “hack back”
  • 10. www.percona.com 10 / 42 Identify and limit an attack surface ● Limit your attack surface ● Database ● Logical / Physical network segregation from application nodes. ● Ingress and Egress controls ● Selective GRANT ● Complex passwords ● Avoid “... IDENTIFED BY 'the_plain_password'” SQL ● Mandatory Access Controls e.g. SELinux
  • 11. www.percona.com 11 / 42 Identify and limit an attack surface ● Limit your attack surface ● Physical systems ● Limitation of access to hardware ● “Social engineering” is just a new term for con artistry ● Challenge “implied trust” a Badge / Uniform != ID ● Never rely on singular control methods, esp not biometrics ● Remove unneeded services and devices. ● e.g. bluetoothd, gcc, gdb, X, gnome, kde, etc. ● Barclays £1.3M “haul” could have been avoided (image credit BBC UK) ● OS Level hardening ● C.I.S, R.H.E.L Security Guide, M.A.C.
  • 12. www.percona.com 12 / 42 Identify and limit an attack surface ● Limit your attack surface ● Employees (Layer 8 / Meat ware) ● Awareness training ● Social media betrays a wealth of information ● (safeinternetbanking.be youtube video) ● B.Y.O.D, a persons “smart” phone is perhaps the single largest repository of personal information you own. ● “implied trust”: “Wanna see a magic trick with your phone?” ● Lock screen bypass / debug abuse / NFC ● Remote attacks: Karma (Jassegar), Malware apps, bluetooth (android remove (bluedroid) crash youtube)
  • 13. www.percona.com 13 / 42 Identify and limit an attack surface ● Limit your attack surface ● Employees (Layer 8 / Meat ware) ● Malicious H.I.D. devices ● Teensy Duino HID ● Data Leak Prevention Bypass ● Challenge identity and “implied trust” ● It's OK to ask for ID! (seriously we have systems do this all the time) ● “Hello I'm calling from the computer security center regarding the virus on your windows machine ...” ● “Hello I'm some_person_from_hr ...” Defcon Youtube
  • 14. www.percona.com 14 / 42 Identify and limit an attack surface ● Limit your attack surface ● Employees (Layer 8 / Meat ware) ● Malicious H.I.D's are tiny, and easily made
  • 15. www.percona.com 15 / 42 Identify and limit an attack surface ● Limit your attack surface ● Certain allowances must be made. ● Trust in Service / Hosting provider. ● Do your own due diligence ● You ask for S.L.A's ● Why not ask about their security and compliance? ● PCI ● HIPAA ● Even if you don't think you need it now.
  • 16. www.percona.com 16 / 42 Identify and limit an attack surface ● Network ● Selective ACL (even if it's only iptables) ● e.g. MySQL doesn't need to be accessible from everywhere! ● Lest we forget CVE-2012-2122 ● Logical / Physical segregation ● H.I.P.S, H.I.P.S ● N.I.D.S, N.I.P.S ● Ensure you have staff looking at the logs! ● Writing IPS && WAF rules. ● Doing anaylsis.
  • 17. www.percona.com 17 / 42 The Critical Importance of Password Complexity ● MySQL 5.5 password standard is just ● SHA1(SHA1(password)) ● Auth handshake ● SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))) ● New salt for every connection ● Assume an attacker can grab a hashdump ● Or packet cap of a privileged account logging in ● The mitigation becomes time vs reward ● As with encryption we want to make it computationally expensive to retrive the original passwords
  • 18. www.percona.com 18 / 42 The Critical Importance of Password Complexity ● Some sample hashes ● ACA068D24BC58DB72E9D3C2D8D29D43FB6F674D9 ● B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4 ● F469EBEEF4AD5F9DE9A0703EABF87DD88A7AF52D ● CB7DFF0540F8C51BF178A1502A286FB8F4A2691E ● F49091CCA44CEC66E65D3D97EA2C3F92D7636734 ● A simple brute force will retrieve the original passwords
  • 19. www.percona.com 19 / 42 The Critical Importance of Password Complexity
  • 20. www.percona.com 20 / 42 The Critical Importance of Password Complexity ● Retrieved! (oclHashCat brute force in ~1.38s) ● ACA068D24BC58DB72E9D3C2D8D29D43FB6F674D9 ● MUCH ● B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4 ● PASS ● F469EBEEF4AD5F9DE9A0703EABF87DD88A7AF52D ● SUCH ● CB7DFF0540F8C51BF178A1502A286FB8F4A2691E ● BAD ● F49091CCA44CEC66E65D3D97EA2C3F92D7636734 ● WOW
  • 21. www.percona.com 21 / 42 The Critical Importance of Password Complexity ● Trivial to get weak passwords of privileged accounts. ● “Budget setup” 2 x 7750 Radeon ● Software crossfire ● 270 Million hashes per second ● Wordlists / properly configured patterns result in high hash rates ● Same as most “passwords were hacked” disclosures ● Relatively weak hashing ● MySQL only uses SALT on the network auth side ● MySQL_NA
  • 22. www.percona.com 22 / 42 The Critical Importance of Password Complexity ● Conclusion? ● The greater the complexity of a password ● The more computationally expensive it is to retreive ● Reduces the likelihood of being on any pre- computed hash list ● Increases time needed for privilege escalation (via the demoed method) ● Increases the likelihood of re-mediation “before things get worse”
  • 23. www.percona.com 23 / 42 Rigid grants and Selective grants ● A Rigid grant or a Selective grant is an interchangeable term ● Principle Of Least Privilege ● Think of ACL audits (which are a PCI requirement) ● What access does the user have? ● Does the user really need that level of access? ● What are the reasons? ● Does the user really need access from %? ● Most likely you can restrict this ● Your application really doesn't need ● ALL PRIVILEGES ON *.* WITH GRANT OPTION ● Equally Super_priv, Create_routine, Insert_priv, FILE ... etc.
