14 posts, Page 1 of 2
A Welcome Intruder
Steve Jones - SSC Editor
Posted Thursday, December 01, 2011 9:40 PM
Comments posted to this topic are about the item "A Welcome Intruder".
Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #1215110
SQLRNNR
Posted Thursday, December 01, 2011 9:43 PM
I have participated in penetration testing on occasion helping to penetrate and test security. It's fun and scary at the same time. Always take the findings and report them up the chain of command.
Jason
AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server 2008
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1215113
LutzM
Posted Thursday, December 01, 2011 11:41 PM
I've participated in intrusion/penetration tests, too.
We thought we were in good shape until the person we got in to perform the test found a piece of software on our system which had silently installed SQL2000 as a back end with a login and pwd widely spread across the internet. Even worse, this login had privileges to run xp_cmdshell and could not be altered.
Within a few seconds he had his own login on the system with admin privileges. He asked us if he should escalate to domain admin privileges...
That stuff was way beyond just being scary. Consequence: a few days later the software in question got upgraded to a SQL2005 backend with locked-down privileges.
The positive parts about it: every approach to break into our system from the outside failed (and I expect that guy tried more than just the "simple ways"...). And we've learned how to look for such holes and close them.
Lutz
A pessimist is an optimist with experience.
How to get fast answers to your question
How to post performance related questions
Links for Tally Table, Cross Tabs and Dynamic Cross Tabs, Delimited Split Function
Post #1215144
mpa
Posted Friday, December 02, 2011 12:42 AM
We have an external company doing security audits on all external facing systems every three months. Sure, it's canned tests with some manual follow up on potential holes, but it's better than nothing, and they've certainly helped us close several holes in security - including SQL injection on some VERY old web sites. New exploits pop up all the time so it's important to do regular testing I think.
A couple of times we've also had a consultant "attack" some very important websites, to ensure that no one could get to restricted information.
Post #1215175
majorbloodnock
Posted Friday, December 02, 2011 3:13 AM
I certainly do perform various tests on our application, database and infrastructure security, but I only see that as the first layer. I'm not a security expert, so my coding, my administration and my testing can only find issues to a certain level. That's good as a means for ensuring we're consistently following best practice, and it's an effective first pass. However, for many of our applications - and particularly anything public-facing - we follow up that first pass with something more rigorous from true experts in that field.
As has been said many a time before, security is a matter of layers. In my opinion, so should the testing be.
Semper in excretia, sumus solum profundum variat
Post #1215227
GSquared
Posted Friday, December 02, 2011 6:43 AM
PCI compliance (https://www.pcisecuritystandards.org/) requires periodic scanning by a third party for common/known security issues. We don't store any credit card information, but we still have to get the scans done for compliance purposes. It's essentially penetration testing.
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #1215311
Steve Jones - SSC Editor
Posted Friday, December 02, 2011 7:08 AM
GSquared (12/2/2011)
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
Good for you. A few others were not as lucky.
Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #1215334
IMHO
Posted Friday, December 02, 2011 7:18 AM
The easiest way to penetrate a system is to have the password. As long as there are phones out there with rootkits capturing URLs and keystrokes, none of our systems are truly secure.
Post #1215341
richj-826679
Posted Friday, December 02, 2011 7:39 AM
IMHO (12/2/2011)
The easiest way to penetrate a system is to have the password. As long as there are phones out there with rootkits capturing URLs and keystrokes, none of our systems are truly secure.
No need to have such technical expertise. Social means, like calling users feigning that you're from IT and requesting user/pwd info is frighteningly effective.
On the flipside, it's also very effective for SAs and DBAs to have automated scanners check your logs every few minutes for errors, like, oh, I don't know, login failures. If anything, it allows me to continue putting down "DB monitoring" into my timesheet without being questioned after catching the penetration testers.
Rich
Post #1215354
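Rich's point above, that a scheduled scan of the logs for login failures catches both penetration testers and real attackers, is the kind of check a DBA can script. The block below is an added example, not code from this thread or from any poster: it parses the "Login failed for user ..." lines SQL Server writes to its error log for error 18456 (the format used by SQL Server 2008 and later), then applies a sliding-window count per client address so that a burst of failures from one host raises an alert while a single mistyped password does not. The log lines, the threshold of 5 failures, the 5-minute window and the client addresses are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the line SQL Server 2008+ writes to its error log after error 18456.
# The "Reason:" clause is optional because older builds omit it.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>[^\[]*?))?\s*\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)

# Constructed sample of an error log: one stray failure from a reporting host,
# then a burst of six failures from a single client in under three seconds.
SAMPLE_LOG = [
    "2011-12-02 07:30:01.00 spid7s      Starting up database 'master'.",
    "2011-12-02 07:31:10.12 Logon       Error: 18456, Severity: 14, State: 8.",
    "2011-12-02 07:31:10.12 Logon       Login failed for user 'reporting_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.20]",
    "2011-12-02 07:35:00.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2011-12-02 07:35:00.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2011-12-02 07:35:01.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2011-12-02 07:35:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    "2011-12-02 07:35:02.11 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]",
    "2011-12-02 07:35:02.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
]


def parse_failed_logins(lines):
    """Return one dict per 'Login failed' line; all other log lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "reason": (m.group("reason") or "").strip(),
            "client": m.group("client"),
        })
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per client address.

    Emits one alert per client, the first time it reaches `threshold`
    failures inside `window`, so a scheduled run does not re-alert every pass.
    """
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["client"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["client"] not in alerted:
            alerted.add(ev["client"])
            alerts.append({"client": ev["client"], "count": len(q), "last": ev["ts"]})
    return alerts


def users_per_client(events):
    """Distinct login names tried from each client; many names from one host
    is the signature of a spray rather than a forgotten password."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["client"]].add(ev["user"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    for a in detect_failed_login_bursts(evs):
        print(f"ALERT {a['client']}: {a['count']} failures, last at {a['last']}, "
              f"logins tried: {sorted(users_per_client(evs)[a['client']])}")
```

On a live instance the same parser can be fed the output of xp_readerrorlog or the error log file itself; the window and threshold should be tuned to the instance's normal failure rate, since an application with a stale connection string can produce a steady trickle of 18456 errors that is noise rather than an attack.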
jay-h
Posted Friday, December 02, 2011 8:23 AM
Steve Jones - SSC Editor (12/2/2011)
GSquared (12/2/2011)
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
Good for you. A few others were not as lucky.
I'm not sure how anyone would actually know they were unsuccessfully attacked by Anonymous. There are plenty of wannabes out there. The only real way to tell is if the attacker is actually unmasked and investigated.
...
-- FORTRAN manual for Xerox Computers --
Post #1215396
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.