Speaking Twice on Oct 1, 2013

Carolina Technology Conference:

To start things off, I’ll be speaking in the morning at the Carolina Technology Conference. I have a 40 minute slot from 10:05 – 10:45 AM Eastern. I’m shooting for a 30-35 minute presentation with 5-10 minutes of questions. Here’s the information on the talk:

Building a Secure Infrastructure for Database Servers

In warfare, understanding your enemy is a supreme advantage. The same is true when it comes to protecting a modern database platform. We’ll get into the mindset of an attacker, looking at the methods and techniques attackers use to go after SQL Server. Once we understand the threats, we’ll then examine defensive techniques to secure and protect your data (and not just your servers), using both new and creative methods, as well as the tried and true.

For instance, end databases are only one part of the overall Extract, Transform, Load (ETL) pipeline for most organizations. As recent, successful attacks have shown, attackers are now looking at other areas to steal your data. I will walk you through common scenarios and examine the various points an attacker may target, how those points can be attacked, and what you can do to secure them. We’ll look at the whole implementation, from the source system which originates the data all the way through to the database backups.

PASS DBA Fundamentals Virtual Chapter:

During the lunch period here on the East Coast of the USA I’ll be giving a webinar for the DBA Fundamentals virtual chapter. That will be at 12 noon Eastern, 11 AM Central. This will be via LiveMeeting. Here’s the information on the talk:

 What You Absolutely Must Know about SQL Server Security

Data security breaches are in the news regularly. In many cases, these breaches are due to poor or incomplete security configurations. In this session we’ll look at the basic Microsoft SQL Server security model and what you need to look at for your own system. We’ll cover the top things to check both inside and outside of SQL Server to lock down your databases while still providing the access your users need. Finally, we’ll also talk about what you should be auditing regularly to ensure your SQL Server stays secured.

Installing SQL Server 2008 on a machine with .NET Framework 4.0? Read this.

The SQL Server Premier Field Engineer blog has a post about an issue with installing SQL Server 2008 on a system where the .NET Framework 4.0 is already installed:

 SecurityException / ‘The process was terminated’ errors installing SQL 2008 when .Net Framework 4.0 is installed

The first workaround is probably the easiest for most folks, which is to copy the install files locally and then perform the install. This isn’t a SQL Server problem, per se, as the blog post indicates. Rather, it’s due to the tightening down of some security in .NET.

PASS BoD: I’m voting for Allen Kinsel

There are some very good names up for this year’s PASS Board of Directors. However, I wanted to write a post about one guy in particular: Allen Kinsel. Why Allen?

Allen is “Good People:”

That’s a saying we have in the South when we describe someone we respect and admire. Every opportunity when I’ve been able to work with Allen (and every opportunity has been tied to PASS), I’ve been impressed with:

  • His professionalism towards the task at hand and the people involved.
  • His passion to see PASS succeed.
  • His willingness and desire to work with others.
  • His sound judgment on difficult decisions that someone must make.

Allen Gets the Pain Points:

The first key goal Allen lists is this one:

 Prioritizing and investing more dollars in PASS IT to improve our member-used systems.

As a chapter leader, a PASS volunteer, and a SQL Saturday organizer, I can attest first hand that the PASS IT infrastructure is in great need of some attention and tender loving care. The folks working IT do a lot. They work hard. They’ve made some wise choices, like choosing to go to Office365 rather than maintaining their own Exchange environment. Think about the hours they freed up not supporting Exchange any more. However, I bet they could do even more for us if we could get some more attention to the IT side of things. Allen wants to do just that. That benefits all of us.

Allen Has Experience with PASS Like Few Others:

Visit Allen’s candidate page. Then click the link under his picture for his application. Allen has been serving PASS for almost 10 years. He does an outstanding job, which is why he received the PASSion Award in 2009. He has been on the BoD before. Allen knows how to do the job, can do the job, has the experience for the job, and the passion for the job. I can’t say that about any other candidate, as good as they are. That’s a key reason Allen stands out to me.

Allen Has a Vision to Grow the Community:

Look at Allen’s other two top goals:

  • Making an additional IT investment to bring PASS’s membership roster up-to-date.
  • Convincing the Board to implement committees that mirror the current portfolios.

