As a cybersecurity consultant for APX Data Systems (ADS), you were tasked with leading a project team to implement database systems that conform to the HIPAA security rule for one hospital client. The database system should be capable of hosting highly sensitive information such as personally identifiable information (PII), personal health information (PHI), and electronic personal health information (ePHI) to comply with federal regulations. Part of your responsibility was to review, evaluate, and make recommendations with respect to the maintenance of a secure database system for the client. Based on the knowledge and experience gained from the lab, answer the following questions.

 

 

PART 2: STARTING THE LAB—Connecting to MySQL Server and Securing the Initial Root Account, Securing MySQL Account with Automated Secure Installation, Creating a New MySQL Admin Account with Privileges, etc.

 

1. You now know that the installation of MySQL creates only a root user account that has all privileges and can execute any database statement. However, if the root account has no password, the security of the MySQL installation is obviously compromised, in the sense that anyone can connect to the server as root and be granted all privileges. Besides configuring the security settings, what other security control measures can you implement to make MySQL more secure?

2. What other ways can you configure the security settings to secure a MySQL server installation?

3. Using the secure MySQL installer script, how can you mitigate unauthorized access to the database system by anonymous users?

4. How do you start and switch to MySQL on Kali Linux or a Linux OS in general? Where are MySQL database files stored in Linux? Also, what is the default port for MySQL Server?

5. Once you set up databases, users, and permissions, consider what the daily management of your MySQL databases, user accounts, and privileges looks like. Developers, business users, contractors, vendors, and several others need access on a daily or regular basis. How will you manage database credentials as the infrastructure grows, based on your experience in the lab so far?

6. How will you ensure each user has access that is as granular as possible and performs only specific tasks with assigned privileges and nothing more?

 

PART 3: MANAGING AND SECURING MYSQL DATABASE SYSTEMS (DBMS)—Creating and Accessing MySQL Databases, Evaluating MySQL Access Control Systems and Account Management, Testing MySQL Access Control and Assigned Privileges, etc.

 

1. Instead of using 'cst620-admin'@'localhost' in the CREATE USER statement, one can decide to use a wildcard, as in 'cst620-admin'@'%', where '%' is the wildcard in place of 'localhost'. With the wildcard, a user can connect from any client host, but this is not a best practice due to potential security risks. In your opinion, what potential security risks are likely to occur and what security control measures would you take to address them?

2. When a user attempts to connect to a MySQL server, the server accepts or rejects the connection based on whether the user account is locked or unlocked as one condition. During the connection request, what else must happen for the server to verify a user after providing proper credentials? What constitutes a full identification and what role does it play in this regard?

3. The MySQL server performs identity and credentials verification and accepts the connection only if specified conditions are satisfied. What does the server system use to perform identity and credentials verification? [Hint: the columns in the user table can provide a useful clue.]

4. Considering MySQL server authentication, is it possible for the client hostname and username combination of an incoming connection request to match more than one row in a user table? Why or why not?

5. In your opinion, and from MySQL security experience gained so far, why do you think creating remote user accounts instead of local-based accounts can create unintended security vulnerabilities and thus potential threats?

6. Which one of the cst620-user, cst620-user1, and cst620-user2 users cannot delete another user, database, or table? How can you determine this, if at all possible?

7. From a MySQL database security standpoint, your frontend applications may use scripts to interact with the backend database system. Assuming a malicious user or a hacker is trying to conduct a SQL injection or cross-site scripting attack, even if the frontend application (e.g. forms) is compromised, why do you think it would still be a challenge for this attacker to alter backend MySQL statements and be able to manipulate the user-supplied data?

8. Security misconfiguration related to such endpoints as application servers, web servers, security appliances, and other platforms poses huge security flaws to security professionals and business leaders. If a malicious actor happens to target your internal network, describe how properly configured MySQL database permissions and firewalls can mitigate any potential compromise.

9. Throughout this lab exercise, you witnessed how MySQL misconfiguration can pose security challenges to database security admins and the profession as a whole. Based on this knowledge, do you think enhanced security is a by-product of good security administration? If not, why?

10. Considering the access, version_id, plugin, authentication_string, and password_last_changed parameters of the JSON structure inside the "Priv" column for cst620-user, what is/are the impact(s) on MySQL security?