Global Insecurities
Steve Jones
Comments posted to this topic are about the item Global Insecurities

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
SQLRNNR
Now if only the vendors would agree to use the information.


That would be great. It would be great if on the occasions that vendors do publish something, they would take the time to update it. I have seen several BP documents by vendors that were flat wrong. When they are given the information about these inaccuracies, they need to also do something with that.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

call.copse
It would not seem hard on the face of it to keep a decent company edited wiki or something with up-to date references to best practices for use on each specific supported version of whatever software.

As a cynic though I would never make the mistake of underestimating the natural laziness of the developer or indeed the human in general. Documentation is exposure after all. I don't exclude myself from this condition either sadly.
Gary Varga
Quite simply, installations should encourage best practice by default and, possibly, allow insecure configurations only through users' deliberate selections. Unattended installations should be secure as well.

This would ensure that releases can modify installation programs with current best practices.

This, of course, doesn't override the need for public vendor-highlighted, internal or 3rd-party documentation.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
David.Poole
I think that vendors should react faster when a vulnerability is identified. Putting it on the some-time-maybe-never inclusion in the next release simply isn't good enough.

Similarly it would be great to see commercial software relying on a database showing evidence that it has had a thorough going over by a professional DBA. There are a number of systems with flashy front-ends and/or even relatively bug free code but rely on elevated privileges in the database.

One thing I have come to realise is that if you see a DB with weak design then it will be fronted by code with a weak design.

Where a single individual is responsible for a product then you can put it down to individual lack of knowledge. Where it is a team that produces a product then it is more likely to be a systemic attitude within the organisation.

My principles for attempting to design a secure database are as follows:-

  • Look to minimize the attack surface area

  • Make sure that functional interaction with the database is tightly defined, not open ended

  • Make sure the audience for each function is tightly defined

  • Do not abdicate responsibility for security to the n-tiers above the DB. Security is a war of attrition. Every layer of security will lose a proportion of hackers even if it is through loss of interest rather than lack of competence

  • Don't use default settings (including TCP/UDP ports) or accounts

  • Isolate the stuff you want to keep secure, don't keep it in the same schema, preferably not the same DB and even go as far as to have a specific server. If it is that important to you then it is worth the cost.


LinkedIn Profile

Newbie on www.simple-talk.com
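The isolation and "tightly defined interaction" principles from the post above, as an added T-SQL example (not code from the thread or any poster): sensitive data lives in its own schema, the application role holds no table permissions, and the only path to the data is a stored procedure with a fixed input and output. Schema, table, role and user names are placeholders; the syntax assumes SQL Server 2012 or later.

```sql
-- Constructed example, not code from the thread: keep sensitive data in its own
-- schema and expose it only through stored procedures granted to a narrow role.
-- Schema, table, role and user names are placeholders.

CREATE SCHEMA Secure AUTHORIZATION dbo;
GO

CREATE TABLE Secure.PatientRecord
(
    PatientId int           NOT NULL PRIMARY KEY,
    FullName  nvarchar(200) NOT NULL,
    Diagnosis nvarchar(max) NULL
);
GO

-- The application connects as a member of AppRole, which holds no table
-- permissions at all; it can only run what is explicitly granted below.
CREATE ROLE AppRole;
CREATE USER app_user WITHOUT LOGIN;   -- WITHOUT LOGIN so the script runs stand-alone
ALTER ROLE AppRole ADD MEMBER app_user;
GO

-- One tightly defined interaction: fixed input, fixed output, nothing open-ended.
-- Because the procedure and the table share an owner (dbo), ownership chaining
-- lets the procedure read the table although AppRole has no SELECT on it.
CREATE PROCEDURE Secure.GetDiagnosis
    @PatientId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Diagnosis
    FROM   Secure.PatientRecord
    WHERE  PatientId = @PatientId;
END;
GO

GRANT EXECUTE ON OBJECT::Secure.GetDiagnosis TO AppRole;
GO

-- Check the application's effective rights: direct SELECT on the table versus
-- EXECUTE on the procedure, evaluated while impersonating the application user.
EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME('Secure.PatientRecord', 'OBJECT', 'SELECT')  AS CanReadTable,
       HAS_PERMS_BY_NAME('Secure.GetDiagnosis',  'OBJECT', 'EXECUTE') AS CanCallProc;
EXEC Secure.GetDiagnosis @PatientId = 1;
REVERT;
```

Adding a second table to the schema changes nothing for the application until a procedure over it is written and granted, which is the point: the audience for each function stays explicit.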
TravisDBA
If your password to anything on a computer is your name or is "password" then you deserve to be hacked IMHO. I mean this is kind of a no brainer. :-D

"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
djackson 22568
Great posts so far. My issue is with major corporations that refuse to even acknowledge that they use default accounts and passwords that EVERYONE knows! I can go to any hospital that uses (vendor name redacted) software and be in and viewing PHI within minutes. I am pretty sure all medical software companies do things this way, we have quite a few. These are the companies that are currently under attack from the government, and if they aren't doing anything, I shudder about how bad it must be in other industries.

Dave
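A DBA-side audit for the problems raised in the two posts above (passwords equal to the login name or "password", default accounts, default port), as an added T-SQL example that is not code from the thread or any poster. It uses the documented PWDCOMPARE function and sys.sql_logins; run it as a sysadmin against your own instance. The blank-password check is an addition not mentioned in the posts.

```sql
-- Constructed example, not code from the thread: audit one SQL Server instance for
-- default accounts, default port and trivially guessable SQL login passwords.
-- Requires sysadmin; PWDCOMPARE and sys.sql_logins are documented SQL Server features.

-- 1. The built-in sa login (SID 0x01) should be disabled, or at least renamed.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- 2. Enabled SQL logins whose password matches a trivial value.
--    PWDCOMPARE returns 1 when the clear-text value matches the stored hash,
--    so no password is ever decrypted or displayed.
SELECT l.name, g.Reason
FROM   sys.sql_logins AS l
CROSS APPLY
(
    SELECT 'password equals login name' AS Reason WHERE PWDCOMPARE(l.name, l.password_hash) = 1
    UNION ALL
    SELECT 'password is "password"'               WHERE PWDCOMPARE('password', l.password_hash) = 1
    UNION ALL
    SELECT 'password is blank'                    WHERE PWDCOMPARE('', l.password_hash) = 1
) AS g
WHERE l.is_disabled = 0;

-- 3. Port the current connection arrived on; 1433 is the default the thread
--    recommends changing. NULL means the session came in over shared memory,
--    so connect over TCP to get a meaningful answer.
SELECT local_tcp_port
FROM   sys.dm_exec_connections
WHERE  session_id = @@SPID;
```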
Miles Neale
djackson 22568 (1/14/2013)
I can go to any hospital that uses (vendor name redacted) software and be in and viewing PHI within minutes.


Do you mean to say that you could go but have not ever really gone?

Not all gray hairs are Dinosaurs!
djackson 22568
Miles Neale (1/14/2013)
djackson 22568 (1/14/2013)
I can go to any hospital that uses (vendor name redacted) software and be in and viewing PHI within minutes.


Do you mean to say that you could go but have not ever really gone?


Um, yeah, that would violate HIPAA! I am not the kind of person to do that. There are a lot of people who would, though.

Worse is that it is pretty easy to find out which hospital uses which vendor's products, then to identify the default user name and passwords. Recently the news had a story about a hospital that had their database encrypted with ransomware, Steve may have even posted about that. Vendors make it too easy.

Dave