It's fun to just sit and talk with people; you never know what you'll learn or be forced to rethink based on a different viewpoint. During a recent conversation we somehow got around to security and went beyond the normal IT stuff to security in the real world. I mentioned that I take routine precautions as part of daily life; my front door is always locked and I lock car doors when I drive. My friend was astounded; he never locks his front door (and thus remains nameless here), which in turn astounded me. Why wouldn't you take a simple precaution?
Being security minded means that you are willing to invest some time and effort to protect against something that could happen, but isn't likely to happen. I work in an office with one other person that I definitely trust, but when I walk away from my desk my PC is locked. Why? If he goes out to lunch, gets distracted, etc, I don't want my machine exposed. I definitely don't want to leave my machine unlocked at night when the cleaning crew is in, so rather than special case locking, I just do it all the time.
A lot of people pooh-pooh the idea of things like door locks because they won't stop someone that is determined. True enough. But it's a little more complicated than that. Most criminals look for easy scores. If the bad teenager across the street realizes you don't lock your door, they are a lot more likely to venture over when they see you leave to see what they can find. Not likely, you say? Let's say a determined person decides to do a home invasion. If they have to break the front door while you're gone, it increases the chances that someone else will notice and call for help. If it happens when you're home, it gives you a precious few seconds that can determine whether you or the invader is about to have a very bad day.
Do a few seconds matter? At worst you have time to dial 911 or hit the panic button. If you've absorbed the ideas of defense in depth you may well gain some additional time that lets you make the fight or flight decision. I don't live in a fortress and I'd just as soon never have to react to a bad situation, but I do what I reasonably can to mitigate risks. We can't eliminate risks, only try to mitigate them. Whether you're protecting your home or your database, you should do the things you can do.
Is it preparation or paranoia? Does having to lock your front door imply that something bad might happen and that in turn generates stress? Is it about time, the time it takes to lock/unlock the door a couple times a day?
Remember that as much as possible security should be hidden. It's fine to let visitors to your office see the lock on the server room door, but don't tell them what you do (or don't) for encryption or your plan for offsite backup. Sure they might be able to figure it out one way or the other, but don't make it easy for them. Equally if you implement layers of defense for physical security, you want one or two that are hidden (and not published in your blog!).
Are you doing the things you can reasonably do?
Of course, I think it depends on your point of view. If you reasonably see there is no (or close to zero) risk, then maybe you can defend taking fewer precautions?
This was actually posted about a week ago; I fell behind a little during travelling. Building a Security Philosophy was written to get people to think about how they approach security. Do you give the proverbial Junior DBA only partial access? Do you believe in table access? Do you use the built-in roles?
I have opinions on the topic, but it's not clear that there are always right answers, and definitely some that are situational. Many of us have the philosophy that we acquired at the first job, or from the first manager or peer - at some point it's worth revisiting to decide if we still agree with those principles held for so long!
If you're not familiar with the term security by obscurity, it means to make something safe/secure by using a trick to hide the vulnerability rather than fixing it, or perhaps when "fixing" it just isn't possible. Over the years I've seen the value of running SQL on a non-standard port; threats drop to just about zero. On the other hand, I've never wanted to go to the extreme of renaming the administrator account or giving my service accounts names that look like "real" people.
This month's TechNet Magazine has a great article, The Great Debate: Security by Obscurity, and I encourage you to read it. They present both points of view well, and while there is no final all-encompassing right answer, this will make sure you understand the value - or lack of - in the various ways we might use obscurity. Hoping I can get my friend Brian Kelley to post some notes, as he is the most security minded guy I know in the SQL space.
There are many posts, including this one, about as many as 70,000 sites being hacked using SQL injection and a vulnerability in MDAC that was patched in Sep 2006. You can see what's still out there by searching Google for UC8010 and seeing it listed in the link title with a script tag. Definitely a good idea to make sure you're not listed!