  • 24. www.percona.com 24 / 42 Rigid grants and Selective grants ● Understand “WITH GRANT OPTION” is “The Keymaker” ● Understand that Super_priv ● Can kill any process ● Can write even when read_only = 1 ● Can stop / reset slaves ● Is part of “ALL” ● Understand that FILE && Create_routine ● Can be abused to stage malicious UDF's ● Youtube link to my PLMCE live demo ● Understand that Insert_priv could ● Allow insert directly into mysql.user
  • 25. www.percona.com 25 / 42 Rigid grants and Selective grants ● Understand “WITH GRANT OPTION” is “The Keymaker” ● Yes this has appeared twice it's that crucial ● It's the “keys to the kingdom” ● You're applications user REALLY should not have this. ● Seriously ● Don't ● Do ● It
  • 26. www.percona.com 26 / 42 Deploying SELinux ● Performance overhead ● Variable Y.M.W.V ● Test! ● The What before the Why ● Mandatory Access Control ● Turn it ON! ● /etc/selinux/config ● SELINUX=enforcing ● SELINUXTYPE=targeted ● Also works on AMI ● Blog link
  • 27. www.percona.com 27 / 42 Deploying SELinux ● Labels ● Contexts applied to files, ports, etc. ● User:role:type:level ● “targeted” policies look at the type ● Type Enforcement (policies) ● Example ● Process A runs in context B ● Context B is allowed access to ● Context C, D, E ● Not F
  • 28. www.percona.com 28 / 42 Deploying SELinux ● mysqld_t ● You want to allow access to ● mysqldb_t /var/lib/mysqld ● mysql_log_t /var/log/mysql ● mysql_port_t *:3306 ● But not ● passwd_file_t /etc/passwd ● shadow_file_t /etc/shadow ● http_port_t, ssh_port_t, etc ...
  • 29. www.percona.com 29 / 42 Deploying SELinux ● D.A.C vs M.A.C ● Discretionary Access Control (POSIX permissions) ● Allows access to whatever resource the user it is running as has access to ● Software still runs as a user ● Unlikely you want software to have the same rights as a user ● Viruses, Malware etc ... ● D.A.C chmod 777 == Shotgun + Foot ● A chmod 777 on the plugins dir allows malicious UDF staging in my PLMCE live demo
  • 30. www.percona.com 30 / 42 Deploying SELinux ● Debugging ● `setenforce 0` == Permissive != OFF ● ALWAYS ensure you go back to `setenforce 1` ● New tools make everything easier ● setroubleshoot-server, libselinux-python ● 9/10 issues are “incorrect labeling” ● Common gotchas ● New files / Dirs inherit labels ● Moved / copied files KEEP their original context
  • 31. www.percona.com 31 / 42 Deploying SELinux ● Arrests “out of context” behaviour ● My live demo malicious UDF is blocked by SELinux ● By default! ● Additional layer of security ● Not a replacement for multiple layers ● CVE-2013-2094 was not blocked by default ● perf_swevent_enabled -> priv escalation ● J.I.T patching possible using SELinux ● Change user context to user_u from unconfined_u ● RH BZ Link #962792
  • 32. www.percona.com 32 / 42 Deploying SELinux ● Living with SELinux ● Most common tools have the -Z option ● ls -Z ● unconfined_u:object_r:user_home_t:s0 ● ps -z ● unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ● MySQL / Percona Server / MariaDB work “out of the box” ● For the defaults ● /var/lib/mysql ● *:3306 etc.
