Download as ODP, PPTX
Uploaded byDavid Busby, CISSP
Plmce mysql-101-security-basics
This document discusses essential security principles for MySQL, highlighting the inevitability of security breaches and the importance of a solid foundational approach. It covers various security measures, including the need for strong password policies, the reduction of attack surfaces, and the significance of employee training against threats. Key topics include authentication mechanisms, minimizing access avenues, and utilizing specific MySQL security features.
More Related Content
Similar to Plmce mysql-101-security-basics
![[INSIGHT OUT 2011] B12 better my sql security and administration(ronald)](https://cdn.slidesharecdn.com/ss_thumbnails/insightout2011b12bettermysqlsecurityandadministrationronald-111114182222-phpapp01-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Plmce mysql-101-security-basics
- 1. MySQL 101 Security Basics DavidBusby 2015-04-16
- 2. `whoami` • David Busby –InformationSecurity Architect –Percona since Jan 2013 –Several talks on Security 2
- 3. You will becompromised • Let's talk about –Kübler-Ross model –Acceptance –Damage Limitation –Mitigation –Focus on what can be controlled 3
- 4. You will becompromised • Let's NOT talk about –$three_letter_agencies –$govt –$espionage –$doomsday_scenario 4
- 5. Security from theground up • Let's talk about –A solid foundation –VM, Baremetal –Side channel attacks –Phishing, Spear Phishing –Social Engineering –Unintentional emissions 5
- 6. Because … acronyms! •Let's talk about –A.C.L –P.O.L.P –M.A.C –D.A.C –I.D.S / I.P.S –W.A.F 6
- 7. Because … acronyms! •I.D.S 7
- 8. Because … acronyms! •I.P.S 8
- 9. Plugging the holes •Let's talk about – Attack surface – Reduce avenues of access – Reduce visibility – Remove Bad ACLs ANY ↔ ANY:ANY GRANT ALL – Bad file permissions – 0640 files, 0750 dirs 9
- 10. Plugging the holes •Let's continue to talk about –Attack surface –Remove redundant packages –Remove redundant services –Isolate the DB system via network ACL –Don't be the guy in the “target vest” 10
- 11. Plugging the holes •Let's talk about –MySQL security features –sha256_password –auth_pam –Proxy groups Requires MySQL >= 5.7.7 Or use of auth plugin 11
- 12. Plugging the holes •Let's talk about –Selective grants NO: “ALL on *.*” NO: “SUPER” NO: “WITH GRANT OPTION” 12
- 13. Plugging the holes •Let's talk about –MySQL auth handshake && passwords (default 5.x) –Password storage: sha1(sha1(password)) –Auth: SHA1(password) XOR (salt + sha1(sha1(password))) –Strong passwords are KEY! 13
- 14.
- 15.
- 16. Why password complexityis important • We've “recovered” the passwords MUCH: ACA068D24BC58DB72E9D3C2D8D29D43FB6F674D9 PASS: B415DD9C4FB5EF59FE80C4FEBC1F9C715E6E97C4 SUCH: F469EBEEF4AD5F9DE9A0703EABF87DD88A7AF52D BAD: CB7DFF0540F8C51BF178A1502A286FB8F4A2691E WOW: F49091CCA44CEC66E65D3D97EA2C3F92D7636734 16
- 17. Plugging the holes •Let's talk about – REQUIRE SSL – Auth takes place over SSL connection – Overhead – ssl_cipher 17
- 18. Plugging the holes •Let's talk about – Training your employees – Train yourself – No “head in the sand” – Be aware of potential threats 18
- 19. … more acronyms •Let's talk about – B.Y.O.D – I.o.T – Malicous H.I.D – Abusing / Malicious WiFi 19
- 20.