
The Weakest Link

By Steve Jones

I noticed another data breach recently. This one was at PageUp, a firm that helps companies find employees. That means they hold lots of information, potentially including PII, and some of it might now be out there. Since they provide job sites for many other companies, you might have used them to apply for a job without realizing it. If you have used them, keep an eye out.

The company notes that no personal information was lost, though usernames and passwords were disclosed. These were salted values hashed with bcrypt, which is secure, but all such protection can be broken given time and effort. Some people see bcrypt as secure, but others disagree. However, the strength of bcrypt depends on how the hashing was set up (in particular the work factor chosen), and I wouldn't depend on it being foolproof. If you used a password to apply for a job that you also use on other sites, change it.

The bigger issue for me is near the end of the BBC piece. A bank notes that a third party supplier had a security issue, so that means they need to check their systems. To me this means one thing.

Their security depends on the security of their business partners.

Depending on the level of access and integration, this might mean that your security is compromised by a link much weaker than the weakest link in your internal environment. Or that your security depends on the weakest human link not only inside your organization, but also within your partners. Despite all the work you've done to increase the security of your systems, you might have other holes out there.

It doesn't appear this breach is as bad as originally thought, but the point is still valid. The more interconnected you are with partners, especially with shared access, the larger your attack surface. My takeaway is that I need to ensure a limited API and protected access with minimal privileges for any internal system that is connected to another network. Production-level security matters not only for public-facing systems, but also for those that are semi-private with business partner access.
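As an added illustration of that minimal-privilege point (example code, not part of the original editorial): a SQL Server setup where a partner integration account can reach the HR database only through one approved stored procedure, never the tables. The database, login, role and procedure names (HR, PartnerIntegration, PartnerApiRole, dbo.usp_GetOpenRequisitions, dbo.Candidates) are placeholders I'm assuming, and the procedure is assumed to already exist.

```sql
-- Added example (not from the original editorial). All names are assumed placeholders.
USE [master];
GO
-- Dedicated login for the partner integration; it gets no server-level roles at all.
CREATE LOGIN [PartnerIntegration]
    WITH PASSWORD = '<strong-generated-password>', CHECK_POLICY = ON;
GO
USE [HR];
GO
CREATE USER [PartnerIntegration] FOR LOGIN [PartnerIntegration];

-- A role that exposes a narrow stored-procedure API instead of table access.
CREATE ROLE [PartnerApiRole];
ALTER ROLE [PartnerApiRole] ADD MEMBER [PartnerIntegration];

-- The only permitted action is executing the approved procedure.
-- The procedure reads its tables via ownership chaining, so the caller never
-- needs SELECT on the underlying data.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOpenRequisitions TO [PartnerApiRole];

-- Explicit DENY on the schema: even if a broader GRANT is added later by mistake,
-- DENY takes precedence and the partner account still cannot read tables directly.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [PartnerApiRole];
GO

-- Verification: impersonate the account and inspect its effective permissions.
EXECUTE AS USER = 'PartnerIntegration';
-- Expect no rows: no direct access to the candidate table.
SELECT * FROM fn_my_permissions('dbo.Candidates', 'OBJECT');
-- Expect only EXECUTE on the approved procedure.
SELECT * FROM fn_my_permissions('dbo.usp_GetOpenRequisitions', 'OBJECT');
REVERT;
GO
```

Pair this with network-level restrictions (firewall rules or an allow-list of partner addresses) so the login is only usable from where the partner actually connects.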
