Badly Encrypted Databases

Steve Jones
SSC Guru

Group: Administrators
Points: 682150 Visits: 21588
Comments posted to this topic are about the item Badly Encrypted Databases

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
dsor
Mr or Mrs. 500

Group: General Forum Members
Points: 590 Visits: 816
Personally I would be more worried when a new query shows up, as opposed to similar queries being repeated. One solution to this could be banning ad-hoc queries completely and exposing everything through stored procedures. Security may not always be at odds with performance, but I think it is at odds with flexibility.
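One way to put the "stored procedures only" idea into practice in SQL Server, as an added T-SQL example that is not from this thread; the table, role and procedure names are assumed for illustration:

```sql
-- Added example: expose a table only through a narrow stored procedure so a
-- login that is compromised or misused cannot run SELECT * against the whole table.
-- dbo.Customer, app_reader and dbo.GetCustomerByAccount are illustrative names.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    AccountNo  CHAR(12)      NOT NULL UNIQUE,
    FullName   NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(256) NOT NULL
);
GO

-- The procedure answers one narrow question and caps the result size.
-- Because the procedure and the table share an owner (dbo), ownership chaining
-- lets the procedure read the table without the caller holding SELECT on it.
CREATE PROCEDURE dbo.GetCustomerByAccount
    @AccountNo CHAR(12)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT TOP (1) CustomerId, AccountNo, FullName, Email
    FROM dbo.Customer
    WHERE AccountNo = @AccountNo;
END;
GO

-- Role for the application: EXECUTE on the procedure, nothing on the table.
CREATE ROLE app_reader;
GRANT EXECUTE ON OBJECT::dbo.GetCustomerByAccount TO app_reader;
-- Explicit DENY so a later grant through another role cannot quietly reopen bulk reads.
DENY SELECT ON OBJECT::dbo.Customer TO app_reader;
GO

-- Check (run as a user who is a member of app_reader only):
--   SELECT * FROM dbo.Customer;                              -- error 229, SELECT permission denied
--   EXEC dbo.GetCustomerByAccount @AccountNo = 'ACC000000001'; -- still works, returns at most one row
-- Audit: list what the role can actually do on the table and the procedure.
SELECT permission_name, state_desc, OBJECT_NAME(major_id) AS object_name
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('app_reader');
```

Ad-hoc queries from that role fail at the permission check, so the rule is enforced by the engine rather than by convention in the application.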
roger.plowman
SSCrazy Eights

Group: General Forum Members
Points: 9865 Visits: 2039

The whole paradigm of security as currently envisioned is "not even wrong", the wonderful phrase by Dr. Pauli.

It should not be the job of company IT staff to design and implement security, to pile one pile of slop on top of another and hope there's enough crap to drown hackers.

The whole security issue needs to be redone, from the ground up. The companies who create OSes should be the ones creating solutions to the problems in their own code that let attackers through. It should be the database software creators that provide impenetrable security.

It should be, but it can't be, because the way software has been designed has always had security as a poor cousin, tossed a few crumbs when the PTB deign to think about it.

The current approach is broken. TDE is worthless: it's a performance hog, guarding the keys introduces yet another point of attack, and it only reduces (not eliminates) another attack vector.

Layered security is a good thing, don't get me wrong, but expecting every Tom, Dick, and Harry end-user/IT staffer to be security experts isn't just stupid, it's criminally negligent on the part of software vendors. As proven by the security apocalypse we find ourselves in.


Doug Bishoop
SSC-Enthusiastic

Group: General Forum Members
Points: 102 Visits: 65
Not a security guy, but I had to make a comment on the article. How about a better job of proofreading? When you have to re-read a sentence 3-4 times and guess what was trying to be said, it gets frustrating. The first time, you think, "Okay, we are all human and can make mistakes." The second time, you wonder, and the third time, you imagine maybe the article was put together while the author was sleeping.
"I think that security a series of layers, and as noted by the author of the blog,most criminals are lazy."
"We shouldn't be most clients to make large queries of all data in a table."
"Really at this point, we ought to have build in limitations of queries to ensure thatusers are exporting all data from a table."
