SQL Server Security: Why Security Is Important
K. Brian Kelley
Posted Sunday, July 13, 2003 12:00 AM
Comments posted to this topic are about the content posted at
http://www.sqlservercentral.com/columnists/bkelley/sqlserversecuritywhysecurityisimportant.asp
K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #14122
Frank Kalis
Posted Thursday, July 31, 2003 5:42 AM
Hi Brian,
very good research work!
What I like is your fine, yet true distinction between hackers and crackers.
From my point of view, a hacker has no malicious intent, but wants to show his ability to do it, while a cracker starts with this malicious intent.
As you've mentioned http://www.sqlsecurity.com, the slogan on their homepage has become one of my all-time favorites.
"There is no 'patch' for stupidity."
But not so long ago, somewhere I've read that attacks on Windows systems have begun to decline, while attacks on *nix systems are growing in number. Hope I find the link again, so I can post.
Cheers,
Frank
P.S.: Is the link to the 'Lifecycle' book valid?
Edited by - a5xo3z1 on 07/31/2003 05:44:10 AM
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
Post #70386
K. Brian Kelley
Posted Thursday, July 31, 2003 6:39 AM
The old link just recently died. The new link doesn't paste correctly into the forum.
I'll see about doing some sort of redirect myself from my web site.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
Edited by - bkelley on 07/31/2003 06:45:06 AM
Post #70387
Steve Jones - SSC Editor
Posted Thursday, July 31, 2003 10:57 AM
Excellent case for patching systems. It's amazing to me that people still don't take this seriously. I'm struggling with hundreds of MSDE installations that have sa/blank hardcoded into the app.
Why?
The developers didn't think it was a big deal.
Steve Jones
sjones@sqlservercentral.com
http://www.sqlservercentral.com/columnists/sjones
www.dkranch.net
Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #70388
Steve Jones - SSC Editor
Posted Thursday, July 31, 2003 10:58 AM
One more note:
Commentary: People, process secure the enterprise
By Forrester Research
Special to CNET News.com
July 31, 2003, 4:30 AM PT
Michael Rasmussen, Director, Forrester Research
Last week, Microsoft and Cisco Systems announced two major vulnerabilities.
Organizations need an action plan to respond to vulnerabilities and exposures, and should not rely on products alone for protection.
This is a people and process problem that works with technology. The Microsoft vulnerability is a significant exposure into every operating system running the NT code base from NT to 2003.
The Cisco vulnerability is an exposure that can crash every router. Both can be devastating to enterprises if used by the miscreants of the world. Additionally, we have seen exploit code in the wild for both. Jumping on the bandwagon, as usual, are myriad security vendors claiming they have the solution to protect the enterprise.
Vendor claims are far-fetched and provide a false sense of security. No vendor today resolves these vulnerabilities, except Microsoft and Cisco with the patches they implement. Security vendor solutions may hold back the evil hordes of hackers should they come knocking, but the deviant will break through given enough time and motive.
The only true answer is to patch systems. Organizations should focus on the process and policy portion of security as much or more than the technology aspect. Do not put blind trust into security vendor claims of protection, rather, honestly evaluate how the product works and the time it potentially buys you.
Develop a patch management process based on business risk so the critical business applications and support systems (e.g., network, desktop) are expedited and patched in accordance with the risk the organization faces.
Post #70389
Copyright © 2002-2012 Simple Talk Publishing. All Rights Reserved.