Expect an Attack
Steve Jones
Comments posted to this topic are about the item Expect an Attack

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Greg Edwards-268690
Steve -
Microsoft does keep people aware of some of the vectors. Note the Patch Tuesday every month. w00t
They also publish some info, don't know if you've browsed these.
http://msdn.microsoft.com/en-us/practices/default.aspx

A couple of weeks ago there was a free online seminar (6 hours of a 5 day course) on Ethical Hacking.
Good overview and demonstrations of some of the techniques used.
http://www.nhmn.com/Courses/CrsSearchResults.aspx?ST=Q&S=false&T=hacking

A lot of information isn't published, or not published until after a fix is available.
Knowing how things work, and break, is part of being a good developer.
I like to see live demos, along with examples of how to fix the issue.
And they always impress upon you that keeping current on patches is a big part of being safe.
Greg E
Manie Verster
Steve, I must say that SQL Server's security is good. When I load logins I tick "Enforce password policy" and I had users many times come to me complaining that they can't log in. When I check their logins I see that they have been locked out. I tested this and saw that after the third unsuccessful login the account is locked out. Now, I am not saying I will never be hacked because I believe that a chain is only as strong as its weakest link.;-)

:-P

Manie Verster
Developer
Johannesburg
South Africa

I can do all things through Christ who strengthens me. - Holy Bible
I am a man of fixed and unbending principles, the first of which is to be flexible at all times. - Everett McKinley Dirksen (Well, I am trying. - Manie Verster)
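The lockout behaviour Manie describes, as an added T-SQL example that is not from the original post. With CHECK_POLICY = ON, SQL Server applies the Windows password policy of the machine it runs on, so the number of failed attempts before lockout comes from the Windows Local Security Policy (or domain GPO), not from a SQL Server setting; the login name and password below are placeholders.

```sql
-- Added example (not from the thread). Login name and password are placeholders.

-- 1. Create a SQL login that inherits the host's Windows password policy
--    (complexity, lockout threshold and expiry all come from Windows).
CREATE LOGIN app_reader
    WITH PASSWORD       = 'Replace-With-A-Strong-Passphrase-1!',
         CHECK_POLICY     = ON,   -- complexity + lockout rules from Windows policy
         CHECK_EXPIRATION = ON;   -- password age / expiry rules from Windows policy
GO

-- 2. Which SQL logins have the policy enforced, and who is locked out right now?
SELECT  name,
        is_policy_checked,
        is_expiration_checked,
        LOGINPROPERTY(name, 'IsLocked')         AS is_locked,
        LOGINPROPERTY(name, 'LockoutTime')      AS lockout_time,
        LOGINPROPERTY(name, 'BadPasswordCount') AS bad_password_count,
        LOGINPROPERTY(name, 'BadPasswordTime')  AS last_bad_password,
        LOGINPROPERTY(name, 'IsExpired')        AS is_expired
FROM    sys.sql_logins
WHERE   name NOT LIKE '##%'            -- skip the internal certificate-based logins
ORDER BY is_locked DESC, name;
GO

-- 3a. Unlock and reset the password in one statement (UNLOCK requires PASSWORD).
ALTER LOGIN app_reader
    WITH PASSWORD = 'Another-Strong-Passphrase-2!' UNLOCK;
GO

-- 3b. Unlock WITHOUT changing the password: toggle the policy off and back on.
--     (Needed when password-history rules would reject re-supplying the old one.)
ALTER LOGIN app_reader WITH CHECK_POLICY = OFF;
ALTER LOGIN app_reader WITH CHECK_POLICY = ON;
GO

-- 4. See who has been hammering the login. Failed logins reach the SQL Server
--    error log when login auditing is set to "Failed logins only" or "Both"
--    (Server Properties > Security). xp_readerrorlog is undocumented but widely used:
--    args are (log number, 1 = SQL log, search string 1, search string 2).
EXEC sys.xp_readerrorlog 0, 1, N'Login failed', N'app_reader';
GO
```

The lockout counter is per-login and is reset by a successful login; the query in step 2 is the quick way to tell a locked-out user from one who has simply forgotten the password.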
Carl Federl
Just in today's news:
$9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.


http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story

SQL = Scarcely Qualifies as a Language
Steve Jones
Microsoft and others do publish information, but you have to dig for it. The biggest issue I see is that their sample apps are often cut down, and don't always include great coding. That's not universal, and they have some good frameworks, but not all of them.

Any code they put out should be well written, not slapped together.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
notquitexena
Carl Federl (6/24/2009)
Just in today's news:
$9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.


http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story

SQL = Scarcely Qualifies as a Language


I love your tag line! I had not seen that before.
MattKent
The way I see it, you should never rely on a vendor for security. Whether that is Microsoft or Barracuda, ultimately all vendors' systems can be hacked, so it is your responsibility to plan for the worst.

First, map your data flow. If your database isn't for your website, it should be isolated from the outside. VLANs are great for this; isolate your data to its own network that has no outside access. Even a web db shouldn't have web access; your web application can request data from your db network, but that should be the only thing able to connect to it. I know a lot of applications are primitively written and can only work within the local domain, but that really exposes that your application is badly written and probably has other security flaws.

Second, talk with your software developers. I did a data migration from D3 to SQL a few months back and the software developer wanted me to expose my sql data port, so he could easily connect to my DB. I nearly choked on my yogurt. A VPN obviously was the better option. Nonetheless, a lot of software developers will do questionable things because they don't want to disturb what they perceive as your business environment, in other words, they work around the problems. Ask your developer how their software works, and ask them what they think is the best method. Often they don't really know, but sometimes they do.

Third, patching is an ugly but necessary task. Schedule one Tuesday every month to test patches. I can't count the number of times that security patches have broken my apps, so you must set up a virtual environment and test those patches before you roll them out. You can't wait and say, "I will do it Friday or next week"; just set aside that one special Tuesday for testing all patches, M$ or other. Unless you are in the middle of a data recovery, you should have time.

Your biggest threat isn't the single hacker, it is the many. I see Chinese net cafes sniffing at my walls every day; while 99.9% of them are amateur script kiddies who couldn't crack a flash app, that .1% is still pretty numerous. Look into multi-layered defenses. OpenDNS and similar services will help stem the flood, but then follow that up with a properly configured firewall. Don't trust your users, so filter outbound traffic as closely as you do inbound. Make sure the individual station is secure, and I don't mean installing anti-virus apps. If the anti-virus app is successful, you have failed at your job. If you can, lock down users' stations and require them to store everything on a central file server. You should be able to blow up the user's computer and restore them to a new one, without them being able to notice the difference.
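A database-side check that backs up MattKent's point that only the web tier should be able to reach the database, as an added T-SQL example that is not from the original post. The VLAN or firewall is the primary control; the logon trigger below is a second layer that also catches someone reusing the application's credentials from a desktop. The login name 'web_app' and the 10.0.2.x addresses are hypothetical. A logon trigger runs on every connection attempt, so try it on a non-production instance first and know the way back in if it misfires: the Dedicated Administrator Connection (sqlcmd -A) bypasses logon triggers, and from there you can DISABLE TRIGGER ... ON ALL SERVER.

```sql
-- Added example (not from the thread). 'web_app' and the addresses are placeholders.

-- 1. Audit first: who is connected right now, from where, and with what program?
--    Anything here that is not a web server or a DBA workstation is a finding.
SELECT  s.login_name,
        s.host_name,
        s.program_name,
        c.client_net_address,
        c.net_transport,
        c.encrypt_option
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE   s.is_user_process = 1
ORDER BY c.client_net_address, s.login_name;
GO

-- 2. Enforce: the application login may only connect from the web servers.
--    Only the app account is constrained; admin logins are left alone so a
--    mistake here cannot lock the DBAs out.
CREATE TRIGGER trg_restrict_web_app_source
ON ALL SERVER
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() = N'web_app'
    BEGIN
        -- EVENTDATA() carries the connecting client's address
        -- ('<local machine>' for shared-memory connections on the host itself).
        DECLARE @client_host nvarchar(50) =
            EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(50)');

        IF @client_host NOT IN (N'10.0.2.10', N'10.0.2.11')   -- the web servers
        BEGIN
            -- ROLLBACK inside a logon trigger refuses the connection; SQL Server
            -- records "Logon failed ... due to trigger execution" in the error log.
            ROLLBACK;
        END
    END
END;
GO

-- 3. Escape hatch, from a DAC session (sqlcmd -S <server> -A), if the trigger
--    ever blocks legitimate traffic:
-- DISABLE TRIGGER trg_restrict_web_app_source ON ALL SERVER;
```

Pair this with the network control rather than instead of it: the trigger only fires once a TCP connection has already reached the instance, so it is a tripwire and a second fence, not a substitute for keeping port 1433 off any network the outside world can reach.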
D Gillespie
Great movie graphic Steve. At the time the movie had cutting edge technology but it really looks ancient now. Hack the Planet! Hack the Planet! :-P

Smooooth
david_wendelken
Books, articles, and forum examples are chock full of extremely insecure practices. Add comments warning about bad practices and point the readers to where they can find good examples to work from.

I'm a regular participant on www.asp.net and a huge percentage of the programmers who ask questions (and not a few who answer them) show that they have absolutely no awareness of SQL injection attacks. Not what they are, not how they work, and most certainly not how to code to avoid them.

Much of this is due to the bad security practices in the sample code they learn from.
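The SQL injection pattern david_wendelken is describing, shown as an added T-SQL example that is not from the thread or from www.asp.net: a stored procedure that builds its statement by string concatenation, the one input that subverts it, and the parameterized form that does not. The table, procedures and sample rows are constructed for the example.

```sql
-- Added example (not from the thread). Table, procedures and rows are constructed.
CREATE TABLE dbo.Customers (
    id         int IDENTITY PRIMARY KEY,
    name       nvarchar(100) NOT NULL,
    card_last4 char(4)       NOT NULL
);
INSERT dbo.Customers (name, card_last4) VALUES (N'Alice', '1234'), (N'Bob', '9876');
GO

-- VULNERABLE: the caller's text is pasted straight into the statement, so a
-- quote character in the input changes the query's structure. Do not copy this.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT id, name, card_last4 FROM dbo.Customers WHERE name = ''' + @name + N'''';
    EXEC (@sql);
END;
GO

-- SAFE: the statement text is fixed; the value travels as a typed parameter
-- and is never parsed as SQL, whatever characters it contains.
CREATE PROCEDURE dbo.FindCustomer_Safe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT id, name, card_last4 FROM dbo.Customers WHERE name = @p_name';
    EXEC sys.sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @name;
END;
GO

-- Ordinary input behaves the same in both:
EXEC dbo.FindCustomer_Unsafe N'Alice';   -- 1 row
EXEC dbo.FindCustomer_Safe   N'Alice';   -- 1 row

-- Hostile input: a closing quote, a tautology, and a comment marker that
-- swallows the procedure's own trailing quote. The literal value is  x' OR 1=1 --
DECLARE @attack nvarchar(100) = N'x'' OR 1=1 --';
EXEC dbo.FindCustomer_Unsafe @attack;    -- every row, every card_last4
EXEC dbo.FindCustomer_Safe   @attack;    -- 0 rows: nobody is literally named that
GO

-- Least privilege limits the damage when a bug does slip through: the
-- application login gets EXECUTE on the procedures, not SELECT on the tables,
-- so an injected statement has nothing else to read.
CREATE ROLE app_role;
GRANT EXECUTE ON dbo.FindCustomer_Safe TO app_role;
GO
```

The same rule applies in the calling code: in ADO.NET, put the @p_name placeholder in the command text and supply the value through SqlCommand.Parameters (or call the safe procedure with CommandType.StoredProcedure); never build the command string with the user's input in it. Escaping with QUOTENAME(@name, '''') also stops this particular input, but parameters work for every type and every input, so they are the habit worth teaching in sample code.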