Security Interview Prep Series — 6. Infrastructure Security

Shraddha M.
3 min read · Jan 25, 2025


Database

I. How would you secure a Mongo database?

  1. Enable authentication: Require users to authenticate with usernames and passwords. Use role-based access control (RBAC) to assign minimal permissions.
  2. Encrypt data:
  • In-transit: Use TLS/SSL to encrypt connections between the client and the database.
  • At-rest: Enable storage-level encryption using MongoDB’s built-in encryption features or disk encryption tools like LUKS.
  3. Restrict network access: Bind MongoDB to specific IP addresses (by default, MongoDB binds to all available network interfaces, i.e. 0.0.0.0). Set up firewall rules to restrict access. Use a VPN or SSH tunnel for secure remote access. Use IP whitelisting.
  4. Secure configuration: Disable default settings like bind_ip: 0.0.0.0 to prevent exposure. Turn off server-side JavaScript execution to prevent injection attacks.
  5. Audit and monitor: Enable MongoDB’s auditing and logging features to track access and detect anomalies. Use monitoring tools like mongostat or external platforms (e.g. Datadog).
  6. Backup safeguards: Encrypt backups and store them in secure locations. Regularly test restore procedures to ensure data integrity.
  7. Update and patch: Keep MongoDB and its dependencies updated to protect against known vulnerabilities.
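Points 1, 3, 4 and 5 above all map to keys in the YAML-style mongod.conf (the modern spelling of bind_ip is net.bindIp). The script below is an added example, not code from the original post or from MongoDB: it parses the indentation-based mapping subset of YAML that mongod.conf uses (so it needs no third-party library) and reports which hardening points a given file misses. Both configuration texts are constructed for the example; the audit log keys assume MongoDB Enterprise, where auditing is available.

```python
# Added example (not from the original post): audit a mongod.conf-style YAML
# fragment for the hardening points listed above. Both configuration texts are
# constructed for this example; the parser handles only the nested
# "key: value" mapping subset that mongod.conf normally uses.

WEAK_CONF = """\
# constructed sample mongod.conf with insecure settings
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
  javascriptEnabled: true
"""

HARDENED_CONF = """\
# constructed sample mongod.conf after hardening
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
  javascriptEnabled: false
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
"""


def parse_conf(text):
    """Parse the indentation-based mapping subset of YAML used by mongod.conf."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # climb back out to the mapping this line belongs to
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def lookup(conf, dotted, default=None):
    """Fetch a nested key such as 'security.authorization'."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    bind_ip = lookup(conf, "net.bindIp", "")
    # net.bindIpAll: true has the same effect as binding 0.0.0.0
    if "0.0.0.0" in bind_ip.split(",") or lookup(conf, "net.bindIpAll") == "true":
        findings.append("net.bindIp exposes mongod on all interfaces")
    if lookup(conf, "security.authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    # mongod enables server-side JavaScript unless told otherwise
    if lookup(conf, "security.javascriptEnabled", "true") != "false":
        findings.append("server-side JavaScript is enabled")
    if lookup(conf, "net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode does not require TLS")
    if lookup(conf, "auditLog.destination") is None:
        findings.append("auditLog is not configured (Enterprise feature)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_conf(text)) or "no findings")
```

Run it against a real /etc/mongod.conf by reading the file into parse_conf; the checks are deliberately strict (TLS required, not merely preferred), so a finding is a prompt to review rather than an automatic failure.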

II. How would you secure a PostgreSQL database?

  1. Authentication and access control: Use pg_hba.conf to define connection rules, specifying allowed hosts, users and authentication methods. Enforce strong passwords or use certificate-based authentication.
  2. Encrypt data:
  • In-transit: Use TLS/SSL to encrypt connections between the client and the database.
  • At-rest: Use tools like transparent data encryption (TDE) or disk-level encryption.
  3. Least privilege access: Create separate roles for different applications or users. Assign permissions at the schema or table level using GRANT statements.
  4. Secure configurations: Disable unused features like trust authentication and remote connections unless required. Restrict access to the postgresql.conf and pg_hba.conf files.
  5. Logging and auditing: Enable logging of failed and successful connection attempts. Use pgaudit for detailed query-level auditing.
  6. Regular updates and patching: Stay updated with the latest PostgreSQL releases to address known vulnerabilities.
  7. Backup security: Encrypt backups and store them securely. Test recovery procedures regularly.

III. What are the 6 aggregate functions of SQL?

Aggregate functions in SQL perform calculations on a set of rows and return a single value. The six main aggregate functions are:

  1. COUNT():
  • Counts the number of rows in a dataset.
  • Example: SELECT COUNT(*) FROM employees;
  2. SUM():
  • Calculates the total sum of a numeric column.
  • Example: SELECT SUM(salary) FROM employees;
  3. AVG():
  • Computes the average value of a numeric column.
  • Example: SELECT AVG(salary) FROM employees;
  4. MIN():
  • Returns the smallest value in a column.
  • Example: SELECT MIN(salary) FROM employees;
  5. MAX():
  • Returns the largest value in a column.
  • Example: SELECT MAX(salary) FROM employees;
  6. GROUP_CONCAT() (or STRING_AGG() in Postgres):
  • Concatenates values in a group into a single string.
  • Example: SELECT STRING_AGG(name, ', ') FROM employees;

Aggregate functions are commonly used with GROUP BY to compute values for specific groups.
Example: SELECT department, COUNT(*) AS total_employees, AVG(salary) AS avg_salary FROM employees GROUP BY department;

This query provides a breakdown of employee counts and average salaries by department.
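To see the six functions and the GROUP BY query actually run, here is an added example (not from the original post) that uses Python's built-in sqlite3 module with a constructed employees table. SQLite spells the string aggregate GROUP_CONCAT(); the other five are the same as above. The per-department query takes its headcount threshold through a bound parameter rather than string formatting, which is the habit that keeps such queries out of the injection bucket listed later on this page.

```python
# Added example (not from the original post): run the six SQL aggregates and
# the GROUP BY breakdown against a constructed in-memory SQLite table.
import sqlite3

# constructed sample rows: (name, department, salary)
EMPLOYEES = [
    ("Ana", "Engineering", 120000),
    ("Ben", "Engineering", 100000),
    ("Cai", "Finance", 90000),
    ("Dee", "Finance", 80000),
    ("Eli", "HR", 70000),
]


def make_db():
    """Create the employees table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, department TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def company_totals(conn):
    """All six aggregates over the whole table, returned as one dict."""
    row = conn.execute("""
        SELECT COUNT(*), SUM(salary), AVG(salary), MIN(salary), MAX(salary),
               GROUP_CONCAT(name, ', ')   -- STRING_AGG(name, ', ') in Postgres
        FROM employees
    """).fetchone()
    # note: the order of names inside GROUP_CONCAT is not guaranteed by SQL
    return dict(zip(["count", "sum", "avg", "min", "max", "names"], row))


def by_department(conn, min_headcount=1):
    """The GROUP BY breakdown; HAVING filters groups after aggregation.

    min_headcount is passed as a bound parameter (the ? placeholder), never
    pasted into the SQL text.
    """
    return conn.execute("""
        SELECT department, COUNT(*) AS total_employees, AVG(salary) AS avg_salary
        FROM employees
        GROUP BY department
        HAVING COUNT(*) >= ?
        ORDER BY department
    """, (min_headcount,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(company_totals(db))
    for dept, n, avg in by_department(db):
        print(f"{dept:12} {n:2} {avg:10.1f}")
```

With the sample rows, the company-wide query returns count 5, sum 460000, average 92000, min 70000 and max 120000, and the GROUP BY query returns one row each for Engineering, Finance and HR.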

IV. What is Role-Based Access Control (RBAC) and Why is it Covered by Compliance Frameworks?

Role-Based Access Control (RBAC) restricts access to systems and data based on a user’s role within the organization.

How It Works:

  • Roles are defined based on job functions (e.g., HR, IT, Finance).
  • Permissions are assigned to roles, not individuals.
  • Users are assigned roles, inheriting associated permissions.

Benefits:

  • Simplifies user management.
  • Enforces least privilege access.
  • Reduces the risk of insider threats.

Compliance Framework Coverage:

  • SOC 2: Requires RBAC to prevent unauthorized data access.
  • ISO 27001: Enforces access control policies and periodic reviews.
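The three "How It Works" bullets are a data structure, and the ISO 27001 periodic-review point is a report over it. The class below is an added example, not code from the original post or from any particular product: permissions attach only to roles, users receive roles, access is denied by default, and access_review() lists every user's effective permissions for a reviewer. Role and permission names are constructed for the example.

```python
# Added example (not from the original post): minimal role-based access
# control with deny-by-default checks and an access-review report.
from collections import defaultdict


class RBAC:
    """Permissions attach to roles; users receive roles and inherit permissions."""

    def __init__(self):
        self.role_permissions = defaultdict(set)   # role -> {permission}
        self.user_roles = defaultdict(set)         # user -> {role}

    def grant(self, role, *permissions):
        """Attach permissions to a role (the only place permissions are given)."""
        self.role_permissions[role].update(permissions)

    def assign(self, user, *roles):
        """Give a user one or more roles; unknown roles are rejected."""
        for role in roles:
            if role not in self.role_permissions:
                raise ValueError(f"unknown role: {role}")
            self.user_roles[user].add(role)

    def revoke_role(self, user, role):
        """Remove a role from a user; their permissions shrink immediately."""
        self.user_roles[user].discard(role)

    def effective_permissions(self, user):
        """Union of the permissions of every role the user holds."""
        roles = self.user_roles.get(user, ())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user, permission):
        """Deny by default: a user with no roles has no permissions."""
        return permission in self.effective_permissions(user)

    def access_review(self):
        """Every user's effective permissions, for periodic entitlement review."""
        return {u: sorted(self.effective_permissions(u)) for u in sorted(self.user_roles)}


def build_demo():
    """Constructed roles and assignments for the example."""
    rbac = RBAC()
    rbac.grant("hr", "payroll:read", "employee:read")
    rbac.grant("finance", "payroll:read", "ledger:write")
    rbac.grant("it", "server:admin")
    rbac.assign("alice", "hr")
    rbac.assign("bob", "finance", "it")
    return rbac


if __name__ == "__main__":
    demo = build_demo()
    for user, perms in demo.access_review().items():
        print(user, perms)
```

Keeping grant() as the only path to a permission is what makes the review report trustworthy: there is no per-user exception to miss, and removing a role removes everything that came with it.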

V. What Are Web Server Vulnerabilities and How to Prevent Web Server Attacks?

Common Vulnerabilities:

  1. Default Configurations: Expose sensitive directories or settings.
  2. Injection Attacks: SQL or command injection through unsanitized inputs.
  3. Cross-Site Scripting (XSS): Execution of malicious scripts in user browsers.
  4. Denial of Service (DoS): Overloading the server to disrupt operations.
  5. Weak Authentication: Use of default or weak passwords.

Prevention Methods:

  1. Regularly patch and update server software.
  2. Enforce secure configurations and disable unnecessary features.
  3. Use WAFs to block malicious requests.
  4. Encrypt communications using HTTPS.

VI. Preferred Method of Giving Remote Employees Access to the Company Network

VPN (Virtual Private Network): Provides secure access to internal resources.

  • Weaknesses:
    1. Vulnerable to credential theft if MFA is not used.
    2. Exposed endpoints if users connect from compromised devices.
  • Mitigation: Use zero-trust principles and enforce endpoint security.

VII. Tests to Identify Network Security Flaws

  1. Vulnerability Scanning: Use tools like Nessus or OpenVAS to identify vulnerabilities.
  2. Penetration Testing: Simulate attacks to evaluate defenses.
  3. Network Mapping: Identify open ports and exposed services using Nmap.
  4. Password Cracking: Test for weak credentials using tools like Hydra.
