September 2, 2014

Database security: Why should you review yours?

Ah database security… the black sheep of topics and something you would really rather not have to deal with right?

I mean surely all the fanfare and paranoia is reserved for the neck beards with tinfoil hats whom live in their own D.I.Y Faraday cage … that must be it … it just has to be?

No, the hard reality is the world is not rose tinted and “they” are out to get you, be it for fun or for profit; from defacements to theft, compromising your applications, and more importantly your data, is big business. For some these acts are nothing short of sheer entertainment for an otherwise boring evening. (I’ll be speaking about this topic next week in much more detail at the Percona Live MySQL Conference and Expo in Santa Clara, California. My session, “Security and why you need to review yours” will go into much more detail on April 2. Use the code “SeeMeSpeak” on the registration page and save 10 percent.)

Note I’m avoiding discussing corporate espionage/government spying, as this reinforces the image of it all being cloak and dagger; admittedly some of it is … the part that’s going to affect you, your business, your livelihood isn’t.

It’s time for that wake-up caffeine infusion and to drink the “kool aid” – this is not something you can shun and pretend it’s a monster under the bed/in the closet that doesn’t really exist. Unlike the “bogey man” these threats are real, and have real impacts on people’s livelihoods.

F.U.D? The fear part I certainly am wanting to portray here; a level of fear is healthy, it keeps you alert. The uncertainty and doubt? No, these should and will be removed, so please allow me to continue.

Removing Uncertainty
As with anything that requires research I’m sure you the reader would carry out proper “Due Diligence.” You wouldn’t want anything to adversely affect your product/business; taking hosting as an example, you’ll look at the provider’s reputation, their S.L.A. agreements, etc.

What about their Security credentials? PCI / SOX / HIPAA … there’s numerous classifications.

“But I don’t need PCI / SOX / HIPAA!” To this I say you need a compromise of your application/business even less… what’s the harm in asking the provider if they have been through any regulatory compliance? I just don’t get the stigma some people seem to feel when asking a question related to security. Remember, when deploying your application you’re building upon your hosting provider’s infrastructure.

“A foolish man who built his house on sand”: in short, if your foundations are not sound you’re opening yourself up to failure and compromise. As an example, PayPal and GoDaddy were socially engineered, resulting in the loss of a $50K Twitter username, and Barclays suffered a £1.37M theft; both are due to the same level of failure, the term for which is “Social Engineering” … which really is just a new term for conning someone into doing what you want them to do.

“The art of the con” is hardly anything new, and has been around for centuries; take Victor Lustig, whose infamous example of con artistry was to sell the Eiffel Tower for scrap … twice.

Dispelling Doubt
“By failing to prepare you are preparing to fail” - Benjamin Franklin

Let’s look at this a little more with some common misconceptions.

“I don’t really need to look at security, my project/business is small and will not be attacked.” I’d liken this statement to saying you don’t need seat belts and air bags because you’re a careful driver, or driving at night with no lights on because “I have good night vision.” You have safety and security measures in your everyday life which, because they fall as part of the routine, are not thought about: locks on doors, car/home/business alarms, CCTV, GPS locators for phones/cars/tablets/laptops … we need to eliminate this thinking that information security is anything other than a requirement which should form part of our everyday “norms”.

“Security is too expensive.” Have you looked at the cost of a compromise of your system? How much is the potential loss of your entire customer base worth to you? …not looking quite so expensive now, is it? Liken an investment in security to an investment in High Availability: you want your application to be “always on” … so why do many think “secure” is prohibitively expensive to achieve?

“We simply don’t have the resources to implement security measures.” Yet you have the resources for development, DBAs, sysadmins? One of the best ways to introduce security into your application is “from the ground up,” so that it becomes part of your general practice – this requires a “state of mind” orientated toward security.

What many fail to realize is that, assuming your business is successful, you already have a state of mind orientated to best practices which work for your business to produce an application/service of value; minor tweaking to this could also introduce a mindset of security.

Remediation - “the action of remedying something, in particular of reversing or stopping environmental damage.”

It’s not going to be as painful or expensive as you may think; the first, most powerful step is a minor change of development/sysadmin attitudes to consider the security implications of code/services/configurations. Let’s bring back the healthy attitude of asking questions.

Do I really need to disable SELinux to get this to work? – the answer is of course no, you shouldn’t; this should be the same vein of thought as “do I really need to chmod this 777 to make it work?”

Does this service really need to be installed? – e.g. bluetoothd doesn’t need to be on your production machines.

We’re adding a user input form, we should really sanitize the input – seems obvious to most now, though this was met with just as much “resistance to change” before it became a best practice standard.

Does MySQL really need to be accessible from everywhere on the internet? – again, may seem obvious to most now, though this was, and sometimes still is, met with resistance of “I may need to run queries from home, off my mobile, from the open wifi at the local coffee shop …” (those of a security orientated nature, I apologize for this statement and I can sense the cringing now in progress as this is read …).

The above is just a small example of reducing your attack surface, your attack surface being the potential entry points into your system/network/application which can be attacked.
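As an added example (not the post’s own tooling), the POSIX shell script below turns two of those questions into a repeatable check: it audits a my.cnf fragment for a mysqld that listens on every interface, and a user/host listing of the kind `SELECT user, host FROM mysql.user` returns for accounts allowed in from any host. The configuration fragments, account listings and function names are all constructed for this illustration.

```shell
#!/bin/sh
# Added example: offline attack-surface audit for a MySQL host. The weak and
# hardened inputs below are constructed sample data, not taken from a real server.

# Constructed weak configuration: mysqld reachable from any interface.
WEAK_CNF='[mysqld]
bind-address = 0.0.0.0
port = 3306'

# Constructed hardened configuration: only local connections accepted.
HARDENED_CNF='[mysqld]
bind-address = 127.0.0.1
port = 3306'

# Constructed "user<TAB>host" listings (weak: wildcard hosts; hardened: pinned hosts).
WEAK_USERS=$(printf 'root\tlocalhost\nroot\t%%\napp\t%%\n')
HARDENED_USERS=$(printf 'root\tlocalhost\napp\t10.0.0.5\n')

# Print the configured bind-address, or nothing if the directive is absent.
bind_address() {
  printf '%s\n' "$1" | awk -F= '$1 ~ /^[[:space:]]*bind-address[[:space:]]*$/ {
    gsub(/[[:space:]]/, "", $2); print $2 }'
}

# Print each account whose host part is the wildcard "%" (any client address).
wildcard_accounts() {
  printf '%s\n' "$1" | awk -F'\t' '$2 == "%" { print $1 "@" $2 }'
}

# Emit one "FINDING:" line per failed check; prints nothing when all pass.
audit() {
  addr=$(bind_address "$1")
  case "$addr" in
    ""|0.0.0.0|::|"*")
      echo "FINDING: mysqld listens on every interface (bind-address=${addr:-unset})" ;;
  esac
  wildcard_accounts "$2" | while read -r acct; do
    echo "FINDING: account $acct may connect from any host"
  done
}

# Number of findings for a config/account pair, as a plain integer.
finding_count() {
  audit "$1" "$2" | awk '/^FINDING:/ { n++ } END { print n + 0 }'
}

audit "$WEAK_CNF" "$WEAK_USERS"
```

Run against the weak pair it reports the open bind-address and the two wildcard accounts; the hardened pair yields no findings.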

The thinking behind the need to invest a lot of money into some expensive appliance / magic solution is for the most part misguided; throwing a “security blanket” over or in front of your application isn’t going to be as effective as ensuring consideration of security at every layer of your business.

Over the coming months I will be working on more related blogs, webinars – and a reminder that I’ll also be giving a talk on “Security and why you need to review yours” at Percona Live in Santa Clara this April 2nd.

Comments

  1. Hi David,

    Database security is not an easy sell to clients. Most think that the security is the responsibility of the application, and not the database. Maybe the reason for this is that most hacked websites are hacked because of a flaw in the application, and not the database. Nevertheless, the negligence of database security has gone too far, where most websites interact with the database with a DB user that has ALL privileges over that database, for example.

    Yes – some throw the DB behind the DMZ (mainly because they’re forced to do so because of PCI requirements), but that’s about it. By the way, PCI requirements state that only the DB storing credit card information (and related critical information) should be behind the DMZ. I’m personally not convinced that throwing the DB behind the DMZ will make it substantially more secure.

    By the way, most clients only consider securing their application when they get hacked. I think it’s the job of the IT personnel to highlight the importance of investing in periodical security reviews.

  2. Hi Fadi,

    database security as a single item yes, I’m of the belief that security should be a mindset for your whole application and infrastructure (as I will cover in my talk at PLMCE next week, and subsequent webinars / posts).

    W.R.T. PCI, it’s there only as an example, as to say that it’s something you can ask your hosting provider: whether they have had any form of regulatory compliance, including but not limited to PCI. Take EC2 as an example: http://aws.amazon.com/compliance/pci-dss-level-1-faqs/ their infrastructure is PCI-DSS level 1 compliant; of course if you choose to not implement the standards onto such infrastructure you will not be PCI compliant.

    Look at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf for an example of the latest standard

    9.1 “Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.”

    9.1.1 “Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.”

    9.4.4 “A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.”

    And that’s only the 9.x section and limited to requirements on physical access to the datacenters; of course the level to which you go is dependent on your PCI requirements as a merchant; however it’s often a good “measure” for the security measures a host has in place.

    And I agree often it is far too true that security is an afterthought after a breach; this is where the change in mindset is key; make things less “alien” make them become part of the “norm”, unless this is achieved the resistance to change will continue.

  3. Hi David,

    Great to see that you are pushing Database Security. Would like to mention the Audit Plugin interface of MySQL, which I think is a great way to increase security and meet regulatory needs. Hope you have plans to address this option in future blog posts.

    Best,

    Guy
