Cyberwar

Posted Saturday, November 9, 2013 11:35 AM
Comments posted to this topic are about the item Cyberwar

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1512920
Posted Monday, November 11, 2013 1:39 AM
I fully agree...and although I am in the UK I am not a Cyber Commando...just a software engineer

For too long has there been no entry barrier into IT and no driver for proper company-led training. Maybe if this was only the case for front end developers then appropriately qualified/trained/experienced application, enterprise and database developers as well as DBAs and infrastructure engineers could ensure that, at the very least, the corporate technical backbone and back office systems would be less vulnerable.

Will we know that the level of aggression has reached a certain threshold when one's own government forces a free market to enforce these standards? Will they claim that this is for professionalism reasons whereas others might believe that they are protecting the economy of the state?


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1513025
Posted Monday, November 11, 2013 4:03 AM
Yes and No

While I do think you should have a walled off area, I am strongly of the opinion that every organisation should have a fully open pool database / test environment open to absolutely everyone as well; this allows the talented to teach themselves and make mistakes.

Only then will you be able to develop the staff to a level where they have both technical competency of database management skills and the perspective of understanding the data.

I have seen too many companies that bunker the SQL Server knowledge and access, resulting in the IT department having a lack of perspective on the tasks required by operations and operations having a lack of understanding of things like primary keys, audit trails, etc. This is also a recipe for Excel hell, where operations start developing whole processes in Excel.

I think we need to encourage DevOps - it's really in everyone's interest.
Post #1513058
Posted Monday, November 11, 2013 4:41 AM
I know of various companies that have lost data. And I know more who turn a blind eye to everything because it will never happen/we trust our staff/etc.

Best one I have heard is third party suppliers saying it's not their responsibility to secure the database. Yet it is their code, their security, their incompetence that allows anyone to hack the system. Pity the Information Commissioner in the UK doesn't give any guidance on this.
Post #1513074
Posted Monday, November 11, 2013 6:10 AM
There is plenty of guidance. There are plenty of opportunities to gain and develop the correct skills. What is lacking are suitable commercial pressures to ensure that the appropriate effort is authorised to be put into quality secure development. Without a governance directive, similar to Sarbanes-Oxley (SOX) if only in the resultant shift in emphasis to open and accurate financial reporting, there will be no change.

I am not looking to dissect and analyse SOX, only use it as an example of regulatory driven improvements. (...and, yes, it does have its flaws and detractors [like the ones who will ignore that I have pleaded this not to turn into a review of the effects of SOX].)


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1513111
Posted Monday, November 11, 2013 8:06 AM
You are very correct about teaching. I do believe there is a place for a very simple bit of code to explain how to do something. However, those should be limited in scope. For example, VB Script help contains a lot of examples on how to use the File System Object. An example with 3-4 lines of code restricted to just what is minimally required to get it working, can be helpful to someone using it for the first time. Any larger examples, for instance an entire script, would be better off filled with correct coding practices. Every class I have ever taken uses only the simplest code, no error checking, no security, nothing. I can see showing a short example to introduce the class to a function, but actually the class would benefit by having real world examples including best practices for security.

I have to point out something you said that I do not believe is reflective of reality. Not only has China been attacking us for quite a while, including stealing data from JPL back under Clinton, but they are doing so much that a recent honey pot was found and attacked by them within days. Our "allies" have been hacking our infrastructure for years as well, including France, Germany and others. Britain may be "formally" announcing their plans, but don't believe for a second that they have not been engaged in this for quite a while. Countries have hacked into our corporate databases and provided information to companies in their own countries in order to gain an advantage.

The only thing "new" is that people are starting to talk about it a bit more. I don't want to get into a debate about right or wrong, or which side is doing what. The fact is that our leaders have known about these risks for quite a while, and have decided to ignore the attacks. Our corporate leaders don't want to spend the money. Google is a great example as they just decided to start encrypting data between their data centers due to hacking attempts (quite successful ones) by our own government! They knew of the risks when they chose the path they went down, and only now are they doing anything because they are concerned about a loss of business.

Good coding practices are a necessity. Unfortunately it is far too late to start. By the time any country or corporation fixes things, they will have already suffered loss in some form.


Dave
Post #1513151
Posted Monday, November 11, 2013 8:35 AM
djackson 22568 (11/11/2013)
...Unfortunately it is far too late to start...


Ignoring the US bias (well, almost), statements like this are not helpful. It is too late to start on time, but unless a journey is started the destination will never be reached. A late resolution is still a resolution and, therefore, better than no resolution.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1513162
Posted Monday, November 11, 2013 9:02 AM
Interesting article - not bad overall, though it again conflated stored procedures with parameterization, and completely missed not giving the service account admin permissions.

Password security wasn't mentioned (and given the Adobe breach, it's clearly still a critical area) - suffice it to say, use PBKDF2/PKCS#5/RFC2898 with tens of thousands of iterations total, or bcrypt or scrypt with the equivalent.

I have to agree with the posters above - the #1 problem I really see is that it is very difficult to get anywhere close to less-insecure code if you're learning and using any kind of normal sources (classes, books, Internet searches, forums), because even the top quartile of normal sources stop cold at "it compiles and it runs (de minimis)". Try a search on how to use AES encryption in .NET - even setting aside the articles that simply break functionally, you'll almost always see hardcoded salt/nonce and IV (Initialization Vector) values, which are a major security problem, and often you'll see ECB mode (another major security problem - see Adobe).

It's difficult enough to learn to write maintainable or robust or efficient code, given the examples prevalent in almost all sources - adding secure on top of that is almost impossible unless you look very specifically for secure code... and you can judge the bad articles.

Testing security is also much more difficult than any other coding tests. Testing correctness - well, if you knew what it's supposed to do, you've got your first set of test cases. Testing efficiency - code it three to five different ways, and measure that. Testing maintainability - try to pretend you haven't seen anything about it for 5 years, or show it to any other developer/DBA. Testing security - first you have to know all the attack types, then you have to recognize them, then you have to be able to duplicate them as a test condition...

I do like SQLServerCentral, though - the articles vary, the ratings vary, but the discussions on the articles are very often extremely useful and high quality, pointing out mistakes, oversights, improvements, and alternatives.
Post #1513172
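Two of the points in the post above, in runnable form. This is an added example, not code from the thread or from any poster: sqlite3 (Python stdlib) stands in for SQL Server, the user rows are constructed sample data, and the 200,000 PBKDF2 iteration count is an assumption to be tuned against your own hardware budget. The first half shows why "uses a stored procedure" and "is parameterized" are not the same claim: a query assembled by string concatenation is injectable whether it sits in application code or inside a procedure that runs `EXEC` on the concatenated string; only binding the input as a parameter (`sp_executesql` with parameters on SQL Server, `?` placeholders here) fixes it. The second half is the password-storage advice from the post (PBKDF2 / RFC 2898) with a random per-user salt, a stored iteration count and a constant-time comparison.

```python
"""Added example (not from the SQLServerCentral thread).

1. Parameterization, not the mere use of a stored procedure, is what stops
   SQL injection.  sqlite3 stands in for SQL Server here.
2. Password storage with PBKDF2-HMAC-SHA256 (RFC 2898 / PKCS #5): random
   per-user salt, high iteration count, constant-time verification.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumption: raise as hardware gets faster
SALT_BYTES = 16


def make_db() -> sqlite3.Connection:
    """Constructed sample data; names and addresses are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Concatenation: the caller's input becomes part of the SQL text.  A T-SQL
    # procedure doing EXEC('SELECT ... WHERE name = ''' + @name + '''') has
    # exactly the same flaw; wrapping it in a procedure changes nothing.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the input is bound as a value and cannot alter the
    # shape of the statement (sp_executesql with @params on SQL Server).
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Storing the algorithm, iteration count and salt with the hash lets the
    # iteration count be raised later without invalidating old records.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, payload))  # both rows leak
    print("safe:  ", lookup_safe(conn, payload))    # []
    record = hash_password("correct horse")
    print(record)
    print(verify_password(record, "correct horse"), verify_password(record, "wrong"))
```

Running the block prints both user rows for the unsafe lookup and an empty list for the parameterized one given the same input, then a self-describing PBKDF2 record that verifies only against the original password. Note what the stored record does not contain: the password, and nothing shared between users, since each salt is drawn fresh from `os.urandom`.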
Posted Monday, November 11, 2013 9:11 AM
Gary Varga (11/11/2013)
djackson 22568 (11/11/2013)
...Unfortunately it is far too late to start...


Ignoring the US bias (well, almost), statements like this are not helpful. It is too late to start on time, but unless a journey is started the destination will never be reached. A late resolution is still a resolution and, therefore, better than no resolution.


Well, I apologize for my inadvertent wording. I am having difficulty putting my thoughts to words.

We clearly need to start. However, I think it is important to note that probably all countries, and probably most companies, have already suffered some loss. Few are expending any resources to fix things due to the method used to weigh the costs versus the benefits.

As to a late resolution being better than none, I disagree in some cases. But the reason I disagree is because sometimes a late resolution is too late. Assume a company gets hacked and goes out of business. That they were weeks from deploying a fix is irrelevant. I understand that isn't what you are saying. I assume you mean starting late, as long as you finish prior to any catastrophic event, is better than not starting at all.

The difference between what I tried to say, and what you are presumably saying, is whether starting late is still starting in time to prevent major issues.

If I am saying things wrong, please don't take it as disagreeing with your points. I am not. I am trying to say that sometimes starting late means not finishing at all.

Not sure what you mean by US bias. Snowden clearly showed the US is going too far both internally and externally. However, other countries have been doing the same thing for a long time. I admit to bias against some countries, but certainly not GB.


Dave
Post #1513176
Posted Monday, November 11, 2013 9:38 AM
All coding aside, in many to most of our cases, the real question is:

What is the best business case to present to management on why the increased cost, lengthened timelines, increased developer skill requirements, increased testing, and other limitations secure coding entails are worthwhile, and to what degree?
Post #1513180