July 2019 – New Microsoft security update for Spectre variant

If you remember the flurry of news from the beginning of 2018 about side channel attacks called Spectre and Meltdown, Microsoft has included in its July update a patch for a newly discovered Spectre variant 1 attack method. According to Microsoft’s revision announcement, this one does not require a microcode update. Definitely check the security bulletin for the OSes you handle, because there are some known issues.


New Security Update for SQL Server in July 2019 Patches

It doesn’t look like this would affect SQL Server 2008 or SQL Server 2008 R2 since the earliest reported platform is SQL Server 2014, but in Microsoft’s release of patches today, SQL Server is included. Here’s the vulnerability:

CVE-2019-1068 | Microsoft SQL Server Remote Code Execution Vulnerability

It’s a remote code exploit, but the attacker has to be connected to SQL Server because the vulnerability can only be exploited using a specially crafted query. The code would execute in the context of the database engine service account (hopefully not configured to run with administrative rights on the server or elevated rights in Active Directory).

The Microsoft security announcement is here (this is the SQL Server 2014 GDR link; there are other links for other configurations):

Description of the security update for SQL Server 2014 SP3 GDR: July 9, 2019
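As an added example (not from the post or from Microsoft's advisory), here are the T-SQL checks I would run on each instance to decide whether CVE-2019-1068 matters for it: what build is installed (compare against the KB for your branch, since the fixed build numbers differ between GDR and CU and are deliberately not hard-coded), which account the Database Engine runs as (that is the account the crafted query would execute under), and which logins are enabled at all, because the attacker must first be connected. The DBAtools-style thresholds for a "review" verdict are my assumptions.

```sql
-- 1. Patch level: compare ProductVersion / ProductUpdateReference against the July 2019 KB
--    for your servicing branch (GDR vs CU). Nothing is hard-coded here on purpose.
SELECT
    SERVERPROPERTY('ProductVersion')         AS ProductVersion,          -- e.g. 12.0.x for SQL Server 2014
    SERVERPROPERTY('ProductLevel')           AS ProductLevel,            -- RTM / SPn
    SERVERPROPERTY('ProductUpdateLevel')     AS ProductUpdateLevel,      -- CUn or NULL on a GDR build
    SERVERPROPERTY('ProductUpdateReference') AS ProductUpdateReference,  -- KB number of the last update applied
    SERVERPROPERTY('Edition')                AS Edition;

-- 2. Service account: the exploit code runs in this context, so a built-in account with broad
--    local rights (LocalSystem, NT AUTHORITY\...) is worth flagging. A per-service virtual account
--    (NT Service\MSSQLSERVER) or a dedicated low-privilege domain account is the usual recommendation.
SELECT
    servicename,
    service_account,
    CASE
        WHEN service_account = N'LocalSystem'
          OR service_account LIKE N'NT AUTHORITY\%'
            THEN 'REVIEW: built-in account with broad local rights'
        ELSE 'OK here; still confirm it is not in local Administrators or privileged AD groups'
    END AS assessment
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server (%';   -- engine service only, not Agent / Full-text

-- 3. Who can connect and send a query: enabled SQL logins, Windows logins and Windows groups.
--    Every row is a principal that could, in principle, submit the crafted query.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
  AND is_disabled = 0
  AND name NOT LIKE '##%'          -- skip certificate-based internal logins
ORDER BY type_desc, name;
```

Run the first query on every instance you own and keep the results; an unpatched SQL Server 2014 or later with a LocalSystem engine account and a long list of enabled logins is the combination to fix first.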

Why do I mention SQL Server 2008 / 2008 R2? That’s because those versions are no longer under Extended Support and will not receive security updates. If you haven’t migrated, I’ve written an article at Simple Talk talking about your options.

Guidance on Moving Off of SQL Server 2008 and 2008 R2

July 9, 2019 will be here soon. With it comes the end of support, including security updates for SQL Server 2008 and SQL Server 2008 R2 unless you either migrate to Azure or enter into an agreement program with Microsoft. I know quite a few folks are facing this situation, so I wrote a guide covering why to migrate (other than regulatory) as well as what to do if you can’t, over at Simple Talk: The End of SQL Server 2008 and 2008 R2 Extended Support.

Amazon’s Concept of Ownership and Technical Debt

I’m reading Think Like Amazon: 50 1/2 Ideas to Become a Digital Leader. In talking about Amazon’s pursuit of a second headquarters, John Rossman wrote the following regarding ownership:

Amazon’s second leadership principle is “Ownership,” by which leaders at Amazon strive to never sacrifice long-term value for short-term results.

Where I think this is appropriate is the issue of technical debt. Technical debt is when we choose a less efficient approach for expediency or where we have a situation where some aspect of our system needs an update. This can occur, for instance, as a particular software product we depend on is about to move into Extended Support or move out of support altogether.

Too often I’ve heard there is too much focus on features and new functionality. However, when this selection is done at the expense of paying down technical debt, we are sacrificing long-term value for short-term results. Technical debt carries with it the same concept as monetary debt. There’s an interest rate for technical debt. It may be in how long it takes folks to do some task. It could be in the additional cost to support a product. It could be that the organization is less responsive to change because the technical debt becomes a roadblock for moving forward. As a result, teams start using workarounds just to move forward, which incurs more technical debt. At some point, we have to address that technical debt to reduce what we’re paying in interest.

As an architect, I’m always going to push for this concept of ownership. We can look at the success of organizations like Amazon, Toyota, etc. which take ownership seriously. That track record is my justification for focusing on long-term value.

#tsql2sday – A Letter to My 20 Year-Old Self

Self,

I am writing this to you in my mid 40s. I know when I was 20, I wasn’t thinking about 30, much less 40. Here’s some advice I’d give you to learn from.

You’re going to have some doors close that you think should be open. That’s okay. When those doors close, others will open. You will be in ministry, but not full time. Again, this is okay. You will still be in IT. This is how you will be able to do what you do in ministry. Remember, we don’t live to work. We work to live.

Keep being eager to learn. At 45 you are not focused in any one technology area. You often joke that you haven’t been able to figure out what you want to be when you grow up. However, your myriad of skill sets is what allows you to do what you do. As an architect, being well-rounded is key. That’s true of IT in general.

Make peace with leaving the military. It’s not your path. Yes, you will always have a longing to be back. It’s one of those doors that will close. Take what you have learned from your time on Active Duty and apply them in the civilian world. It’s not good to live in the past. Rather, move forward into the challenges of the present for a more exciting future.

Work on your soft skills. You can’t fall back on the excuse of being an extreme introvert. You’re also going to find plenty of validation supporting you being the way you are. However, that doesn’t mean the people you need to influence are going to see your viewpoint unless you can have empathy enough to understand theirs.

Learn to balance your time between work and life outside of work. Work will always ask for more and more and more. You are going to be forced into the position where you will be Choosing to Cheat either work or family. Choose to be faithful to your family first.

That’s a good enough set of action items. Carry them out. Enjoy the journey as you do. And don’t forget to celebrate the wins, especially the wins of people around you.

Basic SQL Server Configuration Help for Involuntary DBAs

After my presentation at the Techno Security and Digital Forensics conference, I had an information security professional stop by to ask a few questions. He’s in the position where he supports other clients since he works in a third-party security operations center (SOC). The reason most of these clients pay for a SOC instead of developing one of their own is cost. Since they don’t have the money to splurge on a lot of IT positions, another one that’s usually missing is the DBA.

Oftentimes, as a SOC provider, when they interact with clients they can tell fairly quickly that the SQL Servers aren’t configured well. However, they don’t have the knowledge to go in and help their clients in a quick and easy way. He asked for advice. I pointed him to something that we have in our community: sp_Blitz. It’s part of the First Responder Toolkit from Brent Ozar.

Why did I recommend that particular tool? There are several reasons:

  1. It’s designed to provide a quick health check of your SQL Server.
  2. It’s a free tool (yes, you have to register), meaning budget isn’t an issue.
  3. The community has worked on and contributed to it.
  4. It provides explanations and recommendations on how to fix what’s wrong.

For someone such as an involuntary DBA or a consultant trying to assist a client when that’s not your primary skill set, it lets you make solid recommendations immediately that will improve the SQL Server setup. And it’s not hard to set up and run.

If you haven’t looked at this tool before, grab it, put into a non-prod environment, and see if it can help you.
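As an added example (my own script, not part of the First Responder Kit), this is how I would have a SOC analyst run sp_Blitz on a client instance and pull out just the findings they care about. It assumes sp_Blitz is already installed in master, that a DBAtools database exists to receive the output, and that the output table columns (CheckDate, Priority, FindingsGroup, Finding, DatabaseName, Details, URL) match the kit's documentation for the version in use.

```sql
-- Run the health check and have sp_Blitz write its results to a table instead of the grid,
-- so the analyst can hand the client a filtered list rather than several hundred rows.
EXEC master.dbo.sp_Blitz
    @CheckUserDatabaseObjects = 0,   -- skip per-database object checks on the first pass (faster)
    @CheckServerInfo          = 1,   -- include server inventory rows (memory, CPU, instance settings)
    @OutputDatabaseName       = N'DBAtools',
    @OutputSchemaName         = N'dbo',
    @OutputTableName          = N'BlitzResults';

-- Most recent run only, most urgent items first. sp_Blitz uses low Priority numbers for things
-- that need attention soon, so Priority <= 50 is a reasonable "fix these first" cut-off.
SELECT Priority, FindingsGroup, Finding, DatabaseName, Details, URL
FROM DBAtools.dbo.BlitzResults
WHERE CheckDate = (SELECT MAX(CheckDate) FROM DBAtools.dbo.BlitzResults)
  AND Priority <= 50
ORDER BY Priority, FindingsGroup, Finding;

-- For the SOC: only the Security group (sysadmin membership, xp_cmdshell, risky settings, etc.).
-- The URL column links to the explanation and recommended fix for each finding.
SELECT Priority, Finding, DatabaseName, Details, URL
FROM DBAtools.dbo.BlitzResults
WHERE CheckDate = (SELECT MAX(CheckDate) FROM DBAtools.dbo.BlitzResults)
  AND FindingsGroup = N'Security'
ORDER BY Priority, Finding;
```

Rerun the same script after the client applies the recommendations and diff the two CheckDate batches to show what actually changed.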

Mitre’s ATT&CK Security Framework

Mitre’s ATT&CK security framework was mentioned often at the Techno Security and Digital Forensics Conference. I admit that I’m not well-versed on it, yet. However, its purpose makes sense. It’s a knowledge base for Adversarial Tactics, Techniques, and Common Knowledge, which is what the acronym ATT&CK stands for. Mitre created a short video to explain ATT&CK and why it was created:

An example of how ATT&CK is a common body of knowledge which folks are striving to keep up-to-date is with respect to identified threat groups. As of this post there is information available about 86 groups, mainly nation state actors.

One of the things I try to do in my security presentations is help folks stop thinking in just what they’re good at. For instance, in my How I Would Hack SQL Server, I point out that as an attacker, going directly against SQL Server is an option of last resort. It’s much easier to find the data I care about on a file share, an Excel spreadsheet, or some other less secure spot. Compromising accounts and then using those accounts is the easier and safer road to success. What ATT&CK details is what attackers do. Therefore, if you’re in charge of security systems or applications, looking over the ATT&CK framework will help you look at your systems more as an attacker would.
