We spend a lot of time and effort trying to clean data. Anyone who has worked on ETL (Extract, Transform, and Load) has wrestled with trying to get good data for downstream systems. Maybe this sign is appropriate after all.
11 May 2016
SQL injection has been around for a long time. One would have hoped that, with it having been around so long, we would have eliminated it as a vulnerability in our applications, especially in financial sites on the Internet. Unfortunately, the reality is that we're still dealing with it and big stories keep coming out. For instance:
Keep in mind that from an architecture perspective, the place to stop SQL injection is in the application, before untrusted input ever becomes part of a SQL statement. Two controls go together here. First, send user input to the database as a parameter (a parameterized query or a stored procedure call with typed parameters), so the value is bound as data and is never appended or inserted into a text string that becomes the SQL statement executed against the database server. Second, validate the input when it comes in. If it doesn't match the appropriate pattern, and in a banking application the likely pattern for each input (account number, amount, date) should be easily defined, reject it at that level so bad data never reaches the data layer at all.
If you don't get it at this level, preventing the attack gets much harder. Perhaps an IDS/IPS can detect it based on text matches against known payloads. We might be able to do something similar within the database, say by using DML triggers or auditing, but a DML trigger only fires on INSERT, UPDATE and DELETE, so it won't see an injected SELECT that reads data out. And if the appended text generates queries that look basically like what the application normally sends, none of the back-end solutions are going to be very effective.
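The two points above, a query built by string concatenation beside its parameterized and validated form, as an added example that is not part of the original post. It uses an in-memory SQLite table as a stand-in for SQL Server (the injection and the fix behave the same way on either), the table, its rows, the ten-digit account number format and the attacker payload are all constructed for the example.

```python
import re
import sqlite3

def setup_db():
    """Constructed sample data: an in-memory table standing in for a SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("1000200030", "alice", 1500),
        ("1000200031", "bob", 250),
        ("1000200032", "carol", 99000),
    ])
    return conn

# Assumed input pattern for this example: an account number is exactly ten digits.
ACCOUNT_RE = re.compile(r"[0-9]{10}")

def validate_account_no(value):
    """Boundary validation: accept only input that matches the expected pattern."""
    return bool(ACCOUNT_RE.fullmatch(value))

def vulnerable_sql_text(account_no):
    """BAD: the caller's input is pasted straight into the statement text."""
    return "SELECT owner, balance FROM accounts WHERE account_no = '" + account_no + "'"

def lookup_vulnerable(conn, account_no):
    # The database parses whatever ended up in the string, input included.
    return conn.execute(vulnerable_sql_text(account_no)).fetchall()

def lookup_parameterized(conn, account_no):
    """GOOD: the statement text is fixed; the value is bound as a parameter."""
    sql = "SELECT owner, balance FROM accounts WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()

def lookup_hardened(conn, account_no):
    """Both layers: reject malformed input at the boundary, then bind the parameter."""
    if not validate_account_no(account_no):
        raise ValueError("rejected: account number does not match the expected pattern")
    return lookup_parameterized(conn, account_no)

# Constructed attacker input: a tautology that turns the WHERE clause into "always true".
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = setup_db()
    print(lookup_vulnerable(conn, "1000200031"))   # the one row the caller should see
    print(vulnerable_sql_text(PAYLOAD))            # still an ordinary-looking SELECT
    print(lookup_vulnerable(conn, PAYLOAD))        # every row in the table leaks
    print(lookup_parameterized(conn, PAYLOAD))     # no rows: the payload is just a literal
    try:
        lookup_hardened(conn, PAYLOAD)
    except ValueError as e:
        print(e)                                   # never reaches the database
```

Note what the injected statement looks like: a plain SELECT against the same table and columns the application always queries. That is exactly why matching on query text at the database or on the wire is a weak last line of defense, and why the fix belongs in the application, where the value is bound as a parameter and, for a banking input like an account number, rejected before it gets that far.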
Also, keep in mind that there are plenty of tools out there that help the adversaries. For instance, the Qatar National Bank attack used an open source SQL injection tool to accomplish the hack. So the adversaries don't have to be exceptionally skilled to pull off an intrusion, which means more and more folks are capable of these sorts of attacks. Not a good trend for the good guys.
10 May 2016
On Thursday, May 12, 2016, I’ll be presenting a webinar on top down SQL Server Security. You can find the webinar info here. This is a new presentation I’ve put together, looking at how to build a security architecture in SQL Server around a new application or system. Here’s the abstract:
Security, when possible, should follow the KISS principle: Keep It Simple, Stupid! The more unnecessarily complex security is, the more likely for a weakness or vulnerability to work its way in. Therefore, it’s best to start looking at security from the top down. Going the other direction tends to leave us overwhelmed in the details.
In this presentation, we’ll look at SQL Server security from the top down. We’ll consider particular scenarios that come up often in deployed systems and talk through how to implement security using the various options we have available: Windows users and groups, SQL Server logins, server and database roles, and object-level permissions. By covering these examples from a top-down perspective, we’ll be able to delineate our security goals and work towards the best way to implement them. Our scenarios will include examples from 3rd party application deployments as well as home grown solutions.
If you’re interested, the webinar will be held at 3 PM EDT. You can sign-up to view the webinar for free.
09 May 2016
This past Saturday, May 6, I had the opportunity to speak at a new conference, SyntaxCon. This is a developer-centric conference located in Charleston, SC. If you weren’t able to make it this year, it looks like next year is a go. As soon as I have official word of that, I’ll post on here.
If you attended my talk and wanted a copy of the slides, they are here:
Thanks to those who attended!
18 Apr 2016
There’s a new conference starting up in Charleston, SC: Syntax Code & Craft Convention or simply SyntaxCon. This conference is primarily for developers and it will occur May 6-7, 2016. Charleston is beautiful this time of year, so if you have the ability to go, please consider doing so.
The cost isn’t much: $175 for a single day or $300 for both days. There are also group and student discounts. See how to obtain those on the website. If you think you might need some help convincing your boss to let you go, the organizers have put together a prospectus indicating why it would be helpful to your career and your organization.
As for me, I'm giving another security-related presentation. Here's the title and abstract:
BUILDING SECURITY INTO YOUR DATA BACK-END
Every few weeks, we hear about another data breach. You’ve probably been affected – multiple times. If current forecasts are correct, things are only going to get worse. So what can we do about it?
In this talk we’ll focus on the weak points within the back-end that an attacker will likely go after. We’ll discuss why the attacks work, what weaknesses to look for, and what you can do to build security in, whether you are developing a new solution or trying to retrofit something onto an existing system. This isn’t just focused on the database platform such as SQL Server, but the entire data pipeline.
After all, if you’ve secured your database servers like Fort Knox but your file servers like leaky sieves, you’re still vulnerable to a smart adversary. We’ll also discuss the weakest link in information security, humans, and what technology solutions you can use to help mitigate phishing emails and other social engineering techniques.
31 Mar 2016
- Technology conference… check!
- At Myrtle Beach, SC… check!
- During the Summer… check!
I've attended the Techno Security & (various names here) Conference for the last few years and have always come home having learned something important. It's a relatively small conference, but it tends to attract keynotes and speakers who have some up-to-date knowledge to drop. Some of it is high government, like when the Secret Service comes and tells you about the state of the world with respect to cybercrime. Some of it is low-tech creativity, like when a guy uses a couple of Lego Technic sets to build an apparatus that automatically takes pictures of the pages of a document on an iPad – a document protected by enterprise-class rights management.
So I was very happy to be selected to speak at this year’s Techno Security & Forensics Investigation conference. If your job involves IT security and you’ve not heard of the conference, check out the talks and the keynotes. The location is wonderful. And there’s plenty to do in Myrtle Beach and the surrounding area in the summer.
09 Mar 2016
I hear this response all the time,
“They’re auditors. I’m going to give them exactly what they asked for.”
STOP. Don’t do this. Yes, it gets the auditors off your back this time but it doesn’t help the overall security posture of your organization. After all, if the IT auditors are asking for the wrong things and they don’t know they are asking for the wrong things, then they will look at and render a judgment based on the wrong things. As a result, your organization won’t be any more secure. Logically, all you’ve done is waste their time and YOURS because you’ve delivered something with no intrinsic value.
If you suspect that an auditor is asking for the wrong thing, don't just deliver what the auditor has asked for. Instead, ask the auditor what he or she is trying to verify or understand. I'll give you a recent example. I was looking at a SQL Server audit script given to me by an external auditor. Within the first 30 seconds I could see huge gaps in what they were auditing for, meaning the audit wasn't going to achieve its goals. Because it was dealing with SQL Server and because I teach auditors how to audit SQL Server, I didn't have to ask what they were looking for. So I simply pointed out that the scripts weren't going to do the job and that I could sit down with them and help them understand why and what they actually needed.
Don't waste your time. If you do, you won't have work you can be proud of. Be willing to speak up (diplomatically… something I always have to work on) and let folks know that you think there's an issue, why you think there's an issue, and how you might be able to help. That last part is key, too. Otherwise, it will often be dismissed as complaining. So don't waste your time with your auditors. Train them to understand what they need to understand to make proper calls on the operating environment.