Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Rant: Security Isn't Sexy and It's a Shame

I grew up immersed in security. My father was a US Marine and going on and off base meant... security. My father worked avionics, which meant I was also exposed to flightline security. On a Marine Air base, you will definitely see a base within a base with respect to security. That's a good thing. I then went off to college at The Citadel and guess what? More security. Security like barracks and campus lockdown if a rifle count came up wrong. Then into the US Air Force and once again, more security. It was in the USAF that I saw the real need for IT security.

We had a vendor working on an application which had its data in a Sybase database. This was when Sybase was still a major player. My management wasn't so sure that the application was being developed securely and the servers were properly protected. That application was to process orders on computer equipment. Some of the information would be considered sensitive, but not Secret. So while it was in development but about to go live, I was called into my major's office along with a hotshot senior airman. Our orders: hack the servers if we could. They wanted us to start after lunch.

Ten minutes into the penetration attempt, we had the database server. We broke in via the administrator account because it had a weak password. What were we doing the first 9.5 minutes? Trying to find Mountain Dew. Our management was less than pleased, but at least we had caught the issue before the system went live. The vendor was brought in and read the riot act. Of course, they couldn't deny we had been in, because we left a text file on the desktop of the Administrator account. It simply read, "Hacked by Lt Kelley and SrA Silva," if I remember right.

That event happened in the 1990s. It's ancient history in terms of IT security. Today the world is a lot more frightening place. Every day I see multiple reports of sensitive data being compromised. Hospitals. Financial institutions. Educational Facilities. The information gathered is useful for identity theft. It can be sold. And as a result, IT security has evolved from the days when you had to worry about rambuctious teenagers with too much time on their hands to now where we are facing the fact that organized crime groups are involved.  

Even with this realization, security still takes a back seat in most circles. None of us want our personal data in the hands of folks who will sell it off. We expect that the organizations in question should do the right thing and lock things down. We know better. Playstation Network, anyone? What about in our own organizations? How are we doing? Are we cooking security into our application design from the start? Are we actively working to build good security models for our databases? I think most of us would say, "Not like we should." And that's a shame.

I took a look at the PASS Summit offerings for this year and I think I found 3 security focused talks. Other than mine, I recognize the other two: Denny Cherry (blog | twitter) and Don Kiely. No new names in that field. I've kept an eye on a lot of the SQL Saturday sessions, too. Same deal. Just not a lot on the security side. And this worries me, especially as attacks continue to evolve and technology continues to become more complex. It really feels like everyone is saying security is important, but that it isn't, until it's breached. Then it's too late. That's a shame.

I've thought about how to make security more appealing. Far smarter folks than I have considered this, too. No real success on that front, I'm afraid to report. We know this because we continue to have poor security awareness, not just among end users, but also among developers and IT pros. Quite often, we find that it is the developers and IT pros using their knowledge to bypass security controls rather than setting the example and sticking by them. If we, the pros, don't consider it worth our time, why should they? And that's a shame, too.

 

Comments

Posted by patrick.townsend on 3 August 2011

Really good comments about the state of security in the SQL Server database area. A couple of things are interesting to me: 1) Microsoft partners are losing deals because they don't have a security focus and credible story to tell, and 2) Microsoft SQL Server EKM provides the hook that is needed to do security. Vendors like us are adding solutions into this mix, but it is still an uphill battle to get the message to partners and MVPs. Personally I think security and compliance are important pieces of the puzzle to move SQL Server market share in the right direction.

Posted by Lara Rubbelke on 3 August 2011

Personally - I think security is the MOST sexy part of SQL Server:-)  Thanks for raising the topic - I am in full agreement with you on every point.  

Posted by Tim Plas on 4 August 2011

I'm afraid it's the American way-- People typically won't spend the resources on something until AFTER it's a crisis, until they HAVE to do something about it. You'd think by now that something would have been major enough to grab people's attention. I don't know what it'll take; some major lawsuits? But so far even that seems to get cooked into just the cost of doing business. I dunno; you're right, but what's it going to take?

Posted by Rob Sullivan on 4 August 2011

I don't think the 500 people or so that have read this are the problem... it's the tens of thousands that are not.

I also find bothersome that most managers have a complete brain gap when it comes to the following notion:  If bad guys are easily and effectively able to automate attacks on your system, why is that you don't easily and effectively automate scanning of your code/app.

Posted by Kenny on 8 August 2011

Increased legal and financial liability would be the most effective change to improve software security. Bruce Schneier has been saying that for years now. But because there is no significant liability, it's actually arguably rational for everyone to give lip service to security (to signal that they 'care') without bothering to implement it, because customers aren't truly demanding it. It also doesn't help that security is a largely invisible feature.

Posted by K. Brian Kelley on 8 August 2011

Kenny, that gets to the point of my rant. We shouldn't be required by law to do what we know is right. If we would desire others to protect our data carefully, then we should do the same.

Posted by Long passwords for cut and paste! on 8 August 2011

Given the state of GPU brute forcing, for any passwords which are rarely used (sa, application passwords), is there any reason not to use an excessively long, completely random password, preferably with accented/extended ASCII characters?  Cut and paste it when you need it.  SQL Server accepts over a hundred characters!  

8 character passwords, however complex, are completely insufficient due to SQL Server's very old single-SHA1 hashing, even on 2008 R2.

Note that good security is very expensive to design and build, and also very expensive to test properly with simulated attacks, and impacts productivity and processes compared to "everyone uses the sa account" simplicity.  We should do it... but realize it's not free.

Then realize that in many corporate worlds, "not free" and "impacts productivity/deliverables/staffing levels" means "don't do that".  Unfortunate, but I agree with kenny; deliver monetary penalties, and then the risk/benefit assessment on the purely financial side looks different.

Leave a Comment

Please register or log in to leave a comment.