The fact of the matter is that a lot of folks ask the question, “What’s in it for me?” They join organizations that they perceive as valuable to their goals, their current situation, and their future. Allen wants to increase the value of PASS to its members. I understand that there are no specifics behind that phrase “increase value” because getting specifics has been a hard thing for some time now. I’m sure one of the reasons is because PASS can’t say, “We are certain we have X members,” to which another organization could say, “Great, you qualify for this discount, or we’ll offer this to your members for free.” So getting a hold of accurate membership numbers is key.

Another thing I see is that Allen wants to develop more leaders in the community. That’s the last of the big three. He wants to get committees going under each focus area. As someone who tried to break in and do something that was:

  • Not a transitory task like the program selection committee.
  • Above the local chapter level.
  • Not a regional mentor slot.
  • Not something that required being a member of the Board of Directors.

I found that there wasn’t anything along these lines earlier this year when I asked. So long-term volunteer commitments to PASS above the chapter level were a gap. Allen is looking to fill that gap. That gives us more opportunities to serve and grow. It increases the “warm bodies” that can help move PASS forward. As I have said already, Allen gets it.

Allen Gets My Vote:

As I said, there are other good candidates for the BoD. However, I can’t articulate why I am going to vote for the other candidates on my list like I can Allen. That says something great about Allen. When Allen said he was running, it was a no brainer for me. I’m definitely voting for Allen. If you don’t know much about Allen, I’m not surprised because he does a lot of things for PASS out of the limelight. However, I’d urge you to go check out Allen’s credentials, correspond with him, and make your own call about whether he’s worthy of your vote. I think he’ll stand up to the test.

Don’t Rush When It Comes to Privacy Data

The Dataloss list sent the following article through yesterday afternoon:

 Obamacare Employee Accidentally Sends Out 2,400 Social Security Numbers

This is concerning, but I hate to say it, not unexpected. We know that the weakest link in security is always people. Likely a worker was trying to be helpful and didn’t think. As a result, an email with an Excel spreadsheet full of names and Social Security Numbers was sent out.

What was concerning is that this should have been picked up by any decent Data Loss Prevention (DLP) solution. It sounds like such a solution, even though we’re dealing with privacy data, isn’t in place. Perhaps it is in place but not configured correctly. This isn’t surprising given these quotes from the article:

 “Users of the exchange will need to provide sensitive information, including Social Security numbers, that will be sent to a federal hub to verify such things as citizenship and household income….

“All states and the federal government, which also is setting up exchanges for some states, are scurrying to get the complex system running in less than three weeks.

“‘The people who believe in this are so driven that there’s a subcontext of “Just let us do our job and get as many people signed up as possible, and we’ll pick up the debris later,”’ said Steve Parente, a University of Minnesota finance professor who specializes in health IT issues.

“Parente testified on Capitol Hill earlier this week, urging caution in pushing the federal hub online before it has been thoroughly tested.

I obviously can’t validate the truthfulness of these quotes. That’s not my point. Instead, I want to point out what we see too often with regards to deployments. Most IT folks, especially IT security folks, have seen implementations pushed through before they’re fully vetted. Obviously, there are differing levels of risk depending on what the implementation does. When it comes to privacy data, however, there should be a measured and thoughtful process for deployment that includes testing the system properly. Too often we see data exposed, especially privacy data, because a suit somewhere wanted a system implemented and the staff to “pick up the debris later.” In other words, we see quotes like this often across a multitude of systems. So long as this “full speed ahead” attitude is the majority one for decision makers, and so long as this is generally accepted by the customers of those decision makers, we will continue to see these kinds of leaks.

After all, it’s near impossible to tighten everything down as it is in a properly tested system. We always have to deal with the human element. Then there’s the unknown, such as a bug in the code that no one uncovered during standard user acceptance testing (which is why fuzzing has become more popular over the years). When we accelerate implementation at the cost of testing and other detail-oriented tasks, we should expect even more breaches. Given that we can’t avoid sharing this sensitive data in order to get services, we’ve got to push back against this “implement now” attitude. The truth of it is that as IT workers, we typically have little clout. The reason we have little clout is because a decision maker is going to say, “The customers want this now!” Therefore, as customers, we have to push back and say, “We want this, but only when you’ve done your due diligence in tightening the bolts properly.”

Database DoS Whitepaper from Securosis

Securosis has released a whitepaper on their research with regards to database denial-of-service attacks. This whitepaper is platform agnostic. It does mention specific vulnerabilities that have been exposed and attacked with respect to database platform, but only to the extent that they show it’s a universal problem.

