The Tethered Goat

A few years ago, I developed a SQL Server database application that supported a web application. It was a huge database and quite a popular application that sadly no longer exists, because it didn't get the long-term funding. The reason I remember it so well now was that we built a good intrusion detection system to support it. We were able to detect every attempt at intrusion and examine the forensics in detail.

We were intrigued by the sort of attacks that could occur and, out of curiosity, created a 'tethered goat' database application to understand the predators out there (a tethered goat was once used as a lure to attract predators to where the hunter lay concealed).

This 'tethered goat' database, also known as a Honeypot, was deliberately left entirely detached from our intranet, with several vulnerabilities. We had a lot of fun with SQL Data Generator to create a database that was apparently full of personal information. We made it very plausible: I've since published some of the techniques we used. We introduced a great deal of logging and monitoring to examine what intruders did.

It brought home to us forcefully that it was a big bad world out there on the internet. There are a lot of systems out there probing for all sorts of potential vulnerabilities on public-facing servers, and it paid dividends to detect any attempt that penetrated the first line of defence. Even experienced developers can forget to nail down every potential vulnerability.

The 'tethered Goat' database was fascinating because we could follow intrusions through to table access. There is some clever but wasted talent out there. For us, it was a useful education to observe a range of attacks.

We adapted our nascent database application based on what we observed, and ended up with something so watertight that we could leave it running unattended for several years subsequently, without a hiccough. It is to my shame that before the production release, one clever attacker got through the second line of security but no further. He would have done had we not had an intrusion detection system that alerted us. Oops.

In the ten years since, I've been amazed that no company seems to have developed a database intrusion detection system that comes anywhere near the one that we devised to ensure the security of our system. If you're a data person and you haven't observed attempts to penetrate a database, it is well worth getting an opportunity to do so. It will give you a new and even greater respect for database and application security. It gave me an abiding interest in the topic.

Phil Factor

One Milly-yon IOPS - Database Weekly (Sept 1, 2008)

by Steve Jones

SQLServerCentral.com

Editorial

IBM is testing a new hardware disk array that vastly outperforms any current arrays. What does this mean for the database world?

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2008-09-01

227 reads

Discuss

Solid State Replacements - Database Weekly (August, 18, 2008)

by Steve Jones

SQLServerCentral.com

Editorial

New SSD (Solid State Device) hard drives are infiltrating enterprise servers more and more, but are they a good fit for database instances? Steve Jones comments a bit on some news from this past week.