The Fallacy of Internal Access Only

In the wake of Shellshock, I’ve seen some vendor advisories indicate that while their product is vulnerable, it is only through the management interface, and everything is okay because, if best practices have been followed, the management interface has not been exposed to the Internet.

No, everything is not okay. If best practices have been followed, then management interfaces have been locked down to particular IP addresses and not all internal IPs. However, this is still not a guarantee that everything is okay.

With the prevalence of phishing attacks used to get a foot inside the network, and the relative success of those attacks, you can expect an attack from the inside at some point. Gone are the days when we honestly felt we could keep the bad guys out. Now we know they will get in, and it’s a matter of detection and remediation. The faster the better. The game has changed from keeping them out to keeping them from getting anything useful. Since that’s the way the game is being played now, responses like what I’ve been seeing are worrisome. They show that the vendors in question don’t understand the change in the game.


Four Things PASS gets Right

PASS has taken a lot of heat recently. A few folks have pointed out that you only seem to hear when people are upset at PASS about something. So here’s my take on what PASS has done correctly.

The Summit

The Summit is a premier conference for SQL Server professionals. How do I know? Watch all the griping when speaker announcements are made. A lot of folks want to speak at the conference because they perceive it to have a lot of value. A lot of folks attend the conference because they perceive it to have a lot of value. A lot of value + financially affordable to PASS = premier conference.

Virtual Chapters

Virtual Chapters are awesome. Look at how many there are and how much FREE training they provide to the community. Yes, they are staffed by volunteers, however, they are still under the PASS umbrella.

Chapter Tools

First, there’s the free web hosting. It’s been around for a while. Yes, it’s DotNetNuke, but the templates are simple and workable for a chapter.

Second, there is the automated mailing. This allows a chapter leader to get the news out without having to go to MailChimp or some other resource. Also, as folks sign up at the chapter website, they are automatically added to the distro list. Easy all around.

Third, PASS has built the integrated events module. You set up the event details under the PASS Chapter tools and, if your website is configured, the details automatically appear on your chapter homepage. In addition, the event details appear in the PASS master list of events. You don’t have to go to multiple places to get the word out.

The 24 Hours of PASS

More FREE training. And if you can’t stay around for the whole 24 hours, don’t worry, sessions are recorded and eventually available on-line.

[Off-Topic] Beating Childhood Cancer

Note: I feel this post is important enough to post across all my blogs.

September is Childhood Cancer Awareness Month here in the USA. Here are some statistics:

  • In 2014, an estimated 15,780 children (ages 0-19) will be diagnosed with cancer in the USA.
  • In 2014, an estimated 1,960 will die of cancer here in the United States.
  • That averages to between 5 and 6 children dying of cancer every day, just here in the United States.

There’s a lot of talk about “surviving” cancer, meaning you hit the 5 year mark after diagnosis. That’s a misleading statistic, as I’m about to explain. Here are some more statistics:

  • 12% of children diagnosed with cancer do not survive (don’t make it to the 5 year point).
  • The average age of diagnosis is six years-old.
  • With current treatments, 60% of childhood cancer survivors suffer after-effects.

Campbell’s Story:

A more comprehensive telling of Cam’s story can be found on this blog and on this Facebook group. Here’s the short version: Cam was diagnosed with cancer when she was 3 years old. She beat it. However, certain symptoms came back, which led to re-checks. The cancer had come back. Despite all efforts, including experimental treatments, Campbell died from cancer. Technically, she is a survivor, because she made it past five years (5 years, 2 days). However, Campbell is no longer with us. Therefore, the statistics stating 12% of diagnosed children die of childhood cancer should be higher.

If you do the math, Campbell died at eight years old. She passed away despite heroic efforts from donors to cover expenses and lobby her insurance carrier to cover the experimental treatments, medical personnel performing everything they could do (numerous brain surgeries, clinical trials, experimental treatments), positive thoughts and prayers, and even celebrities taking the time to make some of her wishes come true.

How do I know about Campbell? Campbell’s dad is a Citadel classmate of mine. Because of Campbell’s fight, I became more educated on childhood cancer. Childhood cancer is the leading disease cause of death in children. Every form of childhood cancer we can find a cure for means more bright, young lives saved. Furthermore, given how much damage current treatments do, we need better treatments for survivors. All of this requires research. Research requires funding. As a result, I’m trying to raise awareness about it now.

What We Can Do:

I don’t believe in issuing challenges. If this touches you enough to give, then please do. If not, I realize there are many excellent causes and efforts out there. Please try and give something to one or more that have meaning to you. Here’s what Cam’s family specifically asked for, because this puts research dollars forward for the doctors who were treating Cam and her particular form of cancer. You can mail donations to:

Weill Cornell Medical College with GREENFIELD Ependymoma Research in the memo field.

The mailing address:

Ana Ignat
Department Administrator
525 East 68th St, Box 99
New York, NY 10068

Or you could choose another childhood cancer charity/research fund. If you do, please check with a site like Charity Navigator to see how efficiently that charity uses the donations it receives. I know that particular charities in the past have sounded great but when you do the research… not so much. That’ll help you ensure that more of your donated money goes to research.

Audit Webinar Tomorrow (4 September 2014)

I will be giving a webinar on how to audit SQL Server through MSSQLTips.com.

Webinar Registration Link

The abstract:

Don’t become a statistic. With the numerous data breaches and internal data theft, securing your SQL Server environment can help keep your company out of the news. Unfortunately, a single SQL Server configuration, coding technique or operational practice in your environment can put you at risk. Now is the time to be proactive for your own peace of mind or prepare for your organization’s next formal SQL Server audit. This session will provide key scripts and reports to build your SQL Server auditing checklist.

In this session you will learn about the following topics:

  • Permissions – Elevated permissions for logins at the instance and database level
  • Logins – Creation and modification of logins as well as failed login attempts
  • Operations – Out of cycle backups, phantom SQL Server Agent Jobs and changes to standard operating procedures that should raise the red flag
  • Configurations – Whether it is xp_cmdshell, Linked Servers or password policy changes, these need to be recorded
  • Code Changes – Code changes sneaking into production would never happen, so be able to prove it
  • Data Auditing – With awareness for confidential data rising, report on who accessed and when
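The checklist above covers what should be recorded; as an added example (not the webinar’s own scripts), here is a read-only T-SQL snapshot that pulls four of those items from the instance-level catalog views. It assumes you run it as a login with VIEW SERVER STATE and access to the error log; the role list and configuration names are ones I chose to illustrate the point, not a complete checklist.

```sql
-- Added example, not from the webinar: a quick audit snapshot of an instance.
-- Run as a login that can read the server catalog views and the error log.

-- Permissions: members of the high-privilege fixed server roles.
-- (Roles listed here are a sample; extend to whatever your checklist covers.)
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- Logins: SQL logins that bypass the Windows password policy or never expire.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled, modify_date
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- Configurations: surface-area switches that should stay off unless documented.
SELECT name, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'remote access');

-- Configurations: linked servers, with when they were last changed.
SELECT name, product, provider, data_source, modify_date
FROM sys.servers
WHERE is_linked = 1;

-- Logins: failed login attempts in the current SQL Server error log.
-- xp_readerrorlog is undocumented; args are log number (0 = current),
-- log type (1 = SQL Server error log) and the search string.
-- Requires "Failed logins only" or "Both" auditing in server properties.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
```

Each result set is a point-in-time picture. To turn it into the record the abstract asks for, persist the output (a dated audit table or a flat file per run) and diff consecutive runs; a new sysadmin member, a linked server with a fresh modify_date, or xp_cmdshell flipping to 1 is then a one-line change rather than something you have to notice by eye.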

4 Attitudes I Wish I Had Earlier as a DBA

I was tagged by Mike Walsh (blog | twitter) in his post 4 Attitudes I Wish I Had Earlier As a DBA.

I Don’t Have to Do It Alone

I’ve always worked hard in my IT career to be knowledgeable in my field. I don’t like not knowing how to do something, and I’ll spend the time and research to figure out how to make something work or how to fix a problem. Early on in my career, whenever my team would encounter an issue, I took it as a personal challenge to solve every issue. At first this sounds great. Brian is being a real go-getter. But there’s a catch.

It hurts the team. When one person is solving all the problems, especially when that one person isn’t giving anyone else a chance, the rest of the team starts to become apathetic about new problems coming in. After all, Brian will solve it. This means one person, me, gets stuck with all the new problems. It destroys my work life balance. It means I don’t have a life. I get stressed out. I miss work. Suddenly there are problems that need solving and Brian is out. Or, two big problems hit at the same time. Brian can only work on one.

Now there’s a big problem. Since others stopped solving problems, the team isn’t prepared to solve the one Brian isn’t working on. As a result, Brian, the team, and the organization suffer. It’s one thing to be a high performer. It’s quite another to try and do it all alone. What I have learned is to be a high performer and to try and bring people along with me to also be high performers. Let’s solve the problems together, so others grow.

The Technical Solution Isn’t Always the Right Solution

This one took a long time for me to get. I like processes. I like solving technical problems. Often times I could see a technical solution to a problem, albeit a complex one. It took my last manager to get through my head this simple concept: sometimes the best solution is a people solution and not a technical one.

There isn’t a standard rule when this is true. However, when you start weighing a technical solution versus a people solution and the people solution looks less complex, it’s time to start seriously considering the people solution. This is especially true when you don’t need 100% adherence or when you have time to offer a few reminders.

People Skills Are Important

One of the reasons I received promotions early in my IT career is that I was able to talk with key business folks. I interacted well with HR when we were putting in a new software package. I could understand the PMs (probably because I was one in the USAF) and could give them estimates in their terms as well as explain variances due to issues being faced. However, I sometimes struggled with developers. Don’t all DBAs? Maybe, but most of the struggles were my own creation. Rather than asking the question, “What are you trying to solve?” and then working with the developer to find the answer, I was quick on the “No, you’re wrong,” stamp. That doesn’t do anyone any good. I have found that when I can remember to engage my people skills and not my rubber stamp, I am more effective at my job.

Remember Who Is the Boss

At the end of the day, I may feel a solution is not the best. I may not like it at all. However, unless I feel that a solution or an instruction causes me to compromise my morality or my integrity, if my management decides to go a certain direction, I’m supposed to execute. I can offer my objection to my management, but if they say, “This is the way it is,” then it’s time to stop fighting and go to it.

I knew this before becoming a DBA. After all, this is the way things work in the military. You can object, if there’s time, to your immediate chain-of-command, and if that person says, “This is the way it is,” you are supposed to make the command your own. However, when I got into the civilian workplace, I somehow forgot this way of thinking. I know a few situations earlier in my career would have gone a lot better if, having voiced my objections, I had hunkered down and got the work done.


Nothing earth-shattering, but hopefully it’ll help someone else.

Continuous Integration/Delivery without Testing!

Anything we can do to automate our builds and deployment should be considered. After all, the point isn’t just to write code, but to deploy working code. So what if we did the automated builds and deployed them to development or QA? No errors, so I’m good, right?

Not so fast. Go back to what Martin Fowler says about testing in continuous integration: builds should be self-testing. For instance, simply deploying T-SQL code to a database without errors is not the end. That’s merely the beginning. At this point you know that there aren’t any obvious syntax errors. That doesn’t mean the T-SQL code works according to specification. It doesn’t mean that a view you didn’t drop and re-create is okay. After all, if you change the underlying objects, that view might not work any more. Testing the build is important. And having all the tests needed to sufficiently check out the functionality of the code is essential.
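The broken-view case is a good one to automate, because the deployment itself reports success. The following is an added example, not code from the post: a post-deployment self-test that asks SQL Server to re-bind every non-schema-bound view and fails the build if any no longer compiles. The `ci_demo` schema, table and view are constructed here only to reproduce the failure; the checking loop at the bottom is the part you would keep in a build pipeline.

```sql
-- Added example, not from the original post. Constructed demo objects first,
-- then the self-test a build step would run after deployment.
SET NOCOUNT ON;

-- Constructed demo: a view deployed once and never dropped/re-created.
IF OBJECT_ID('ci_demo.OrderSummary', 'V') IS NOT NULL DROP VIEW ci_demo.OrderSummary;
IF OBJECT_ID('ci_demo.Orders', 'U') IS NOT NULL DROP TABLE ci_demo.Orders;
IF SCHEMA_ID('ci_demo') IS NULL EXEC ('CREATE SCHEMA ci_demo');
GO
CREATE TABLE ci_demo.Orders
(
    OrderID    int     NOT NULL PRIMARY KEY,
    CustomerID int     NOT NULL,
    LegacyCode char(4) NULL
);
GO
CREATE VIEW ci_demo.OrderSummary AS
    SELECT OrderID, CustomerID, LegacyCode
    FROM ci_demo.Orders;
GO

-- A later deployment changes the underlying table. This ALTER succeeds with
-- no error, so a "deploy and check for errors" pipeline stays green even
-- though the view is now broken.
ALTER TABLE ci_demo.Orders DROP COLUMN LegacyCode;
GO

-- Self-test: re-bind every user view. sp_refreshview recompiles the view
-- definition and raises an error for any view whose referenced columns or
-- objects no longer exist, which TRY/CATCH turns into a counted failure.
DECLARE @view sysname, @msg nvarchar(4000), @failures int = 0;

DECLARE views_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(SCHEMA_NAME(schema_id)) + N'.' + QUOTENAME(name)
    FROM sys.views
    WHERE is_ms_shipped = 0;

OPEN views_cur;
FETCH NEXT FROM views_cur INTO @view;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        EXEC sys.sp_refreshview @viewname = @view;
    END TRY
    BEGIN CATCH
        SET @failures += 1;
        SET @msg = ERROR_MESSAGE();
        -- Severity 10 is informational: log each broken view, keep going.
        RAISERROR('Broken view %s: %s', 10, 1, @view, @msg) WITH NOWAIT;
    END CATCH;
    FETCH NEXT FROM views_cur INTO @view;
END;
CLOSE views_cur;
DEALLOCATE views_cur;

-- Severity 16 makes sqlcmd -b exit non-zero, so the pipeline step fails.
IF @failures > 0
    RAISERROR('%d view(s) failed to refresh; failing the build.', 16, 1, @failures);
GO
```

Run the checking batch from the pipeline with `sqlcmd -b` so the final RAISERROR fails the step. On the constructed demo it reports `Broken view [ci_demo].[OrderSummary]: Invalid column name 'LegacyCode'.` and exits with a failure, which is exactly the signal a deploy-without-errors check never gives you.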

Actually, more testing should be done than just checking bits of functionality like we typically do with unit or module tests. At some point during the process you should also be testing in production-like conditions. Can you have Continuous Integration (CI) or Continuous Delivery (CD) without proper testing? No, you can’t. You can have something that looks like CI or CD, and you may even call what you have by one of those names, but you don’t have CI or CD.

The fact of the matter is that you want testing; actually, you want as much automated testing as is feasible. Speeding up the process doesn’t mean end users are suddenly okay with getting buggy code. And we as IT professionals shouldn’t be okay with that, either. We can still ship and test. We just have to commit to testing. Yes, testing will add time to every build cycle. However, it’s a necessity for every build cycle if you’re doing builds right. Simply compiling the code isn’t adequate testing. It’s merely the first test of many more.

Still a Need for a SQL Server Specific Organization

If you haven’t already, please read Denise McInerney’s post about why PASS no longer stands for the Professional Association for SQL Server.

The Growth of an Organization

If you’ve been involved with PASS lately, you’ve probably seen this change coming. When I read the post, I wasn’t surprised. PASS wants to grow. One area of growth is in data analytics and there’s a lot of non-Microsoft technologies out there in that space. There are a few non-SQL Server technologies belonging to Microsoft in that space, too. Therefore, at least for me, the change was expected.

Do I think PASS will be fine? I do. I think it’ll embrace the change and it’ll grow and things will continue to expand with regards to the organization. Am I disappointed? I am. I’m not the only one.

The Need for a SQL Server Specific Organization

I am not disappointed because the organization is growing and expanding to encompass more people. I think that’s great. I think PASS, with its new mission and expanded focus, fills a need.

I am disappointed because there will no longer be a SQL Server-specific (or even centric) organization, and I think there’s a need for that. SQL Server itself continues to get bigger and there are a lot of folks using it. Therefore, I think an organization that supports the growth of the SQL Server community is a needed one. It’s not just about job security. As an infrastructure and security architect I work with a lot of different technologies. I learn about far more. If you aren’t already doing this, you should be. Don’t get tied to one technology. With that said, if a particular technology continually makes your job easier and helps you “ship,” by all means champion it.

Going Forward

I still love Microsoft SQL Server. I love a lot of the roadmap I see going forward. Look at the feature set for SQL Server 2014, for instance. Think through how and where you could use some of those technologies. Because of this, I think SQL Server is going to continue to grow and flourish. Because of this, I’d like to see a new, SQL Server specific organization come into being. However, as Grant points out, it does need to do a better job of making itself known. What Grant expresses from his own experience is what I’ve seen as well when I step away from the formerly Professional Association for SQL Server events that I have participated in. When I spoke at code camps, for instance, few in my sessions knew about PASS. I found the same thing to be true at many developer user groups as well. In the IT auditor community, it seemed like no one had heard of PASS. So if a new organization does rise up, it needs to get its name out there. The more involvement, the more recognition, the better.

Should the organization be about the big events? I don’t think so, at least, not as a focal area. There are a lot of opportunities at the grassroots level. I’m not just thinking about user groups and the equivalent of SQL Saturdays. I’m also thinking about code camps and non-SQL Server-specific conferences where SQL Server is still a heavily leveraged technology. I think learning, networking, and occupation growth would function better at a more organic level. But maybe that’s just me. Big conferences are great, but they shouldn’t be the focus.

In Conclusion (or, the TL;DR version):

I wish PASS well in its “new” direction. I’ll be a part of it where I fit in. I also want to see a SQL Server-specific organization be founded. I’d definitely be a part of that. Regardless of whether or not that organization comes into being, we should continue to network, continue to teach, continue to learn, and continue to work together as a community.
