More Data Security Issues
Posted Saturday, June 22, 2013 2:45 PM


SSC-Dedicated
Group: Administrators
Comments posted to this topic are about the item More Data Security Issues






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1466488
Posted Tuesday, June 25, 2013 1:33 AM
SSCrazy
Group: General Forum Members
It's a sad fact that a percentage of any population will be morally challenged.

Another percentage will be opportunistic. If you had a piece of software and a licence key, would you install it on your home kit? How about an illicit MP3, CD or DVD? For those of you who are legitimately outraged and indignant at the aspersion, you are in a worryingly small minority.

Then there is the behaviour that manifests when a relationship breaks down.

Years back I did a module on employee relations and a story (hopefully an urban legend/myth) was told about a dispute at a steel works. Apparently cyanide is routinely used in some processes and because of the dangers involved flasks of a liquid to counteract the effects of cyanide poisoning were within easy reach.

In the event of cyanide poisoning speed is of the essence, so the idea was that the liquid was drunk, but the inevitable consequence was that the human body would expel whatever it could by whatever method it could, via every pore and orifice it could. During an acrimonious industrial dispute, management learnt to fear the coffee urn, canteen food and the drinking fountain.


LinkedIn Profile
Newbie on www.simple-talk.com
Post #1467013
Posted Tuesday, June 25, 2013 6:45 AM
SSChasing Mays
Group: General Forum Members
There has been a large decline in ethical leadership worldwide and a growing lack of loyalty towards employees and citizens. Considering this environment, it's pretty much a given that theft and breaches will happen. It doesn't help that our government discourages accountability and massively funds data theft.

The problem with encryption and other measures is that people are lazy and management doesn't want to spend money on tools and training. When a large percentage of the technical professionals I've met don't even understand the basics of PKI and topics of that ilk, it's evident that the industry as a whole is only paying lip service to security and is cargo-culting on a minimal, as-needed basis.
Post #1467103
Posted Tuesday, June 25, 2013 7:55 AM
SSC Veteran
Group: General Forum Members
I'd be interested to know what the main motivation is for insider data breaches. Is it random vandalism, retaliation, greed, a sense that something the company is doing is wrong and needs to be exposed? Something else?
I would also like to know how much data is secured that doesn't really need to be secured. I've met many people who seem to have a fixation on securing things that don't really need to be. Some DBAs tend to have a warrior mentality when there may not be any actual war.
Post #1467159
Posted Tuesday, June 25, 2013 7:58 AM
SSC-Dedicated
Group: Administrators
IMHO (6/25/2013)
I'd be interested to know what the main motivation is for insider data breaches. Is it random vandalism, retaliation, greed, a sense that something the company is doing is wrong and needs to be exposed. Something else?
I would also like to know how much data is secured that doesn't really need to be secured. I've met many people who seem to have a fixation on securing things that don't really need to be. Some DBAs tend to have a warrior mentality when there may not be any actual war.


I doubt it's one thing. In the restaurant business, we'd see lots of inside issues, and it ranged from vandalism (throwing things away) to theft/greed (stealing money or alcohol), but the latter might be because someone needs money (not making enough), or they feel entitled (they're not paying me enough) to fun (my friends and I want free drinks).

Post #1467162
Posted Tuesday, June 25, 2013 8:43 AM
SSCommitted
Group: General Forum Members
By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database?
All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.
Post #1467203
Posted Tuesday, June 25, 2013 10:16 AM
SSCertifiable
Group: General Forum Members
Eric M Russell (6/25/2013)
By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database?
All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.


This is another cost of the departmental Access/Excel application.

Also a cost of the lack of ethics in business from top to bottom. I particularly see people being forced (or pressured is probably more fair) to stay longer than both necessary to perform their job and longer than agreed (by employment contract). This results in people using some of their time at their desks for their own purposes, if only training.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1467268
Posted Tuesday, June 25, 2013 10:44 AM
SSCommitted
Group: General Forum Members
Gary Varga (6/25/2013)
Eric M Russell (6/25/2013)
By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database?
All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.


This is another cost of the departmental Access/Excel application.

Also a cost of the lack of ethics in business from top to bottom. I particularly see people being forced (or pressured is probably more fair) to stay longer than both necessary to perform their job and longer than agreed (by employment contract). This results in people using some of their time at their desks for their own purposes, if only training.

It's late in the evening, an employee is disgruntled about being asked to work overtime, and they have an open query window with SELECT permission on every table in the database, if not full sysadmin privileges. It's a bad scenario, and employee training won't fix it. It's management and sysadmins who need to be trained on how to avoid this.
Post #1467287
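The scenario in the post above, an individual with SELECT on every table or full sysadmin rights, is easy to find before it becomes an incident. The T-SQL below is an added example, not from any post in this thread; it is read-only and runs against any SQL Server 2008 or later instance. The database name OrdersDb is an assumption.

```sql
-- Added example (not from the original posts): inventory the principals that fit
-- "SELECT on every table, if not full sysadmin". Read-only. OrdersDb is an assumed name.

-- Server level: members of the all-powerful fixed roles, plus anyone granted CONTROL SERVER
-- directly (sysadmin in all but name, and it never appears in role membership).
SELECT m.name AS login_name, m.type_desc, r.name AS held_via
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
UNION ALL
SELECT sp.name, sp.type_desc, 'CONTROL SERVER'
FROM sys.server_permissions pe
JOIN sys.server_principals sp ON sp.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'CONTROL SERVER' AND pe.state IN ('G', 'W')
ORDER BY held_via, login_name;
GO

USE OrdersDb;
GO
-- Database level: db_owner/db_datareader/db_datawriter membership, plus SELECT granted at
-- database or schema scope, which covers every current and future table underneath it.
SELECT m.name AS principal_name, m.type_desc, r.name AS held_via
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_datareader', 'db_datawriter')
UNION ALL
SELECT dp.name, dp.type_desc,
       CASE pe.class_desc
            WHEN 'DATABASE' THEN 'SELECT on whole database'
            ELSE 'SELECT on schema ' + SCHEMA_NAME(pe.major_id)
       END
FROM sys.database_permissions pe
JOIN sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'SELECT'
  AND pe.state IN ('G', 'W')
  AND pe.class_desc IN ('DATABASE', 'SCHEMA')
ORDER BY held_via, principal_name;
GO

-- Map database users back to the logins that can open a query window with them.
-- A person (or a Windows group full of people) rather than a service account
-- holding db_datareader is the finding. Membership of a Windows group is resolved
-- by the domain, not by SQL Server, so groups need a second look in AD.
SELECT dp.name AS db_user, sp.name AS login_name, sp.type_desc
FROM sys.database_principals dp
JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')        -- SQL user, Windows user, Windows group
  AND dp.name NOT IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA');
```

Run the first batch once per instance and the second per database; the rows that name a human account under db_owner, db_datareader or a schema-wide SELECT are the ones to revoke or replace with an application path.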
Posted Tuesday, June 25, 2013 1:22 PM
SSC-Addicted
Group: General Forum Members
I agree that developers need to get better at using proper techniques.

That said, companies are the real root cause of poor software. The opposition to allowing time to code, test and validate is the largest issue. I know a lot of developers that WANT TO write better code, but are not allowed to.


Dave
Post #1467342
Posted Tuesday, June 25, 2013 2:52 PM
SSCommitted
Group: General Forum Members
djackson 22568 (6/25/2013)
I agree that developers need to get better at using proper techniques.

That said, companies are the real root cause of poor software. The opposition to allowing time to code, test and validate is the largest issue. I know a lot of developers that WANT TO write better code, but are not allowed to.

Developers may be members of DBO or even SYSADMIN when they log in to the development database using their domain account. They need that for creating tables, procedures, etc. However, when unit testing or performing QA, they should log in using a separate account that has the same name and least privileges as the application account (should have) in production. If testing is not done under a least-privilege account like this, then many organizations will punt and grant full DBO or SYSADMIN rights to the application account.
Post #1467388
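The two ideas above, one service account per security role with users reaching data only through the application (post #1467203), and testing under an account with exactly the application account's permissions rather than as dbo (post #1467388), fit in one script. The following is an added example and is not code from any post in this thread. The database OrdersDb, the login svc_orders_reader, the api schema, the audit name and the audit file path are all assumptions; the SQL login with a placeholder password stands in for what would normally be a domain account.

```sql
-- Added example (not from the original posts). OrdersDb, svc_orders_reader, api,
-- DataAccessAudit and C:\SqlAudit\ are assumed names. Requires SQL Server 2012+ (THROW).
USE master;
GO
CREATE DATABASE OrdersDb;
GO
-- One login per security role, not per person. In production this would be a domain
-- account (CREATE LOGIN [DOMAIN\svc_orders_reader] FROM WINDOWS); a SQL login with a
-- placeholder password keeps the script stand-alone.
CREATE LOGIN svc_orders_reader WITH PASSWORD = 'Replace-With-Vault-Managed-Secret-1!';
GO
USE OrdersDb;
GO
CREATE TABLE dbo.Orders
(
    OrderId    int   PRIMARY KEY,
    CustomerId int   NOT NULL,
    OrderDate  date  NOT NULL,
    Total      money NOT NULL
);
INSERT dbo.Orders VALUES (1, 42, '2013-06-25', 19.99);   -- constructed sample row
GO
CREATE ROLE orders_reader AUTHORIZATION dbo;
CREATE USER svc_orders_reader FOR LOGIN svc_orders_reader;
ALTER ROLE orders_reader ADD MEMBER svc_orders_reader;
GO
-- The application's whole surface lives in one schema, so a single GRANT covers it.
CREATE SCHEMA api AUTHORIZATION dbo;
GO
CREATE PROCEDURE api.GetOrder @OrderId int
AS
BEGIN
    SET NOCOUNT ON;
    -- dbo owns both the procedure and the table, so ownership chaining lets the caller
    -- reach dbo.Orders through here without holding any permission on the table.
    SELECT OrderId, CustomerId, OrderDate, Total
    FROM dbo.Orders
    WHERE OrderId = @OrderId;
END;
GO
GRANT EXECUTE ON SCHEMA::api TO orders_reader;   -- and nothing on dbo tables
GO
-- Auditing: record who touched dbo.Orders and which api procedures were run.
USE master;
GO
CREATE SERVER AUDIT DataAccessAudit
    TO FILE (FILEPATH = 'C:\SqlAudit\')      -- assumed; the directory must exist
    WITH (ON_FAILURE = FAIL_OPERATION);      -- if it cannot be logged, it does not happen
ALTER SERVER AUDIT DataAccessAudit WITH (STATE = ON);
GO
USE OrdersDb;
GO
CREATE DATABASE AUDIT SPECIFICATION OrdersAccessSpec
    FOR SERVER AUDIT DataAccessAudit
    ADD (SELECT ON OBJECT::dbo.Orders BY public),
    ADD (EXECUTE ON SCHEMA::api BY public)
    WITH (STATE = ON);
GO
-- QA step: run the test as the application account, not as dbo or sysadmin.
EXECUTE AS USER = 'svc_orders_reader';
    SELECT entity_name, permission_name           -- effective rights of this account
    FROM sys.fn_my_permissions(NULL, 'DATABASE');
    EXEC api.GetOrder @OrderId = 1;               -- supported path: must work
    BEGIN TRY
        SELECT TOP (1) OrderId FROM dbo.Orders;   -- direct access: must fail
        THROW 50000, 'FAIL: application account can read dbo.Orders directly', 1;
    END TRY
    BEGIN CATCH
        IF ERROR_NUMBER() = 229                   -- "The SELECT permission was denied"
            PRINT 'PASS: direct SELECT denied for svc_orders_reader';
        ELSE THROW;
    END CATCH;
REVERT;
GO
-- Read the trail.
SELECT event_time, server_principal_name, database_principal_name,
       action_id, object_name, statement
FROM sys.fn_get_audit_file('C:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

The EXECUTE AS block is the part that replaces "test as dbo and hope": the developer keeps their own privileged login for DDL, but the test runs with the service account's effective permissions and fails loudly if the application account can bypass the procedure layer. ON_FAILURE = FAIL_OPERATION is the deliberate trade-off for a table worth auditing: a full audit disk stops access rather than letting it go unrecorded.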