SQLServerCentral Editorial

What Can You Do?


I've been looking over some of the recent data breach activity that's occurred in the world lately, and I'm a little sad. Almost as soon as I can read about an event and digest the way in which the attack occurred, there's another new breach. In fact, as I was starting this piece to write about the Patreon hack, I saw another release of data from T-Mobile, though because of an attack on Experian. I know I should be used to these, and expect they'll occur, but it seems that the level of security failure is reaching ridiculous levels.

We know that we have issues in our systems. There are always bugs, known or unknown, potential programming mistakes, SQL Injection flaws, and more. We can try to patch software and work on our issues, but that takes conscious effort and regular diligence to ensure that your organization is taking steps to secure its systems. It also takes buy-in from management to devote a portion of your time to security.

In the case of the Patreon hack, either developers installed debuggers on production systems, or operational personnel mistakenly deployed debuggers on production web servers. This opened a known vulnerability that security researchers notified Patreon about. I realize that five days' notice before the hack might not have been enough time to patch the systems, but would it have made a difference if it were 50, or even 500, days earlier?

I've seen lip service paid to security in many ways over my career, and there has been no shortage of cases where management or technical staff avoided securing their systems. Whether it was because of the fear of patches or the inclination to favor new features over security, I've seen vulnerable systems live for long periods of time in production environments.

As data professionals or developers, we can raise awareness and alerts about issues, but we can't necessarily make the decisions to patch systems. I hope we aren't liable, though I'd also hope that management and organizations would be liable if they do not take steps to remove vulnerabilities when they are made aware of them.

It's a sticky situation for many of us, and all I can do is recommend that if you report any issues to others, you always do so in writing first to limit your liability.
