SQL Server Security: Why Security Is Important

  • Comments posted to this topic are about the item SQL Server Security: Why Security Is Important

    K. Brian Kelley

  • Hi Brian,

    very good research work!

    What I like is your fine, yet true distinction between hackers and crackers

    From my point of view, a hacker has not malicious intent, but wants to show his ability to do it, while a cracker starts with this malicious intent.

    As you've mentioned http://www.sqlsecurity.com , the slogan on their homepage has become you of my all time favorites.

    "There is no 'patch' for stupidity."

    But not so long ago, somewhere I've read, that attacks on windows system have begun to decline, while attacks on *nix systems are growing in number. Hope I find the link again, so I can post



    P.S.: Is the link to the 'Lifecycle' book valid ???

    Edited by - a5xo3z1 on 07/31/2003 05:44:10 AM

    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/[/url]

  • The old link just recently died. The new link doesn't paste correctly into the forum. 🙁 I'll see about doing some sort of redirect myself from my web site.

    K. Brian Kelley


    Author: Start to Finish Guide to SQL Server Performance Monitoring


    Edited by - bkelley on 07/31/2003 06:45:06 AM

    K. Brian Kelley

  • Excellent case for patching systems. It's amazing to me that people still don't take this seriously. I'm struggling with hundreds of MSDE installations that have sa/blank hardcoded into the app.


    The developers didn't think it was a big deal.

    Steve Jones




  • One more note:

    Commentary: People, process secure the enterprise

    By Forrester Research

    Special to CNET News.com

    July 31, 2003, 4:30 AM PT

    Michael Rasmussen, Director, Forrester Research

    Last week, Microsoft and Cisco Systems announced two major vulnerabilities.

    Organizations need an action plan to respond to vulnerabilities and exposures, and should not rely on products alone for protection.

    This is a people and process problem that works with technology. The Microsoft vulnerability is a significant exposure into every operating system running the NT code base from NT to 2003.

    Related story

    Security pros talk,

    but can they walk?

    A new national policy and

    months of Microsoft initiative

    haven't shown a significant

    improvement in security.

    The Cisco vulnerability is an exposure that can crash every router. Both can be devastating to enterprises if used by the miscreants of the world. Additionally, we have seen exploit code in the wild for both. Jumping on the bandwagon, as usual, are myriad security vendors claiming they have the solution to protect the enterprise.

    Vendor claims are far-fetched and provide a false sense of security. No vendor today resolves these vulnerabilities, except Microsoft and Cisco with the patches they implement. Security vendor solutions may hold back the evil hordes of hackers should they come knocking, but the deviant will break through given enough time and motive.

    The only true answer is to patch systems. Organizations should focus on the process and policy portion of security as much or more than the technology aspect. Do not put blind trust into security vendor claims of protection, rather, honestly evaluate how the product works and the time it potentially buys you.

    Develop a patch management process based on business risk so the critical business applications and support systems (e.g., network, desktop) are expedited and patched in accordance with the risk the organization faces.

    Steve Jones




Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply