Expect an Attack
Steve Jones - SSC Editor, posted Tuesday, June 23, 2009 9:55 PM
Comments posted to this topic are about the item "Expect an Attack".
Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #740728
Greg Edwards-268690, posted Wednesday, June 24, 2009 6:36 AM
Steve -
Microsoft does keep people aware of some of the vectors. Note the Patch Tuesday every month.
They also publish some info, don't know if you've browsed these.
http://msdn.microsoft.com/en-us/practices/default.aspx
A couple of weeks ago there was a free online seminar (6 hours of a 5 day course) on Ethical Hacking.
Good overview and demonstrations of some of the techniques used.
http://www.nhmn.com/Courses/CrsSearchResults.aspx?ST=Q&S=false&T=hacking
A lot of information isn't published, or not published until after a fix is available.
Knowing how things work, and break, is part of being a good developer.
I like to see live demos, along with examples of how to fix the issue.
And they always impress that keeping current on patches is a big part of being safe.
Greg E
Post #740979
Manie Verster, posted Wednesday, June 24, 2009 7:24 AM
Steve, I must say that SQL Server's security is good. When I load logins I tick "Enforce password policy", and I have had users come to me many times complaining that they can't log in. When I check their logins I see that they have been locked out. I tested this and saw that after the third unsuccessful login the account is locked out. Now, I am not saying I will never be hacked, because I believe that a chain is only as strong as its weakest link.
Manie Verster
Developer
Johannesburg
South Africa
Life is about choices.... I choose to be happy today
Post #741015
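As an added illustration of the setting Manie describes (this is example T-SQL, not code from the post or from Microsoft): "Enforce password policy" in the SSMS login dialog is the CHECK_POLICY option, and the complexity and lockout rules it applies are inherited from the Windows account policy of the machine hosting SQL Server, which is where the lockout threshold is set. The login name and password below are placeholders.

```sql
-- Added example (not from the post). Login name and password are placeholders.
-- Create a SQL login with the host's Windows password policy enforced.
CREATE LOGIN [app_reader]
    WITH PASSWORD = 'PLACEHOLDER_Str0ng!Passw0rd',
         CHECK_POLICY = ON,       -- complexity and lockout come from the host's Windows policy
         CHECK_EXPIRATION = ON;   -- also enforce password expiration
GO

-- Switch enforcement on for an existing login that was created without it.
ALTER LOGIN [app_reader] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

-- Audit: which SQL logins still have policy enforcement switched off?
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- Diagnose a "cannot log in" complaint: lockout state and bad-password history.
SELECT
    LOGINPROPERTY('app_reader', 'IsLocked')         AS IsLocked,
    LOGINPROPERTY('app_reader', 'BadPasswordCount') AS BadPasswordCount,
    LOGINPROPERTY('app_reader', 'BadPasswordTime')  AS BadPasswordTime,
    LOGINPROPERTY('app_reader', 'LockoutTime')      AS LockoutTime;

-- Unlock without changing the password: toggle CHECK_POLICY off and back on.
ALTER LOGIN [app_reader] WITH CHECK_POLICY = OFF;
ALTER LOGIN [app_reader] WITH CHECK_POLICY = ON;

-- Or unlock while resetting the password (new password is a placeholder).
ALTER LOGIN [app_reader] WITH PASSWORD = 'PLACEHOLDER_N3w!Passw0rd' UNLOCK;
```

The audit query is the part worth scheduling: a login created by an installer or a script with CHECK_POLICY = OFF never locks out no matter how many failed attempts it sees, so the lockout Manie relies on only protects the logins where the flag is actually set.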
Carl Federl, posted Wednesday, June 24, 2009 10:08 AM
Just in today's news:
$9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.
http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story
SQL = Scarcely Qualifies as a Language
Post #741164
Steve Jones - SSC Editor, posted Wednesday, June 24, 2009 10:39 AM
Microsoft and others do publish information, but you have to dig for it. The biggest issue I see is that their sample apps are often cut down and don't always include great coding. That's not universal, and they have some good frameworks, but not all of them.
Any code they put out should be well written, not slapped together.
Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #741198
notquitexena, posted Wednesday, June 24, 2009 11:31 AM
Carl Federl (6/24/2009)
Just in today's news:
$9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.
http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story
SQL = Scarcely Qualifies as a Language
I love your tag line! I had not seen that before.
Post #741228
MattKent, posted Wednesday, June 24, 2009 11:40 AM
The way I see it, you should never rely on a vendor for security. Whether that is Microsoft or Barracuda, ultimately all vendors' systems can be hacked, so it is your responsibility to plan for the worst.
First, map your data flow. If your database isn't for your website, it should be isolated from the outside. VLANs are great for this; isolate your data to its own network that has no outside access. Even a web DB shouldn't have web access: your web application can request data from your DB network, but that should be the only thing able to connect to it. I know a lot of applications are primitively written and can only work within the local domain, but that really exposes that your application is badly written and probably has other security flaws.
Second, talk with your software developers. I did a data migration from D3 to SQL a few months back and the software developer wanted me to expose my SQL data port so he could easily connect to my DB. I nearly choked on my yogurt. A VPN obviously was the better option. Nonetheless, a lot of software developers will do questionable things because they don't want to disturb what they perceive as your business environment; in other words, they work around the problems. Ask your developer how their software works, and ask them what they think is the best method. Often they don't really know, but sometimes they do.
Third, patching is an ugly but necessary task. Schedule one Tuesday every month to test patches. I can't count the number of times that security patches have broken my apps, so you must set up a virtual environment and test those patches before you roll them out. You can't wait and say, "I will do it Friday or next week"; just set aside that one special Tuesday for testing all patches, M$ or other. Unless you are in the middle of a data recovery, you should have time.
Your biggest threat isn't the single hacker, it is the many. I see Chinese net cafes sniffing at my walls every day; while 99.9% of them are amateur script kiddies who couldn't crack a Flash app, that 0.1% is still pretty numerous. Look into multi-layered defenses. OpenDNS and similar services will help stem the flood, but then follow that up with a properly configured firewall. Don't trust your users, so filter outbound traffic as closely as you do inbound. Make sure the individual station is secure, and I don't mean installing anti-virus apps. If the anti-virus app is successful, you have failed at your job. If you can, lock down users' stations and require them to store everything on a central file server. You should be able to blow up a user's computer and restore them to a new one without them being able to notice the difference.
Post #741235
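MattKent's first point is that only the application tier should be able to reach the database network. The VLAN and firewall enforce that outside SQL Server, but you can verify it from inside the instance by comparing the client addresses that actually hold connections against the addresses you expect. The query below is an added example (not from the post); the allow-list addresses are placeholders for your own web servers, and it needs VIEW SERVER STATE.

```sql
-- Added example (not from the post): which client addresses are connected right now,
-- and do any of them fall outside the expected application tier?
-- The two addresses in @Allowed are placeholders for your web servers.
DECLARE @Allowed TABLE (client_net_address varchar(48) PRIMARY KEY);
INSERT INTO @Allowed VALUES ('10.0.1.10'), ('10.0.1.11');

SELECT
    c.client_net_address,
    s.login_name,
    s.host_name,
    s.program_name,
    c.net_transport,            -- Shared memory, Named pipe, TCP
    c.encrypt_option,           -- TRUE when the connection is encrypted
    COUNT(*) AS connections,
    CASE WHEN a.client_net_address IS NULL
          AND c.client_net_address NOT IN ('<local machine>', '<named pipe>')
         THEN 'UNEXPECTED'      -- remote address that is not on the allow-list
         ELSE 'ok' END AS verdict
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
LEFT JOIN @Allowed           AS a ON a.client_net_address = c.client_net_address
WHERE s.is_user_process = 1    -- skip SQL Server's own background sessions
GROUP BY c.client_net_address, s.login_name, s.host_name, s.program_name,
         c.net_transport, c.encrypt_option, a.client_net_address
ORDER BY verdict DESC, c.client_net_address;

-- Related check for the "expose the SQL port" conversation: what this
-- session's connection is listening on, and whether it is local or remote.
SELECT net_transport, local_net_address, local_tcp_port, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

The DMV only shows connections that exist at the moment you run it, so an "UNEXPECTED" row proves the isolation is leaking, but an empty result does not prove it is tight; for ongoing evidence, keep the firewall logs and enable login auditing on the instance as well.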
D Gillespie, posted Wednesday, June 24, 2009 5:12 PM
Great movie graphic Steve. At the time the movie had cutting edge technology but it really looks ancient now. Hack the Planet! Hack the Planet!
Post #741444
david_wendelken, posted Wednesday, June 24, 2009 6:37 PM
Books, articles, and forum examples are chock full of extremely insecure practices. Add comments warning about bad practices and point the readers to where they can find good examples to work from.
I'm a regular participant on www.asp.net and a huge percentage of the programmers who ask questions (and not a few who answer them) show that they have absolutely no awareness of sql injection attacks. Not what they are, not how they work, and most certainly how not to code to avoid them.
Much of this is due to the bad security practices in the sample code they learn from.
Post #741465
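Since the thread closes on the point that sample code teaches SQL injection by example without ever naming it, here is the pattern david_wendelken is describing, written both ways in T-SQL. This is an added example, not code from the post or from any of the sample apps mentioned; the table, columns and procedure names are placeholders.

```sql
-- Added example (not from the post). Table, columns and procedure names are placeholders.
CREATE TABLE dbo.Users (
    UserId   int IDENTITY PRIMARY KEY,
    UserName sysname        NOT NULL,
    Email    nvarchar(256)  NOT NULL
);
INSERT INTO dbo.Users (UserName, Email)
VALUES (N'alice', N'alice@example.invalid'), (N'o''brien', N'obrien@example.invalid');
GO

-- VULNERABLE (the pattern common in sample code): the caller's text is pasted into
-- the statement, so a quote character in @UserName ends the string literal and
-- whatever follows is parsed as SQL rather than as data.
CREATE PROCEDURE dbo.GetEmail_Unsafe @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Email FROM dbo.Users WHERE UserName = ''' + @UserName + N'''';
    EXEC (@sql);
END;
GO

-- SAFE: the value travels as a typed parameter and can never change the statement.
CREATE PROCEDURE dbo.GetEmail_Safe @UserName nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Email FROM dbo.Users WHERE UserName = @u;';
    EXEC sys.sp_executesql @sql, N'@u nvarchar(128)', @u = @UserName;
END;
GO

-- SIMPLEST: when nothing about the statement is dynamic, no dynamic SQL at all.
CREATE PROCEDURE dbo.GetEmail @UserName nvarchar(128)
AS
    SELECT Email FROM dbo.Users WHERE UserName = @UserName;
GO

-- Ordinary input looks identical in all three.
EXEC dbo.GetEmail_Unsafe N'alice';
EXEC dbo.GetEmail_Safe   N'alice';
EXEC dbo.GetEmail        N'alice';

-- A legitimate name containing a quote: the safe versions return the row;
-- the unsafe version fails with a syntax error because the literal was cut short.
EXEC dbo.GetEmail_Safe   N'o''brien';
EXEC dbo.GetEmail        N'o''brien';
EXEC dbo.GetEmail_Unsafe N'o''brien';

-- If an identifier (not a value) really must be dynamic, wrap it in QUOTENAME
-- and verify it exists; identifiers cannot be passed as sp_executesql parameters.
DECLARE @table sysname = N'Users';
IF OBJECT_ID(N'dbo.' + QUOTENAME(@table), N'U') IS NOT NULL
BEGIN
    DECLARE @q nvarchar(max) = N'SELECT COUNT(*) FROM dbo.' + QUOTENAME(@table) + N';';
    EXEC sys.sp_executesql @q;
END;
GO
```

The syntax error on the last unsafe call is the tell: any procedure that breaks on a name like O'Brien is concatenating user input into SQL, and the same defect is reachable by anyone who can type into that field. Reviewing samples for string-built SQL, and replacing it with parameters, is the concrete fix behind the "point readers to good examples" advice above.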
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.