System Advancements at the Monastery

Recently I was involved with testing a companies’ employees susceptibility to a phishing attack using fake Valentine day e-cards. The employees had all undergone training on phishing. Still many people clicked, in hopes of finding out that they were loved. It really is not surprising. This is why we practiced defense-in-depth. Normally, controls would have prevented this e-card from getting through. Other controls would have pulled the phishing attempt before most people would of viewed it. We wanted to test the employees, so those controls were not activated. We had one person tell us that they figured if it was anything bad we would have stopped it, so he felt it was safe to click. The layers had instilled in him a false sense of security. Others went further telling us how security needs to make sure they never get these phishing attempts. It was not their job to worry about security.

Unfortunately, when it comes to installing software, secure design is often the last consideration. I know a gentleman who frequently will state, “I just have to get this done.” When it comes to software installation, he will find packages that will take care of the installation of the software for him. Unfortunately, frequently those packages are design to cause the least problems installing on as many varied systems as possible. Now consider what an importance role that the database plays. Should you not invest some time in configuring it correctly and learning how to properly manage the database?

Like my previous posting, “Securing Apache: References,” I wanted to start off by providing references. My focus is on the security aspects of setting up MySQL. This posting will be followed by a hands on step-by-step posting. The below references will provide a great deal more information than I could ever provide in blog postings. I am only trying to point the way to greater understanding.

Documents and Articles

Podcasts, blogs, and forums are great ways to get specific information. A document, such as a reference manual, will provide a better breadth of coverage. For this reason, when starting any project, I like to start out with documents, books, and articles. Articles are good in that the tend to be somewhat authoritative, and lead to additional articles within the magazine/site.

• MySQL 5.1 Reference Manual - the best place to start is the reference manual. Generally, I prefer printed version verses accessing material online. Since the reference manual is 2372 pages, I would suggest keeping to the electronic version. In relation to security, please pay particular attention to:
  • 2.9. MySQL Installation Using a Source Distribution.
  • 5.3. General Security Issues.
  • 5.4. The MySQL Access Privilege System.
  • 5.5. MySQL User Account Management.
• Center for Internet Security Benchmark for MySQL Versions 4.1, 5.0, and 5.1 Community Editions by Mike Eddington, Leviathan Security Group.
• MySQL: The Complete Reference, chapter 14: Security, Access Control, and Privileges by Vikram Vaswani.
• 10 steps to fortify the security of your MySQL installation.
• Securing MySQL: step-by-step by Artur Maj.
• Secure MySQL Database Design by Kristy Westphal.
• Security and the real world by Kristian Köhntopp.
• How MySQL Treats Security Vulnerabilities by Kaj Arno.
• Getting started with MySQL Proxy by Giuseppe Maxia.

Web Seminars and Podcasts

The MySQL site does offer on-demand web seminars. Of particular interest is “Best Practices for Securing MySQL 5.0” by Jimmy Guerrero, Senior Product Manager, MySQL AB. Sheeri Kritzer Cabral (blog site listed below) made available her presentation to the Boston MySQL user group, titled “MySQL Security“. Sheeri has also made available her podcast, “Basic MySQL Security.” The OurSQL MySQL Database Podcast is a very interesting podcast. It is a great way to keep informed on MySQL. Sheeri will be presenting at the MySQL Conference and Expo “Database Security Using White-Hat Google Hacking.” It should be a great talk.

Forums and Blogs

While most of these forums and blogs might not focus on security, blogs can having postings on a variety of topics. There are many more great MySQL blogs. The list below were chosen because they had some security posts and/or the blogger had written articles, did presentations, or in some way indicated an awareness of security.

• MySQL Forums - this forum is off the MySQL site and there are many forums of special interest, including a Security Forum. If you run into problems with the installation, there is an Install Forum.
• Planet MySQL - offers blogs, news, and opinions on MySQL. If you try to access blogs.mysql.com, you will be redirected to planetmysql.org.
• Sheeri by Sheeri Kritzer Cabral, MySQL and Oracle DBA for The Pythian Group. Also see her podcast, OurSQL MySQL Database Podcast.
• Roland Bouman’s blog, by Roland Bouman, Training Course Curriculum Developer for MySQL AB and contributor to O’Reilly Databases site.
• The Data Charmer by Giuseppe Maxia, Database Analyst and Designer. Contributor to O’Reilly Databases site (and a whole lot more).
• MikeKruckenbery by Mike Kruckenberg, coauthor of Pro MySQL.
• MySQL-dump.
• MyQSL QA by Jonathan Miller, Senior Lead Quality Assurance Developer.
• MySQL Musings by Mats Kindahl, lead developer at MySQL with replication as main focus.
• Senior MySQL DBA Blog by Farhan Mashraqi.
• MySQL Performance Blog by Peter Zaitsev.

Sites

A few sites with articles on MySQL that might be of interest. Their focus is not on security or configuration, but the sites are good sources for MySQL information:

• O’Reilly ONLamp.
• O’Reilly Databases Site.
• Database Journal.
• Dev Shed.
• SitePoint.

Wrap Up

The above sources provide not only a good starting point for MySQL secure installation, but a library for help with MySQL operations.