One of the things the whitepaper covers are some potential ideas for attacks. For instance, adding a few thousand items to a shopping cart, then adding a few items and refreshing in a repetitive cycle. The refresh causes stock to be rechecked meaning the DB is hit. With such a large shopping cart you get locking and blocking and if you have enough clients, you can get the DB to stall, thereby bringing down the app. It also considers some of the available countermeasures.

All in all, it’s a high level document that should prompt DB pros to think about how to protect the DB, especially if availability is important (when isn’t it?) and if unavailability costs the organization money.


Dealing with Database Denial of Service whitepaper

Why Government Required Backdoors Are a Bad Idea

I’ve heard the argument, “I’ve got nothing to hide. If it helps them catch the next guy, I’m all for it.” Even if that’s 100% true and even if every single person in government with access to the data is 100% genuine and sincere in doing his or her job, here are four issues that position misses.

The Bad Guys (Cyber Crime) Have Smart People

We know there are smart folks working for cyber criminals. Not all the folks working for them are smart. However, money is a powerful motivator and that does attract some very smart individuals. In some jurisdictions, criminal hacking activity is worn like a badge of honor and can get a person out of poverty. It’s the same idea as why the drug culture is celebrated by some.

What the government is betting on, even if unintentionally, is that the bad guys aren’t smart enough to find and exploit the same back doors. This is a bad assumption. We already see evidence that some of the malware exploits we see are very sophisticated. It’s been assumed that there are backdoors. However, dedicating resources towards an assumption means pulling resources from what should be a sure thing for something that may not exist. As more and more stories come forward that say the backdoors are definitely there, it’s now about assigning more resources towards what should be a bigger sure thing, and one that cannot be stopped.

Consider what we use computer systems for now. You might not have anything to hide from the government. However, do you want your banking login, your credit card number, etc., swiped by a criminal?

The Bad Guys (Cyber Crime) Can Get Lucky

The government is also betting that the bad guys won’t “get lucky” and happen onto the backdoor and break it. Sometimes security vulnerabilities and bugs are found through a slightly uncommon use of a resource. All it takes is one of these and the backdoor is revealed and the criminals are in. And once they are in, they’ve got access to whatever you do on your computer.

Nation State Actors Can Allocate Nearly Unlimited Resources

A nation state actor can pull the code and decompile it and put a team of folks on the code to analyze it. They can take apart hardware components and, again, allocate a team, to figure out how it all works. If they suspect there’s a backdoor, then that team will be looking for said backdoor. And nation state actors can put their own smart people on these teams. This has an appeal that cyber criminals can’t generate – patriotism for one’s nation when one isn’t motivated by the money a cyber criminal can offer.

Why would they target a regular user? They could, to provide a hop from inside the right country. They could, to get info on or access to somebody you do know.

Someone Could Decide to Sell Secrets

Fuchs provided information to the USSR from the British and American Manhattan projects. The Walkers provided classified information for years. A nation state actor can offer some big bucks. They can offer sex and drugs and appeal to other vices. That’s why our intelligence folks constantly run counter-espionage stings. Would they run such activities if there was never anyone to catch? Exactly.

Folks who are responsible for building the backdoors, or who are knowledgeable about how they work or where they are, can be turned, and then the backdoor is no longer a secret. BTW, it doesn’t just have to be a nation state actor. Organized crime has done this, too.

So given these four issues, government required backdoors are a risk to everyone’s security. I can understand the mentality that leads to thinking it’s a good idea. It becomes a type of tunnel vision that filters out the possible negative impacts. Even if you are of the mindset that you have nothing to hide (from the government), you still don’t want those backdoors. And when you consider that the backdoors have been reported in encryption mechanisms as well, it’s just bad all around. That’s why security folks are making such a big deal out of all of this. Yes, we kind of shake our heads and go, “It was inevitable,” however, that doesn’t mean we have to like it or approve of it.

Sometimes I don’t understand Microsoft’s vulnerability classifications

Here’s a great example:

MS13-079 – Vulnerability in Active Directory Could Allow Denial of Service (2853587)

Basically, this patches a vulnerability where an attacker can send a specially crafted LDAP query to an Active Directory domain controller and cause the LDAP service to fail. Here’s the attack scenario I see:

  1. Start or gain control on a domain connected system.
  2. Query DNS for list of DCs.
  3. Send crafted LDAP query to all DCs, thereby dropping LDAP service on all DCs.