  • 33. www.percona.com 33 / 42 Deploying SELinux ● Living with SELinux ● Install the tools ● policycoreutils ● setools-console ● setroubleshoot-server ● setroubleshoot-plugins ● SELinux booleans ● mysql_connect_any ● Allow mysqld to connect to all ports ● allow_user_mysql_connect ● Allow users to connect to mysql socket (not mysql users, local system users)
  • 34. www.percona.com 34 / 42 Deploying SELinux ● Living with SELinux ● Change the datadir ● semanage fontext -a -t mysqld_db_t “/path/to/mysql(/.*)?” ● Change the port ● semanage port -a -t mysqld_port_t -p NNNN ● orchestration frameworks can ease your use of SELinux ● Ansible ● file: dest=/path/to/mysql state=diesctory owner=mysql group=mysql mode=0755 seuser=system_u serole=object_r setype=mysqld_db_t selevel=0 ● seboolean: name=httpd_can_network_connect_db state=yes persistent=yes
  • 35. www.percona.com 35 / 42 Security Related Changes in 5.6 ● Password expiration ● default_password_lifetime ● default 360 days ● 0 == disable auto expiry ● dissconnect_on_expired_password ● NO ● Drop to sandbox on expiry to allow change ● YES ● Disconnect ● Force an expiry ● ALTER USER 'user'@'host' PASSWORD EXPIRE; ● mysql.user.password_expired ● Not available Maria DB 10 “to be implemented in later 10.x versions” ● Tested against 10.0.12
  • 36. www.percona.com 36 / 42 Security Related Changed in 5.6 ● Password validation plugin ● validate_password_policy = LEVEL ● LOW ● >= 8 Chars ● MEDIUM ● All requirements of LOW ● >= 1 number ● >= 1 upper case ● STRONG (unsure why this isn't called HIGH) ● All requirements of MEDIUM ● Substrings >= 4 chars must not appear on defined dictionary
  • 37. www.percona.com 37 / 42 Security Related Changed in 5.6 ● Password validation plugin ● Customizable ● validate_dictionary_password_file = “/path/to/file” ● validate_password_length = 8 ● validate_password_mixed_case_count = 1 ● validate_password_number_count = 1 ● validate_password_special_char_count = 1 ● Circumventable ● Not yet available in MariaDB 10 see: MDEV-6431 planned for 10.1 ● Pluggable authentication ● sha256_password plugin ● mysql.users.authentication_string ● Opens the possibility for stronger algos ● Not yet available in MariaDB 10 see: dev list thread “to be implemented in later 10.x version”
  • 38. www.percona.com 38 / 42 Security Related Changed in 5.6 ● SSL ● Tunable cipher spec ● --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA ● MariaDB 10 does support this tested against 10.0.12 ● High performance overhead ● Mostly due to connection handshake overhead ● Connection pooling helps to reduce this “cost” ● Client can not “force” an SSL / TLS connection :( ● Silently fails
  • 39. www.percona.com 39 / 42 The Importance of CVE's ● Common Vulnerabilities and Exposures ● Common classification and notation of known vulnerabilities ● $vendors and $researcher alike use this to classify vulnerabilities ● Along with CVSS scoring ● Used in changelogs to note when a patch has been applied. ● Syntax changed in January to allow for >9999 filings per year. ● Additional resources ● Open Source Vulnerability Database ● Secunia ● National Vulnerability Database ● ExploitDB ● Reddit /r/netsec ● news.ycombinator.com ● Full disclosure list (has re-opened!)
  • 40. www.percona.com 40 / 42 Percona Services ● Consulting ● Typically short term engagements ● For security projects, we'd assess gaps in MySQL and infrastructure and implement changes in collaboration with the customer. ● Available for remote and on-site activities ● Managed services including Remote DBA ● The Long term solution ● Fix problems present today and operate using best practices for the future in collaboration with Percona ● Manage security as well as other DBA Ops needs ● backup ● Recovery ● Etc ...
  • 41. www.percona.com 41 / 42 Percona Live London 2014 ● November 3-4, 2014 ● Learn what works from leading companies who use MySQL ● Hear how to drive down costs and improve performance with innovative solutions. ● Discuss your unique challenges and discover options for solving them ● Early bird pricing available now: http://www.percona.com/live/london-2014/

Notas do Editor

  1. There may be (though hopefully not) some runover there's a lot of material to be covered in a short amount of time, Feel free to catch me after the talk for additional questions / breakout demos. There's livedemos but just incase there's also videos to fallback on if $something doesn'twork.
  2. There may be (though hopefully not) some runover there's a lot of material to be covered in a short amount of time, Feel free to catch me after the talk for additional questions / breakout demos. There's livedemos but just incase there's also videos to fallback on if $something doesn'twork.