Speaking at Syntax Code & Craft Convention

There’s a new conference starting up in Charleston, SC: Syntax Code & Craft Convention or simply SyntaxCon. This conference is primarily for developers and it will occur May 6-7, 2016. Charleston is beautiful this time of year, so if you have the ability to go, please consider doing so.

The cost isn’t much: $175 for a single day or $300 for both days. There are also group and student discounts. See how to obtain those on the website. If you think you might need some help convincing your boss to let you go, the organizers have put together a prospectus indicating why it would be helpful to your career and your organization.

As for me, I’m giving another security-related presentation. Here’s the title and abstract:

BUILDING SECURITY INTO YOUR DATA BACK-END

Every few weeks, we hear about another data breach. You’ve probably been affected – multiple times. If current forecasts are correct, things are only going to get worse. So what can we do about it?

In this talk we’ll focus on the weak points within the back-end that an attacker will likely go after. We’ll discuss why the attacks work, what weaknesses to look for, and what you can do to build security in, whether you are developing a new solution or trying to retrofit something onto an existing system. This isn’t just focused on the database platform such as SQL Server, but the entire data pipeline.

After all, if you’ve secured your database servers like Fort Knox but your file servers like leaky sieves, you’re still vulnerable to a smart adversary. We’ll also discuss the weakest link in information security, humans, and what technology solutions you can use to help mitigate phishing emails and other social engineering techniques.


Speaking at the 2016 Techno Security & Forensics Investigation Conference

Let’s see:

  • Technology conference… check!
  • At Myrtle Beach, SC… check!
  • During the Summer… check!

I’ve attended the Techno Security & (various names here) Conference for the last few years and have always come home having learned something important. It’s a relatively small conference, but it has a tendency to attract keynotes and speakers who have up-to-date knowledge to share. Some of it is high government, like when the Secret Service comes and tells you about the state of the world with respect to cybercrime. Some of it is low-tech creativity, like when a guy uses a couple of Lego Technic sets to build an apparatus that automatically takes pictures of the pages of a document on an iPad – a document protected by enterprise-class rights management.

So I was very happy to be selected to speak at this year’s Techno Security & Forensics Investigation conference. If your job involves IT security and you’ve not heard of the conference, check out the talks and the keynotes. The location is wonderful. And there’s plenty to do in Myrtle Beach and the surrounding area in the summer.


Train Your IT Auditors

I hear this response all the time,

“They’re auditors. I’m going to give them exactly what they asked for.”

STOP. Don’t do this. Yes, it gets the auditors off your back this time but it doesn’t help the overall security posture of your organization. After all, if the IT auditors are asking for the wrong things and they don’t know they are asking for the wrong things, then they will look at and render a judgment based on the wrong things. As a result, your organization won’t be any more secure. Logically, all you’ve done is waste their time and YOURS because you’ve delivered something with no intrinsic value.

If you suspect that an auditor is asking for the wrong thing, don’t just deliver what the auditor has asked for. Instead, ask the auditor what he or she is trying to verify or understand. I’ll give you a recent example. I was recently looking at a SQL Server audit script given to me by an external auditor. Within the first 30 seconds I could see huge gaps in what they were auditing for, meaning the audit wasn’t going to achieve its goals. Because it was dealing with SQL Server, and because I teach auditors how to audit SQL Server, I didn’t have to ask what they were looking for. So I simply pointed out that the scripts weren’t going to do the job and that I could sit down with them and help them understand why, and what they actually needed.

Don’t waste your time. If you do, you won’t have work you can be proud of. Be willing to speak up (diplomatically… something I always have to work better on) and let folks know that you think there’s an issue, why you think there’s an issue, and how you might be able to help. That last part is key, too. Otherwise, it will often be dismissed as complaining. So don’t waste your time with your auditors. Train them to understand what they need to understand to make proper calls on the operating environment.

Slides and Links from Yesterday’s Webcast

If you were able to attend yesterday’s webcast, thank you for attending.

Slides for Conducting a SQL Server Security Risk Assessment

If you weren’t, the webinar is available on demand, though you will need to sign up on the MSSQLTips website.

Also, some of the relevant links:


MSSQLTips Webcast on Security

On February 11, 2016, at 3 PM EST, I’ll be giving a security webinar for MSSQLTips. It’s titled Performing a SQL Server Security Risk Assessment. Here’s the abstract:

You have one or more SQL Servers and you want to assess the security of each. What’s a priority? What puts your organization at the greatest risk? What should you attack first?

In this presentation, we’ll look at how to do a security risk assessment of SQL Server. We’ll cover all the common big-ticket items, the ones that could lead to a server breach, data loss, or a system becoming unavailable due to mismanagement. We’ll also discuss how to assess other items you may find and how to rank and prioritize them. Armed with this information, you’ll be better equipped to provide a to-do list to your management with justifications and relative impact for each proposed change.

If you’re interested in attending the webinar, it’s free but you’ll need to register.

Midlands PASS February Meeting Cancelled

I woke up this morning feeling rough. Our constantly chaotic weather this winter has done me in again. As a result, I’m not in any condition to present tonight and I’m cancelling the meeting.

I’ll present on the topic of improving query performance at our March meeting. Look for an announcement soon with the meeting details.


Midlands PASS February 2016 Meeting

Midlands PASS has changed its meetings from the 2nd Thursday to the 2nd Tuesday of each month. This takes effect with this month’s meeting. We are still meeting at the same location in West Columbia, SC. However, the name of the organization has changed: Microstaff IT has become We Know IT!

For this month’s meeting on February 9th we are looking at improving queries. Here’s the abstract:

We want queries to run fast. The faster queries run, the less likely they are to get in the way of other queries (blocking). The faster queries run, the less likely they are to collide where one will have to be rolled back (deadlocking). And the faster queries run, the more queries we can pump through the system, thereby improving performance. In this presentation we’ll look at how the SQL Server query engine works: how it breaks down a query, how it uses indexes, and how it puts all this together to produce an execution plan. By understanding how the engine works, we’ll understand how to improve our queries.

If you can make it out, please RSVP so we’ll know how many refreshments to bring.
