[Cross post] Innovating Yourself as an IS Auditor

This is also posted to the ISACA Journal blog, Practically Speaking:

As new technologies are developed, we have to stay up to date with them. More so than almost any other practitioner interfacing with information technology, auditors have to work hard at continual education. It is not just the technology, though. We are also seeing orders of magnitude more data. More data to process means we have to be more efficient at sifting through those data to ensure we can protect our organizations. So how do we stay up with what is current?

First and foremost, we need to use technology for our benefit when we can. Data is a big deal, but as it has exploded, it is a big deal for just about everyone. That means companies are investing a lot of capital in developing systems to handle the reams and reams of information we have at our fingertips. These systems are able to spot both trends and exceptions. Why should these solutions be limited just to the folks doing financial forecasting? We can use them, too. That is a key attitude for us to take: when technology helps us, we have to come up to speed on it and leverage it for all it's worth.

Second, speaking of learning new technology, we are being exposed to new ideas, new protocols and new standards all the time. We have to set aside the time to understand all of these new things. It is not practical to try to learn any of them in great detail. However, we have to understand them well enough to understand what they provide, where they have issues and what they should actually be used for. If we are relying on what we learned just 5 years ago, some of our knowledge is already out of date.

Finally, we have to understand that with the changes we have in technology, whole disciplines may be completely upended. I can remember a time when organizations were on the Internet and firewalls were a very uncommon thing. Now we are in an era where we know the firewall is not enough. These concepts are more abstract than a protocol definition. However, it is just as important that we stay up-to-date in these concepts as well.

All of this adds up to continually innovating yourself to maintain your knowledge and skills. The good news is that if you keep up, you will never be bored. Technology is changing at a breakneck pace. There is always something new to learn and pick apart!

Read related Journal article:

“Innovation Governance: Innovate Yourself—Using Innovation to Overcome Auditing Challenges,” ISACA Journal, volume 6, 2019. (Requires access to the ISACA Journal via ISACA membership.)

Azure – BGP Community for Application Insights (Need Votes)

Working with Microsoft, we determined that there is no BGP community for Azure’s Application Insights. As a result, I’ve created a feedback request for Microsoft to consider doing just that.

Without this BGP community, you can’t route all Application Insights traffic across an ExpressRoute connection without routing for the entire region, something you may not want to do. Other offerings do have their communities, and I mention a few in the feedback request.

Some may ask, “What’s the risk?” Yes, the connection to Application Insights is encrypted. So it’s not so much a security risk unless you have compliance requirements to keep traffic contained. Really, the risk is more about performance. For instance, we observed that when Application Insights routes over the Internet, sometimes the path chosen is less than ideal because DNS resolution ends up directing traffic to a different region. Microsoft observed cases where Application Insights traffic did not go to IPs within the region where the Application Insights resources were provisioned (such as to West US when Application Insights was provisioned in Central US).

Feedback Request: Add BGP community for api.applicationinsights.io (Please upvote)


Personal Goal Accomplished: Speaking at the PASS Summit

I mentioned on Twitter that a family tragedy about a decade ago had resulted in a false start with respect to this goal:

Ten years ago, we were expecting a baby, our fourth. Then an ultrasound revealed that we were having twins. Because we had “MoMo” twins, we immediately moved into the high risk category and that meant an appointment with specialists. Sadly, at that appointment we received devastating news: our twins had passed. If you’ve lost a child to miscarriage, you understand how painful and shattering that is. As the father, it tore my heart in two. The reality, though, is that it’s always worse for the mother. As the father, it took a long time before it was something I could fully come to terms with. I stand by the statement that it’s always worse for the mother. Anything can spark a grief reaction again, even many years afterwards. I’ve seen it with my wife and others I’ve talked to have shared the same thing.

Needless to say, this has always been in the background with me attempting to get back to PASS. There have been other, more prominent reasons. But the loss of the twins so close to going to a PASS Summit always held me in its grasp. A decade is a long time. Though I had faced my grief, our loss still affected me. As a result, when I applied again to speak at PASS, my wife and I talked. It was important for me to try and move forward here. So with much trepidation I made the journey, spoke today, and am glad for it.

So why do I share this? Kevin Kline gave a talk about how much of a family the SQL Server community is. It truly is. Members of the community helped me face my grief. Folks who had been through it, too. And they’ve been supportive over the years. If you’re dealing with something non-technical, chances are someone else in the community has dealt with it or is dealing with it, too. And you might be surprised how quickly they are to walk alongside of you if they just knew. We aren’t just here to help each other technically. We’re here to help each other, no predicate applied.

Should I Be Worried About skip-2.0?

A new piece of malware which hooks into SQL Server, skip-2.0, has been making the tech media rounds. If you’ve not read about it yet or you’re looking for more details, I’ve written a quick article discussing the finer details:

Skip-2.0 Malware Impacts SQL Server – Should I Be Worried?

The big takeaway I’ve been telling folks who have asked about it: skip-2.0 can only be deployed successfully *AFTER* the adversary has administrative rights to the OS. Therefore, it’s not a new way of getting in. It’s a way to maintain access and cover tracks. The real concern is how the adversary can get in. That’s not a SQL Server problem. That’s an OS and account management one.


July 2019 – New Microsoft security update for Spectre variant

If you remember the flurry of news from the beginning of 2018 about side channel attacks called Spectre and Meltdown, Microsoft has included in its July update a patch for a newly discovered Spectre variant 1 attack method. According to Microsoft’s revision announcement, this one does not require a microcode update. Definitely check the security bulletin for the OSes you handle, because there are some known issues.

New Security Update for SQL Server in July 2019 Patches

It doesn’t look like this would affect SQL Server 2008 or SQL Server 2008 R2 since the earliest reported platform is SQL Server 2014, but in Microsoft’s release of patches today, SQL Server is included. Here’s the vulnerability:

CVE-2019-1068 | Microsoft SQL Server Remote Code Execution Vulnerability

It’s a remote code execution vulnerability, but the attacker has to be connected to SQL Server because the vulnerability can only be exploited using a specially crafted query. The code would execute in the context of the database engine service account (hopefully not configured to run with administrative rights on the server or elevated rights in Active Directory).
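Because the impact of this kind of bug is bounded by the privileges of the database engine service account, the practical check is to confirm what each SQL Server engine service actually runs as. The PowerShell below is an added example, not code from the original post or from Microsoft: it lists the engine services on the local host and flags any whose account is LocalSystem or a member of the local Administrators group. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and that it is run elevated on the SQL Server host; the function name is hypothetical.

```powershell
# Added example: audit the account each SQL Server database engine service runs as
# and flag accounts that carry local administrative rights on this host.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) and an elevated session.

function Get-SqlServiceAccountRisk {
    [CmdletBinding()]
    param()

    $hostName = $env:COMPUTERNAME

    # Members of the local Administrators group, lower-cased for comparison.
    # Get-LocalGroupMember reports names as "HOST\user" or "DOMAIN\user".
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.ToLowerInvariant() }

    # Default instance is MSSQLSERVER; named instances are MSSQL$<InstanceName>.
    # The filter is WQL, so % is the wildcard.
    Get-CimInstance -ClassName Win32_Service `
        -Filter 'Name = "MSSQLSERVER" OR Name LIKE "MSSQL$%"' |
        ForEach-Object {
            $account = $_.StartName

            # Win32_Service reports local accounts as ".\name"; normalise so they
            # compare against the "HOST\name" form used by Get-LocalGroupMember.
            $normalised = $account -replace '^\.\\', "$hostName\"
            $isLocalAdmin  = $admins -contains $normalised.ToLowerInvariant()
            $isLocalSystem = $account -eq 'LocalSystem'

            [pscustomobject]@{
                Service     = $_.Name
                State       = $_.State
                Account     = $account
                LocalSystem = $isLocalSystem
                LocalAdmin  = $isLocalAdmin
                Finding     = if ($isLocalSystem -or $isLocalAdmin) {
                                  'REVIEW: engine runs with administrative rights'
                              } else {
                                  'OK'
                              }
            }
        }
}

Get-SqlServiceAccountRisk | Format-Table -AutoSize
```

A virtual account (NT Service\MSSQLSERVER) or a managed service account will normally come back as OK here. This check only covers local Administrators membership; the Active Directory side of the warning (a domain account in privileged AD groups) needs a separate lookup against the directory and is not covered by this script.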

The Microsoft security announcement is here (this is the 2014 GDR link, as there are other links for other configurations):

Description of the security update for SQL Server 2014 SP3 GDR: July 9, 2019

Why do I mention SQL Server 2008 / 2008 R2? That’s because those versions are no longer under Extended Support and will not receive security updates. If you haven’t migrated, I’ve written an article at Simple Talk talking about your options.

Guidance on Moving Off of SQL Server 2008 and 2008 R2

July 9, 2019 will be here soon. With it comes the end of support, including security updates for SQL Server 2008 and SQL Server 2008 R2 unless you either migrate to Azure or enter into an agreement program with Microsoft. I know quite a few folks are facing this situation, so I wrote a guide covering why to migrate (other than regulatory) as well as what to do if you can’t, over at Simple Talk: The End of SQL Server 2008 and 2008 R2 Extended Support.
