Consolidating Email Accounts

I am consolidating my professional email accounts into one place. If you’ve previously contacted me using my linchpinpeople.com or either of my sqlpass.org email accounts, please use this instead:

kbriankelley {at} acm {dot} org

I have been slow to respond at times to the other accounts, because I don’t check them as regularly. Therefore, it only makes sense to consolidate back to one account.

 

SQL Server Security Benchmarks

If you’re not familiar with the Center for Internet Security, here’s the organization’s mission statement:

The Mission of the Center for Internet Security is to enhance the security readiness and response of public and private sector entities, with a commitment to excellence through collaboration.

CIS produces consensus-based, best practice secure configuration benchmarks and security automation content, and serves as the key cyber security resource for state, local, territorial and tribal governments, including chief security officers, homeland security advisors and fusion centers. CIS provides products and resources that help partners achieve security goals through expert guidance and cost-effective solutions.

That consensus-based part means the benchmarks are mostly community-sourced, which in turn means that if you work with a product that has a security benchmark, you can contribute. I bring this up because there are security benchmarks for SQL Server available for download, and we are always looking for knowledgeable folks to contribute their expertise. This link is to the released version of the benchmark for the relevant SQL Server versions.

Not only are the finalized release versions of the benchmarks available, but we also are actively working on the benchmarks all the time. As a result, the next version of each benchmark is typically available for comments and proposed changes as a draft. The more knowledgeable folks contribute, the better we can make these benchmarks, which hopefully results in more secured SQL Servers around the world.

Also, once a product version has been out long enough, we start a benchmark for it, too. That means we’ve begun the security benchmark for SQL Server 2014. We’d love contributions from the community to make this a solid benchmark with its 1.0 release. If you have the time and experience working with SQL Server 2014 security, please take a look. The current draft is a copy of the 2012 one, so there are definitely changes to be made. Thanks!

 

#TSQL2sday #59 – My Heroes

Here is my list of heroes for #TSQL2sday. None of them are directly tied to technology, much less SQL Server. However, all of them have made a deep impact on my life. I am where I am today because of these nine.

1. James Tiberius Kirk

I start my list with a fictional character because he was my first hero. As a three- and four-year-old I watched Star Trek re-runs every day. I followed the exploits of the USS Enterprise and saw Kirk and crew take on challenge after challenge. Kirk was the one who started me on a love of all things technical.

2. Penny Lake

My family moved to Japan when I was in 4th grade. My 4th grade teacher was Ms. Penny Lake and she saw me and my mom through some hard times. One of the things she did was have me tested, which pushed me into 5th grade halfway through the year. Before the testing, though, she was already handing me the 5th grade math textbook and sending me off to the 9th grade Spanish I class. Her efforts weren’t just limited to me. In her class we learned how to cook, how to run a successful business (lemonade and hot chocolate stand at the school), and a whole host of important life skills that don’t fall under the three R’s.

3. Wesley Felix/Nathaniel Drake

I had these men back-to-back. They were my band directors for 8th grade and 9th grade. I learned most of my lessons on professionalism from these two men. They knew their craft. They cared about their students. They knew the impact the band had on the school’s reception in the community. Between “Felix” and “Drake” you knew the standard was high, they’d get you there, and you’d love the result.

4. Dr. Clyde Smith

He’s my honorary father. Home life situations meant Dr. Smith became more than a physics instructor to me. He became the guy I went to for advice. He was the one who I was most afraid of disappointing. Likewise, he was the man whose praise I cherished the most. His faith for Jesus Christ, especially in the realm of science, was one that I eventually followed in my own life path. Now he’s the honorary grandfather to my children, who adore him as much as I do. How can you not love a grandfather who first teaches you how to walk on glass and then sits down and explains the physics concepts behind what you just did?

5. Judit Polgar

Like Kirk, I’ve never met Ms. Polgar. However, unlike Kirk, she’s real, much to the chagrin of many a chess player. Judit has the highest chess rating ever for a female. That’s what gets talked about. I don’t think she ever really cared. She just looked at herself as a chess player and she was awesome (she has retired from the professional ranks), making it to the top ten in the world and slaying world champions like Kasparov, Karpov, and Anand. Her style is aggressive and tactical. Play too passively and she will march her army out and suffocate you in your closed-in lines. She is a throwback to Fischer, to Tal, to Morphy. And she is the one I most tried to pattern my chess game around. When she stepped back a bit from competitive chess to get married and then start a family, she gave me a most needed wake-up call. I had been pursuing my career at the expense of my family. Seeing Judit step back started those deep questions in me.

6. Major Herbert L. Day, USMC, Retired

Major Day was the Director of Bands at The Citadel, the Military College of South Carolina, when I reported there as a freshman. Only he wasn’t on campus, as the band was in Scotland at the Edinburgh Military Tattoo. A US college band at the premier military tattoo in the world? Yes, sir, and that tells you the level of excellence expected of Major Day. Between Major Day and Sandy Jones (in charge of the Pipe Band and former Pipe Major for the USAF), we had our butts regularly kicked militarily and musically. Major Day got the most out of us. He knew when to be stern and when to be sympathetic. He rode us hard. He had phrases like, “It’s not a promise, it’s a prophecy,” and “Play it right or I’ll rip your lips off!” I miss Major Day every day.

7. Dr. David Allen/Dr. Tony Redd

Dr. Allen and Dr. Redd were two of my English professors at The Citadel. Both encouraged me to write, write, write. Whether it was poetry or prose, they wanted to see what I had penned and they were quick to offer suggestions for improvement, to tell me what I had done well, and to point me at others to draw inspiration from. I owe a lot to these men.

Slides and Code for SSIG Talk

Thank you to those who made it out to the SQL Server Innovators Guild last night in Greenville, SC. I hope you enjoyed the talk and that it’ll create conversations about how we better secure the ETL pipeline. With attacks against data becoming more and more prevalent, I only see this area growing in concern, especially as we understand that attackers will get through the perimeter or are already there (like the life change issues we talked about).

ZIP file: ETL_Pipeline_Security_Slides_Code.zip (585 KB)

Carolina Technology Conference: Presentation Materials

For those able to attend my session at this year’s Carolina Technology Conference, thank you! As promised, here are the slides, sample code, and audit scripts from my presentation on What You Absolutely Must Know about SQL Server Security:

ZIP file: What You Absolutely Must Know about SQL Server security

The Fallacy of Internal Access Only

In the wake of Shell Shock, I’ve seen some vendor advisories indicate that while their product is vulnerable, it’s only through the management interface, and everything is okay because, if best practices have been followed, the management interface isn’t exposed to the Internet.

No, everything is not okay. If best practices have been followed, then management interfaces have been locked down to particular IP addresses, not to all internal IPs. Even then, this is still not a guarantee that everything is okay.

With the prevalence of phishing attacks used to get a foot inside the network, and the relative success of those attacks, you can expect an attack from the inside at some point. Gone are the days when we honestly felt we could keep the bad guys out. Now we know they will get in, and it’s a matter of detection and remediation. The faster the better. The game has changed from keeping them out to keeping them from getting anything useful. Since that’s the way the game is being played now, responses like what I’ve been seeing are worrisome. They show that the vendors in question don’t understand the change in the game.
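To make the point concrete, here is an added example (mine, not from the original post or from any vendor advisory) that models a management-interface allow-list two ways: the “internal only” rule the advisories lean on, and a rule set restricted to named admin hosts. The rule syntax, the jump-host addresses and the sample source addresses are all constructed for the illustration; a phished workstation sitting on the internal network is what the first policy fails to account for.

```python
"""Added example: evaluate a management-interface ACL against internal sources.

Two constructed policies are compared with a first-match, default-deny evaluator:
  INTERNAL_ONLY     - allows the whole private range (the 'not exposed to the
                      Internet' argument the post criticizes)
  ADMIN_HOSTS_ONLY  - allows only specific jump hosts
The addresses and rule format are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network      # source network the rule matches
    port: Optional[int]             # None means any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of the form '<allow|deny> <cidr> <port|any>'; '#' starts a comment."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, port = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append(Rule(action,
                          ipaddress.ip_network(src, strict=False),
                          None if port == "any" else int(port)))
    return rules


def evaluate(rules: List[Rule], src_ip: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r.src and (r.port is None or r.port == port):
            return r.action
    return "deny"


# Constructed policy: "management interface is internal only".
INTERNAL_ONLY = """
allow 10.0.0.0/8 443   # any host on the internal range reaches the admin UI
deny  0.0.0.0/0  any
"""

# Constructed policy: only the admin jump hosts may reach the admin UI.
ADMIN_HOSTS_ONLY = """
allow 10.1.5.10/32 443  # jump host (constructed address)
allow 10.1.5.11/32 443  # second jump host (constructed address)
deny  0.0.0.0/0   any
"""

# Constructed sources to test each policy with.
SAMPLE_SOURCES = {
    "jump host": "10.1.5.10",
    "phished workstation": "10.20.30.40",   # internal, but attacker-controlled
    "internet": "198.51.100.7",
}


def assess(policy_text: str, port: int = 443) -> Dict[str, str]:
    """Return the verdict for each sample source under the given policy."""
    rules = parse_rules(policy_text)
    return {name: evaluate(rules, ip, port) for name, ip in SAMPLE_SOURCES.items()}


def overexposed(policy_text: str, admin_hosts: List[str], port: int = 443) -> List[str]:
    """Names of sample sources the policy allows that are not on the admin host list."""
    return [name for name, verdict in assess(policy_text, port).items()
            if verdict == "allow" and SAMPLE_SOURCES[name] not in admin_hosts]


if __name__ == "__main__":
    admins = ["10.1.5.10", "10.1.5.11"]
    for label, policy in (("internal only", INTERNAL_ONLY), ("admin hosts only", ADMIN_HOSTS_ONLY)):
        print(label, assess(policy), "overexposed:", overexposed(policy, admins))
```

Under the first policy the phished workstation is allowed through exactly like the jump host, so “not exposed to the Internet” buys nothing once an attacker is inside. The second policy denies it while keeping the admin path open, which is the “particular IP addresses” posture described above.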

Four Things PASS gets Right

PASS has taken a lot of heat recently. A few folks have pointed out that you only seem to hear about PASS when people are upset at it about something. So here’s my take on what PASS has done correctly.

The Summit

The Summit is a premier conference for SQL Server professionals. How do I know? Watch all the griping when speaker announcements are made. A lot of folks want to speak at the conference because they perceive it to have a lot of value. A lot of folks attend the conference because they perceive it to have a lot of value. A lot of value + financially affordable to PASS = premier conference.

Virtual Chapters

Virtual Chapters are awesome. Look at how many there are and how much FREE training they provide to the community. Yes, they are staffed by volunteers, however, they are still under the PASS umbrella.

Chapter Tools

First, there’s the free web hosting. It’s been around for a while. Yes, it’s DotNetNuke, but the templates are simple and workable for a chapter.

Second, there is the automated mailing. This allows a chapter leader to get the news out without having to go to MailChimp or some other resource. Also, as folks sign up at the chapter website, they are automatically added to the distro list. Easy all around.

Third, PASS has built the integrated events module. You set up the event details under the PASS Chapter tools and, if your website is configured, the details automatically appear on your chapter homepage. In addition, the event details appear in the PASS master list of events. You don’t have to go to multiple places to get the word out.

The 24 Hours of PASS

More FREE training. And if you can’t stay around for the whole 24 hours, don’t worry, sessions are recorded and eventually available on-line.
