[cs615asa] Meetup Summary

Patrick Grasso pgrasso at stevens.edu
Fri May 4 10:46:36 EDT 2018


Meetup Title: Inside the Head of a DB Hacker
URL: https://www.meetup.com/mysqlnyc/events/248972260/

The main speaker for the talk was Mark Fallon, Lead Security Architect
for Oracle Database. His talk was a general overview of the security of
database systems, focusing on the perspective of a hacker and how using
this perspective helps when building a threat model and setting up
defense mechanisms. While the talk focused on database systems, most of
the lessons can be applied to systems in general.

I chose this meetup because of my degree's focus on cybersecurity. The
talk was reminiscent of our lecture on security, with many of the same
points being made (e.g. monitoring, reducing attack surface,
inter-system barriers to deter lateral movement). The talk progressed
sequentially through the phases of an attack. Mark began by discussing
an attacker's motivation and intent. He asked the audience, "what do you
think is the number one motive for attackers?" Somewhat comically, and
in resounding unanimity, the audience responded, "crypto mining!!" His
general message with regard to intent was that "if the data is valuable
to you, it's valuable to somebody else," which applies to non-database
systems as well. Data and computational power alike, both resources can
be described this way.

Another important lesson I learned from this talk is that humans are the
most vulnerable, risky components in many systems. Although I forget the
exact statistic, an incredible percentage of recent attacks involved
phishing.

Mark made several recommendations to defend against the attackers he
identified throughout the talk.

- Know what data/resources you have and where they are (all of them).
- Don't rely on secure defaults (take time to ensure proper setup).
- Reduce attack surface.
- MAKE BACKUPS and make sure that they work.
- Start with encryption, because it's "easy to setup and provides a huge
  benefit."
- Mitigate risk of password loss.
- Compartmentalize.

This talk was an awesome opportunity to learn new aspects of (database)
system security and to reinforce specific topics we had covered in class.

Regards,
Patrick Grasso
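Of the recommendations listed above, "make backups and make sure that they work" is the one most often left unverified; the only real check is a restore. The following is an added example, not code from the talk or from this mailing-list post: it uses Python's standard sqlite3 module as a stand-in for the MySQL/Oracle systems the talk covered, builds a small constructed database, writes a logical dump, restores that dump into a fresh file, and compares a content checksum of every table. A partial backup (simulated here by dropping one row from the dump) fails the check, which a schema-only comparison would miss.

```python
"""Backup verification by restore-and-compare (added example, SQLite as a
stand-in for the database systems discussed in the talk; sample rows are
constructed here)."""
import hashlib
import os
import sqlite3
import tempfile


def build_sample_db(path):
    """Create a small constructed database so the check runs offline."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                    [("alice", 120), ("bob", 45), ("carol", 980)])
    con.commit()
    con.close()


def dump_to_sql(db_path, dump_path):
    """Write a logical backup (SQL text) using sqlite3's iterdump()."""
    con = sqlite3.connect(db_path)
    with open(dump_path, "w", encoding="utf-8") as f:
        for line in con.iterdump():
            f.write(line + "\n")
    con.close()


def content_checksum(db_path):
    """Hash every user table's rows in a deterministic order.

    Checking that tables merely exist would pass a truncated backup, so the
    rows themselves are hashed, table by table, ordered by rowid.
    """
    con = sqlite3.connect(db_path)
    h = hashlib.sha256()
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for t in tables:
        h.update(t.encode())
        for row in con.execute(f'SELECT * FROM "{t}" ORDER BY rowid'):
            h.update(repr(row).encode())
    con.close()
    return h.hexdigest()


def restore_from_sql(dump_path, restored_path):
    """Restore the dump into an empty database by replaying the SQL."""
    if os.path.exists(restored_path):
        os.remove(restored_path)
    con = sqlite3.connect(restored_path)
    with open(dump_path, encoding="utf-8") as f:
        con.executescript(f.read())
    con.close()


def verify_backup(db_path, dump_path, restored_path):
    """Return True only if restoring the dump reproduces the live data."""
    restore_from_sql(dump_path, restored_path)
    return content_checksum(db_path) == content_checksum(restored_path)


def run_demo():
    """Build, dump, restore, compare; then show a partial backup failing."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "live.db")
    dump = os.path.join(workdir, "live.sql")
    restored = os.path.join(workdir, "restored.db")
    build_sample_db(live)
    dump_to_sql(live, dump)
    good = verify_backup(live, dump, restored)

    # Simulate a partial backup: the dump lost the row for 'bob'.
    with open(dump, encoding="utf-8") as f:
        lines = f.readlines()
    bad_dump = os.path.join(workdir, "partial.sql")
    with open(bad_dump, "w", encoding="utf-8") as f:
        f.writelines(line for line in lines if "'bob'" not in line)
    bad = verify_backup(live, bad_dump, restored)
    return good, bad


if __name__ == "__main__":
    ok, partial_ok = run_demo()
    print("complete backup verified:", ok)
    print("partial backup verified:", partial_ok)
```

The restore target is always a fresh file, so a stale copy from an earlier run can never make a broken dump look good; in a real deployment the same idea applies with the engine's own dump and restore tools and a scratch instance rather than the production server.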