Since communicating with Active Directory requires LDAP and you can effectively DoS the AD infrastructure, this isn’t a small issue. I’m assuming it’s not rated critical because:

  • It was a privately reported vulnerability.
  • There is no public exploit yet.
  • There is no attack in the wild, targeted or otherwise, yet.
  • It’s not easy to craft the exploit. (I hope this is the case).

However, I would still think this should have been rated critical given the impact if exploited.

Good Advice on “Certification”

Buck Woody (blog | twitter) is often seen as one of the wise men of the SQL Server community and with good reason: he often brings a perspective filled with great wisdom. Take for instance, his post to the MCM news:

 Create your own MCM program – Learning to Learn

Buck’s point is that “certification isn’t required to learn” and that learning is the key. Experience has shown he’s right. Many IT folks who are high up in their careers aren’t carrying certifications and it doesn’t seem to hurt them. Folks aren’t coming to them asking them if they have this certification or that certification. The reason is because they have demonstrated expertise in their subject areas. You only get this through learning. Having a certification, at least one that isn’t a “pinnacle certification,” isn’t a guarantee that someone has those skills.

Certifications should be testing skills, which is Steve’s point, and Steve also points out that it doesn’t seem like the certifications are doing that. The gist of both posts is that you want to develop your skills. Therefore, that should be the focus of any IT professional who wants to improve his or her position. As you improve your skills, certainly attempt the appropriate certifications. So how do you get there? That’s what Buck’s post is all about.

Is Microsoft’s Certification Program Value Microsoft’s Fault?

I’d be interested if anyone says, “No,” to that question. Gail Shaw raised a few points in this post about trust and value in Microsoft’s certification brand. Having been on the hiring side in recent years, I’d have to agree with the general sentiment that a Microsoft certification does not show competency in a candidate. The pinnacle exams, MCM/MCSM and MCA, were the exceptions. With the MCM/MCSM you had to pass a lab exam. In other words, you had to put your expertise to the test. The MCA, well, that’s a whole different animal. To earn an MCA, you must first submit evidence that you have the needed expertise and then you have to go in front of a review board. If that sounds like defending a college dissertation, that’s what it sounds like to me. In other words, you can’t cheat to get those certifications. Now they are gone.

So that raises the question, “Why do Microsoft certifications have so little value in the eyes of the community?”

The Testing Method Doesn’t Do a Good Job of Discouraging Cheating

I last took a Microsoft exam at the end of 1999. By then, braindump sites and the candidates using braindumps to pass had become rampant. Microsoft tried to go into “shut down the braindumps” mode but really, this is an impractical strategy. If we can’t shut down criminals stealing banks and people blind, trying to kill braindump sites is even more impossible. Then they tried to add simulations to the mix. However, if folks are still requesting braindumps in 2013 (see Gail’s post), then obviously the techniques that are being used are not sufficient.

The question that raises in my mind is why is Microsoft the one with such an impugned reputation when we know this is an issue with other certs, too? It’s probably because if you’re reading this, you’re more in the Microsoft community than the others. I know this sort of discussion happens on the Cisco side and I’ve seen posts to indicate that “if you use a braindump to pass your A+ you violate…” so it’s not just Microsoft. The truth of the matter is that as long as there are certifications, there are going to be people who will cheat to get them.

What about Boot Camps?

I personally don’t like boot camps. When I see a boot camp for a week long MCITP: Enterprise Admin certification, I just shake my head. To be a solid Active Directory administrator takes years. I’m not sorry that it does. When you look at what AD does, I don’t see how you can develop the skills in one short week. It took me nearly 18 months to train my replacement so I could move back over to be a DBA. He was already an experienced AD admin, just not to the level of the organization we were working in. So is it doable in one week? No.

Again, is this just a Microsoft issue? No, it’s not. I’ve seen Cisco boot camps offered for years. Same with Oracle. Again, as long as there are certifications there will be folks looking to take a shortcut, if not outright cheat (and I’m defining cheating as anything that would violate the agreement you commit to for taking the exam(s) and becoming certified).

So What’s Microsoft’s Problem?

