Watch out for your own confirmation bias

First, a true story:

I was a senior in high school, applying for college. One of the colleges I applied for was the Naval Academy. As part of the process, the Navy sent a Blue and Gold Officer (BGO) to interview me and answer any questions that I might have. As the interview proceeded, the BGO learned my father was a Marine avionics chief. He learned that I had a lifelong fascination with aircraft. He also learned that I wanted to be an aerospace engineer. This interview happened as the market plummeted in the military aerospace industry. What he said next surprised me.

“You can be a test pilot!” he exclaimed.

At that time, my left eye was 20/100 with astigmatism. Pilot slots were hard to come by. Getting one as a newly commissioned officer meant you had to have at least 20/20 vision in both eyes. I was already having to go through a medical waiver process to be accepted into Annapolis because of my left eye. Therefore, I knew what he told me wasn’t true. I had done the research. I knew the numbers. I knew that I couldn’t be a test pilot. However, he continued on that thread for about five minutes, telling me that it was possible. I really wanted to believe what he told me.

I didn’t. However, the temptation to believe him was strong. In the end, it didn’t matter. I was accepted to the US Naval Academy (USNA). I chose to go to The Citadel instead. The Citadel was the correct path for me. My conversation with the BGO didn’t sway me to attend USNA. However, if I had let my confirmation bias win, I would have. I would also have chosen the wrong path.

As I see the latest news stories roll out, I see a lot of messages, each targeted to one side or the other of a particular issue. It has become particularly easy to find a message that agrees with one’s position, given by someone who looks to have enough valid credentials. It’s amazing how many times I see the same message reposted on social media as “the truth of the matter.” In reality, the majority of these aren’t the “truth, the whole truth, and nothing but the truth.” There’s often a lot of opinion presented as fact. There are too many cases where key facts that conflict with the position are not disclosed. Context is often shaped to promote the “truth” of the message. I’ve seen this regardless of issue and/or side. Why do these stories, clips, and talking points keep getting posted? The answer is simple: confirmation bias.

Confirmation bias can get all of us. We like hearing messages that reinforce what we believe. We like being told that we are correct. Therefore, it’s easy to give in to confirmation bias. Resist that temptation. Spend some time digging a little deeper. Find messages which disagree with the position you think is correct. See if anything presented in those messages is factual and, if so, whether any of those facts contradict the position you agree with. Likely you’ll see that the truth is somewhere in the middle between the two opposing positions. Oh, and this doesn’t just apply to social media. We have the same issue wherever we have passionate, committed people, such as in information technology.

New Webinar with Kevin Kline: Learning from Data Breaches, a Deeper Dive

I’ve done a follow-on to my webinar with Kevin Kline on Learning from Data Breaches. Here we’ll talk about some specific technologies that come out of the box with SQL Server that you can use, especially to audit activity. A lot of times, detecting the adversary is the hardest step. That’s what this webinar focuses on.

This is scheduled for tomorrow, May 13th, at 11:00 AM Eastern.

Information Link (and registration): https://info.sentryone.com/webinar-learning-from-data-breaches-deeper-dive


New Article: Understanding SQL Server Ownership Chaining

Back in January I gave a presentation to a small group of folks on foundational SQL Server security items. The last thing I covered was the concept of ownership chaining. I was surprised that most in the room weren’t familiar with it and how it worked. That led me to write the following article at MSSQLTips.com:

Understanding SQL Server Ownership Chaining

I’m working on the follow-on article now, which gives practical uses for ownership chaining scenarios. That will hopefully be completed and posted soon.


Upcoming Webinar: Learning from Data Breaches

Recently I partnered up with Kevin Kline (SentryOne blog | twitter) and SentryOne to record a webinar on learning from data breaches. We start by talking about Mitre’s ATT&CK framework. Then we move on to a selected set of data breaches, applying the ATT&CK framework to understand the basic tactics and techniques which were successful in each breach and what mitigation steps could have been taken to prevent the unintended access, or at least make it more difficult. This is the first of a two-part series, so this is an overview of what the issues were, what was done, and how generally accepted security best practices could have made a huge difference.

For the US, the initial presentation will be April 15 at 11:30 AM Eastern. For EMEA, it’ll be April 16 at 11:00 AM Central European Summer Time.

Registration Links:

Webinar Postponement and #SQLPASS group leaders heads up

Yesterday I wrote about three upcoming webinars I’m giving, which you don’t need to be in attendance for. Unfortunately, the one scheduled for next week with Idera and BankDirector has been postponed. I apologize for the scheduling delay. It looks like it should be rescheduled for some time in July.

Also, if you are a PASS user group leader and you haven’t already seen the email, PASS HQ is offering temporary GoToMeeting accounts for groups to be able to hold meetings virtually. There’s an email address you need to send your request into, so please check your email (and spam folder) to see what you need to do to have that account created. This is the direction Midlands PASS is going to go for the month of April.

SQL Server Security and Performance Webinars – March 17 – April 8, 2020 #FlattenTheCurve

In response to the Coronavirus (COVID-19) epidemic, we’re seeing folks react smartly by cancelling or rescheduling events where a large number of folks gather together. We have even seen this with at least one in-person SQL Server-based user group. Midlands PASS is considering canceling for April as well. Instead of canceling or postponing, some conferences have chosen to go all on-line. That’s a great track: you can still get professional development by attending on-line offerings. Along those lines, here are three webinars I’ll be giving over the next few weeks. There will likely be more to come, so check back!


March 17, 2020 2 PM EDT
BankDirector and Idera
Registration Link: https://register.gotowebinar.com/register/8686876738111806477

Protect Your Sensitive Data from the Inside First

Financial organizations handle an immense amount of sensitive data within their databases, and they face significant fines if that data is exposed or breached. The biggest challenge when it comes to cybersecurity risk is that it constantly evolves, as the threats, actors and attacks increase in sophistication. Organizations that prepare for one method of intrusion may find themselves the victim of a different strategy. So how do you ensure that your data assets are protected, not just from external threats, but also from malicious insiders or accidental accesses?

In this webinar led by IDERA, viewers will learn about best practices for putting the proper database controls in place, along with auditing procedures to track user activity within your environment.


March 26, 2020 1 PM EDT
MSSQLTips.com and Quest
Registration Link: https://www.mssqltips.com/sql-server-webcast-signup/?id=814

Why Are My SQL Server Queries So Slow?

Performance is horrible. Users are complaining. Your boss wants to know what’s going on with the SQL Server and what can be done about it. Where do you start? What do you look at? What can you tune? More specifically, what can you tune without touching code?

In this webinar, we’ll look at the entire SQL Server holistically, from the “hardware” allocated to the machine down to individual query plans. We’ll cover what tools are provided out of the box, from Performance Monitor to Query Store, that you can use to spot the bottlenecks on your system. Then we’ll talk about what you can do to alleviate the pain you’re feeling. Will throwing hardware at the problem hide it until you can put a real fix in? Or do you need to roll up your sleeves and rewrite some common, poorly performing queries? What/where is the trade-off? Armed with this knowledge, not only will you be able to identify what’s broken, but you’ll be able to give your organization options on how to fix it.


April 8, 2020 2 PM EDT
PASS DBA Virtual Group
Registration Link: https://dba.pass.org/MeetingDetails.aspx?EventID=15086

What do you need to know to work with SQL Server security properly?

In this talk, we’ll look at the must-knows. We will start with how a person or application connects to SQL Server and the types of authentication SQL Server provides. We will then look at the hierarchical security model SQL Server implements and how this flows down from the server all the way to tables, views, and stored procedures. Afterwards, we will discuss particular security roles which allow access without explicit permissions. Finally, we will look at ownership chaining and how that can also allow a user access to an object because of a reference from a different object.
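The ownership chaining behaviour mentioned in the talk abstract above and in the MSSQLTips article announcement is easiest to see in a scratch database. The following T-SQL is an added example and not code from the post or the article; the users, schemas and table (AppReader, TableOwner, Sales, Finance, Orders) are constructed names, and it assumes you run it as db_owner of a throwaway database.

```sql
-- Added example, not from the post. All names (AppReader, Sales, Finance, TableOwner) are
-- constructed; run in a scratch database where you own everything (db_owner).
CREATE USER AppReader WITHOUT LOGIN;      -- caller that only ever receives EXECUTE, never SELECT
GO
CREATE SCHEMA Sales AUTHORIZATION dbo;    -- schema owner is dbo, so objects in it are owned by dbo
GO
CREATE TABLE Sales.Orders (OrderID int PRIMARY KEY, CardLast4 char(4));
INSERT INTO Sales.Orders VALUES (1, '1234'), (2, '9876');   -- constructed rows
GO
CREATE PROCEDURE Sales.GetOrderCount AS
    SELECT COUNT(*) AS OrderCount FROM Sales.Orders;
GO
GRANT EXECUTE ON Sales.GetOrderCount TO AppReader;
GO
-- 1. Unbroken chain: procedure and table share the owner dbo, so SQL Server does not
--    re-check AppReader's permission on the table. The call succeeds and returns 2.
EXECUTE AS USER = 'AppReader';
EXEC Sales.GetOrderCount;
-- A direct SELECT FROM Sales.Orders here would fail with Msg 229 (permission denied).
REVERT;
GO
-- 2. Broken chain: move the table into a schema with a different owner.
CREATE USER TableOwner WITHOUT LOGIN;
GO
CREATE SCHEMA Finance AUTHORIZATION TableOwner;
GO
ALTER SCHEMA Finance TRANSFER OBJECT::Sales.Orders;   -- Orders is now owned by TableOwner
GO
ALTER PROCEDURE Sales.GetOrderCount AS
    SELECT COUNT(*) AS OrderCount FROM Finance.Orders;
GO
EXECUTE AS USER = 'AppReader';
BEGIN TRY
    EXEC Sales.GetOrderCount;            -- owners differ, so the table permission is checked
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS WhyItFailed;  -- SELECT permission denied on Finance.Orders
END CATCH;
REVERT;
GO
-- 3. Defender's check: cross-database chaining extends this behaviour across databases.
--    It is off by default; list any database where it has been switched on.
SELECT name, is_db_chaining_on FROM sys.databases WHERE is_db_chaining_on = 1;
```

The point for a reviewer is that the grant on the procedure is the only permission AppReader holds; whether the underlying table is reachable depends entirely on who owns it, which is why the owners of procedures and the tables they touch deserve as much review as the grants themselves.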

Cross-Post: Learning From Technology’s Past

Cross-posted from the ISACA Now Blog:

“This is the song that doesn’t end.
Yes it goes on and on, my friends.”

– Lewis, S., “The Song That Never Ends,” Lamb-chop’s Sing Along, Play Along, Norman Martin Music, 1992.

When I think of technological progress, in a lot of cases we are seeing new views and takes on existing ideas. Ideas keep coming back around, just like “The Song That Doesn’t End.”

Take virtualization and cloud computing. Cloud computing often touts a “pay as you go” model where you run cycles on someone else’s hardware. This is the model many an organization ran with for their mainframes and similarly sized computing devices. A classic example applicable to auditors and IT security folks is found in The Cuckoo’s Egg by Clifford Stoll. Stoll happened onto an international intruder due to a small (less than US$1) accounting error on just such a platform. That was in 1986.

As auditors, we can use this to our advantage when coming up to speed on new technology, new techniques or new anything in information technology. The first thing to do is see if we have a re-implementation of an older idea. If we do, then chances are we have a good idea of how to begin auditing that new technology.

Approaching new technology with the mindset of looking for what it is similar to among things we already know accelerates our ability to learn the new technology and provides our organizations with services on said technology. It also reduces a lot of the fear factor for us. After all, the technology implements concepts and ideas we already understand.

Editor’s note: For further insights on this topic, read K. Brian Kelley’s recent Journal article, “Innovation Governance: In Everything New, There Is Plenty of Old,” ISACA® Journal, volume 1, 2020. (ISACA membership required to view the article)
