The Fallacy of Internal Access Only

In the wake of Shellshock, I’ve seen some vendor advisories indicate that while their product is vulnerable, the exposure is only through the management interface, and that everything is okay because, if best practices have been followed, the management interface hasn’t been exposed to the Internet.

No, everything is not okay. If best practices have been followed, then management interfaces have been locked down to particular IP addresses, not to every internal IP. Even then, that is still no guarantee that everything is okay.

Given how prevalent phishing attacks are as a way to get a foothold inside the network, and how often they succeed, you should expect an attack from the inside at some point. Gone are the days when we honestly felt we could keep the bad guys out. Now we know they will get in, and it’s a matter of detection and remediation, the faster the better. The game has changed from keeping them out to keeping them from getting anything useful once they are in. Since that’s the way the game is played now, responses like the ones I’ve been seeing are worrisome. They show that the vendors in question don’t understand that the game has changed: an unpatched management interface reachable from the internal network is exactly the kind of target a phished workstation will be used to reach.


Four Things PASS gets Right

PASS has taken a lot of heat recently. A few folks have pointed out that you only seem to hear about it when people are upset at PASS about something. So here’s my take on what PASS has done correctly.

The Summit

The Summit is a premier conference for SQL Server professionals. How do I know? Watch all the griping when speaker announcements are made. A lot of folks want to speak at the conference because they perceive it to have a lot of value. A lot of folks attend the conference because they perceive it to have a lot of value. A lot of value + financially affordable to PASS = premier conference.

Virtual Chapters

Virtual Chapters are awesome. Look at how many there are and how much FREE training they provide to the community. Yes, they are staffed by volunteers, however, they are still under the PASS umbrella.

Chapter Tools

First, there’s the free web hosting. It’s been around for a while. Yes, it’s DotNetNuke, but the templates are simple and workable for a chapter.

Second, there is the automated mailing. This allows a chapter leader to get the news out without having to go to MailChimp or some other resource. Also, as folks sign up at the chapter website, they are automatically added to the distribution list. Easy all around.

Third, PASS has built the integrated events module. You set up the event details under the PASS Chapter tools and, if your website is configured, the details automatically appear on your chapter homepage. In addition, the event details appear in the PASS master list of events. You don’t have to go to multiple places to get the word out.

The 24 Hours of PASS

More FREE training. And if you can’t stay around for the whole 24 hours, don’t worry, sessions are recorded and eventually available online.

[Off-Topic] Beating Childhood Cancer

Note: I feel this post is important enough to post across all my blogs.

September is Childhood Cancer Awareness Month here in the USA. Here are some statistics:

  • In 2014, an estimated 15,780 children (ages 0-19) will be diagnosed with cancer in the USA.
  • In 2014, an estimated 1,960 will die of cancer here in the United States.
  • That averages to between 5 and 6 children dying of cancer every day, just here in the United States.

There’s a lot of talk about “surviving” cancer, meaning you hit the 5 year mark after diagnosis. That’s a misleading statistic, as I’m about to explain. Here are some more statistics:

  • 12% of children diagnosed with cancer do not survive (don’t make it to the 5 year point).
  • The average age of diagnosis is six years-old.
  • With current treatments, 60% of childhood cancer survivors suffer after-effects.

Campbell’s Story:

A more comprehensive telling of Cam’s story can be found on this blog and on this Facebook group. Here’s the short version: Cam was diagnosed with cancer when she was 3 years old. She beat it. However, certain symptoms came back, which led to re-checks. The cancer had come back. Despite all efforts, including experimental treatments, Campbell died from cancer. Technically, she is a survivor, because she made it past five years (5 years, 2 days). However, Campbell is no longer with us. Therefore, the statistics stating 12% of diagnosed children die of childhood cancer should be higher.

If you do the math, Campbell died at eight years old. She passed away despite heroic efforts from donors to cover expenses and lobby her insurance carrier to cover the experimental treatments, medical personnel performing everything they could do (numerous brain surgeries, clinical trials, experimental treatments), positive thoughts and prayers, and even celebrities taking the time to make some of her wishes come true.

How do I know about Campbell? Campbell’s dad is a Citadel classmate of mine. Because of Campbell’s fight, I became more educated on childhood cancer. Childhood cancer is the leading disease cause of death in children. Every form of childhood cancer we can find a cure for means more bright, young lives saved. Furthermore, given how much damage current treatments do, we need better treatments for survivors. All of this requires research. Research requires funding. As a result, I’m trying to raise awareness about it now.

What We Can Do:

I don’t believe in issuing challenges. If this touches you enough to give, then please do. If not, I realize there are many excellent causes and efforts out there. Please try to give something to one or more that have meaning to you. Here’s what Cam’s family specifically asked for, because this puts research dollars forward for the doctors who were treating Cam and her particular form of cancer. You can mail donations to:

Weill Cornell Medical College with GREENFIELD Ependymoma Research in the memo field.

The mailing address:

Ana Ignat
Department Administrator
525 East 68th St, Box 99
New York, NY 10068

Or you could choose another childhood cancer charity/research fund. If you do, please check with a site like Charity Navigator to see how efficiently that charity uses the donations it receives. I know that particular charities in the past have sounded great but when you do the research… not so much. That’ll help you ensure that more of your donated money goes to research.

Audit Webinar Tomorrow (4 September 2014)

I will be giving a webinar on how to audit SQL Server through MSSQLTips.com.

Webinar Registration Link

The abstract:

Don’t become a statistic. With the numerous data breaches and internal data theft, securing your SQL Server environment can help keep your company out of the news. Unfortunately, a single SQL Server configuration, coding technique or operational practice in your environment can put you at risk. Now is the time to be proactive for your own peace of mind or prepare for your organization’s next formal SQL Server audit. This session will provide key scripts and reports to build your SQL Server auditing checklist.

In this session you will learn about the following topics:

  • Permissions – Elevated permissions for logins at the instance and database level
  • Logins – Creation and modification of logins as well as failed login attempts
  • Operations – Out of cycle backups, phantom SQL Server Agent Jobs and changes to standard operating procedures that should raise the red flag
  • Configurations – Whether it is xp_cmdshell, Linked Servers or password policy changes, these need to be recorded
  • Code Changes – Code changes sneaking into production would never happen, so be able to prove it
  • Data Auditing – With awareness for confidential data rising, report on who accessed and when
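To make the checklist concrete, here is a set of starter T-SQL checks, one per topic above. This is an added example written for this page, not the webinar’s own scripts. It assumes SQL Server 2008 or later, sysadmin (or at least VIEW SERVER STATE and VIEW ANY DEFINITION) rights to read the catalog views, and illustrative values for the backup path, audit path and the 7- and 30-day windows; xp_readerrorlog is an undocumented procedure and may change between versions.

```sql
-- Added example (not the webinar's scripts): starter audit queries for the
-- topics listed above. Paths, database names and day windows are assumptions.

-- 1. Permissions: members of the instance-level sysadmin and securityadmin roles.
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
ORDER BY r.name, m.name;

-- 1b. Permissions: db_owner members in the current database (run per database).
SELECT DB_NAME() AS database_name, m.name AS member, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner' AND m.name <> 'dbo';

-- 2. Logins: SQL logins that bypass the Windows password policy or expiry,
--    or that were created/modified in the last 30 days (assumed window).
SELECT name, is_policy_checked, is_expiration_checked, is_disabled,
       create_date, modify_date
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
   OR modify_date > DATEADD(day, -30, GETDATE());

-- 2b. Logins: failed login attempts in the current error log.
--     xp_readerrorlog is undocumented: (log number, 1 = SQL Server log, search text).
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 3. Configurations: surface-area options that should normally be off.
SELECT name, value_in_use, description
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'remote access', 'Ad Hoc Distributed Queries')
ORDER BY name;

-- 3b. Configurations: linked servers and their login mappings. A row with
--     uses_self_credential = 0 and a fixed remote_name means every local
--     login in scope rides the same remote account.
SELECT s.name AS linked_server, s.product, s.provider, s.data_source,
       COALESCE(p.name, '<all logins>') AS local_login,   -- principal_id 0 = default mapping
       ll.uses_self_credential, ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals p ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 4. Operations: backups in the last 7 days written outside the standard
--    backup path, and who took them. Anything the schedule does not explain
--    is a candidate for data theft via backup.
SELECT bs.database_name, bs.type, bs.backup_start_date, bs.user_name,
       bmf.physical_device_name
FROM msdb.dbo.backupset bs
JOIN msdb.dbo.backupmediafamily bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_start_date > DATEADD(day, -7, GETDATE())
  AND bmf.physical_device_name NOT LIKE 'D:\Backups\%'   -- assumed standard path
ORDER BY bs.backup_start_date DESC;

-- 4b. Operations: Agent jobs created or changed in the last 30 days, with owner.
SELECT name, enabled, SUSER_SNAME(owner_sid) AS owner, date_created, date_modified
FROM msdb.dbo.sysjobs
WHERE date_created  > DATEADD(day, -30, GETDATE())
   OR date_modified > DATEADD(day, -30, GETDATE())
ORDER BY date_modified DESC;

-- 5. Code changes: procedures, functions, triggers and views modified in the
--    last 30 days in the current database. Compare against change tickets.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name, type_desc, create_date, modify_date
FROM sys.objects
WHERE type IN ('P', 'FN', 'IF', 'TF', 'TR', 'V')
  AND modify_date > DATEADD(day, -30, GETDATE())
ORDER BY modify_date DESC;

-- 6. Data auditing: record who reads a confidential schema with SQL Server Audit
--    (database-level specifications need Enterprise before SQL Server 2016 SP1).
--    'Finance' and 'D:\Audit\' are assumed names.
USE master;
CREATE SERVER AUDIT ConfidentialReads TO FILE (FILEPATH = 'D:\Audit\');
ALTER SERVER AUDIT ConfidentialReads WITH (STATE = ON);
USE Finance;
CREATE DATABASE AUDIT SPECIFICATION ConfidentialReadsSpec
  FOR SERVER AUDIT ConfidentialReads
  ADD (SELECT ON SCHEMA::dbo BY public)
  WITH (STATE = ON);
-- Report: who accessed what, and when.
SELECT event_time, server_principal_name, database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\Audit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Run the blocks individually rather than as one batch: the USE statements in block 6 change the database context, and blocks 1b and 5 are per-database, so loop them over the databases you care about. The day windows are there to make the result sets reviewable; the real control is comparing each row against a change record or a schedule, which is what the session is about.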