I think there are three. The first problem is the absolute mess Microsoft has made with certification names. For instance, these used to be the certs with the last two being the top level certifications:

  • Microsoft Certified Professional (MCP)
  • Microsoft Certified Systems Engineer (MCSE)
  • Microsoft Certified Solutions Developer (MCSD)

They added Microsoft Certified Database Administrator (MCDBA) to the list because no one wanted confusion between a Systems Engineer (operating system) and a DBA or between a developer and a DBA. That made sense. If we had just stayed with that, I think we would be in better shape. But Microsoft is always tinkering in a space where you need to build a long-term brand. In other words, tinkering with names and the meaning of names is very, very bad. How have they tinkered? One example is evident when the “plus” certifications are added to the list:

  • MCSE+I (plus Internet)
  • MCSE+SB (plus Site Building)
  • MCP+SB

Note, when I say added, I’m not speaking of timelines. I am simply speaking of the fact that these were “plus” certs. And then Microsoft came along and scrapped the MCDBA, MCSD, and MCSE. They went with:

  • Microsoft Technology Associate (MTA)
  • Microsoft Certified Technology Specialist (MCTS)
  • Microsoft Certified Information Technology Professional (MCITP)
  • Microsoft Certified Application Developer (MCAD)

These are generic names. Only the last one tells you anything about what the individual does. By looking at the names, can you tell which is a higher level certification? Not unless you do some research and even then it may not be perfectly clear. And while the MCSD and MCSE had some recognition because they had been around a while, I talk to HR professionals and recruiters regularly who don’t know these 4. Or if they do know these 4, they only know they are Microsoft certifications but don’t know what any of them mean. This reveals problem #2. The new certifications haven’t been marketed well and they don’t tell the story for a candidate.

I think Microsoft realized that, and so we’re now back to MCSD and MCSE. Only they mean something totally different. If you tell me you’re an MCSE now, you could be one for Business Intelligence. That’s because MCSE now stands for Microsoft Certified Solutions Expert. It’s an obvious play on the well known acronym that gets a candidate through a recruiter’s filter. Unfortunately, it now means that’s a generic certification. This just devalues the MCSE. Also, it serves to anger those of us who earned the MCSE as a Systems Engineer. At least MCSD still refers to development.

So what’s the third problem? I mentioned it at the beginning.

A Lack of Trust

I think Gail hits the nail on the head when she points out that if Microsoft does roll out a new pinnacle certification in six months that folks are going to be wary. At least in some part, folks get a certification to make themselves more marketable, to give them the ability to find another job quicker if they want to or have to do so. However, when you see what Microsoft has done with the certifications over the years, when they up and cancel their pinnacle certifications without notice, you start to get a sense that there is no long term plan with regards to Microsoft certification. That may be untrue. There may be. However, my USAF days taught me this maxim, “If there’s a perception of a problem, there’s a problem.” And there’s definitely the perception that it’s all a flail-fest (you could call it a fail-fest, too, I guess). Why should I go for a certification with Microsoft when I can’t expect that they will be pushing that certification a year from now, much less three years from now?

Also, there’s a lack of trust in what skills the exam actually measures. Gail points out that she passed an exam with a technology focus that should have required experience with skills she had no experience in. Gail doesn’t cheat. So when someone who doesn’t cheat can pass an exam in technologies she has never worked with, how can you trust the exams? That’s an easy one: you can’t. I can speak from experience with Security+, seen as an entry level certification, that I had to know Kerberos and cryptography well. It was a good thing I took it *after* being an AD and security architect for 3-4 years. This is just one area of several where I saw some pretty detailed knowledge and understanding being required in regards to security. And now CompTIA has gone to a recertification process for any of their exams. Why did CompTIA change for new candidates? They wanted to increase the validity and trust in their exams. They wanted to increase the validity and trust for what is seen as an entry level certification. By the way, if you want to see what the exam objectives for that entry level certification are, here you go. Here’s an important question: Do you see Microsoft putting a similar level of effort into making their exams more valid and trustworthy?

In Summary

When you look at all of those factors, they’re all within Microsoft’s control. Microsoft has to fix them and it’s going to take a long time. That requires a long term plan. I hope they have one, because otherwise, Microsoft certifications are going to continue to not see the traction Microsoft wants.

Good Intro Podcast on Hadoop

Have you heard about Hadoop but don’t know much about it? What about “big data?” Would you like an intro at the 20,000 foot level that won’t take more than an hour of your time?

Jeremiah Peschka (blog | twitter) was recently on .NET Rocks, a podcast that publishes twice a week which focuses mainly on technologies of interest to Microsoft-centric developers. You can find his talk here:

Show 898 – Big Data with Hadoop with Jeremiah Peschka

If you’re not familiar with .NET Rocks, they’ve recently crossed over 900 shows and are on their way to show #1,000. I’ve listened to the podcast on and off for years and have always gotten a lot out of it. If you haven’t listened to it, it’s worth giving a shot.