July 2019 – New Microsoft security update for Spectre variant

If you remember the flurry of news from the beginning of 2018 about the side channel attacks called Spectre and Meltdown, Microsoft has included in its July update a patch for a newly discovered Spectre variant 1 attack method. According to Microsoft’s revision announcement, this one does not require a microcode update. Definitely check the security bulletin for the OSes you handle, because there are some known issues.

New Security Update for SQL Server in July 2019 Patches

SQL Server is included in Microsoft’s release of patches today. It doesn’t look like this affects SQL Server 2008 or SQL Server 2008 R2, since the earliest reported platform is SQL Server 2014. Here’s the vulnerability:

CVE-2019-1068 | Microsoft SQL Server Remote Code Execution Vulnerability

It’s a remote code execution vulnerability, but the attacker has to be connected to SQL Server, because the vulnerability can only be exploited using a specially crafted query. The code would execute in the context of the database engine service account (hopefully not configured to run with administrative rights on the server or elevated rights in Active Directory).

The Microsoft security announcement is here (this is the 2014 GDR link, as there are other links for other configurations):

Description of the security update for SQL Server 2014 SP3 GDR: July 9, 2019
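As an added example that is not part of the original post or of Microsoft’s bulletin, here is the T-SQL I’d run on an instance to check the two things that passage calls out: which account the Database Engine service runs as (the context any exploited query would execute in) and what build is installed, plus which logins can connect at all. It only uses standard DMVs and SERVERPROPERTY; it does not know the fixed build number, which you take from the KB article for your branch, and it can’t see the service account’s group memberships on the host or in the domain, so that part is checked outside SQL Server.

```sql
-- Added example (not from the original post): post-patch checks for CVE-2019-1068.
-- Requires VIEW SERVER STATE. sys.dm_server_services exists from SQL Server 2008 R2 SP1 on.

-- 1. Service accounts. The "SQL Server (MSSQLSERVER)" / "SQL Server (<instance>)" row is
--    the Database Engine. Verify on the host / in AD that this account is not a local
--    Administrator and holds no elevated domain rights; T-SQL can only show the name.
SELECT servicename,
       service_account,
       startup_type_desc,
       status_desc
FROM   sys.dm_server_services;

-- 2. Version and patch level. ProductVersion is the build (12.0.xxxx for SQL Server 2014);
--    ProductLevel / ProductUpdateLevel show SP and CU (ProductUpdateLevel returns NULL on
--    builds that predate it). Compare the build with the fixed build listed in the KB
--    article before concluding the instance is patched.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS product_update_level,
       SERVERPROPERTY('Edition')            AS edition;

-- 3. Who can reach the engine. The vulnerability needs an authenticated connection, so
--    review the enabled logins, especially those that are members of sysadmin.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM   sys.server_principals AS sp
WHERE  sp.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND  sp.name NOT LIKE '##%'       -- skip the certificate-mapped internal logins
ORDER BY is_sysadmin DESC, sp.name;
```

Run it once before and once after applying the update; the third result set is also a good starting list when deciding which logins don’t need to exist on the instance at all.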

Why do I mention SQL Server 2008 / 2008 R2? Because those versions are no longer under Extended Support and will not receive security updates. If you haven’t migrated, I’ve written an article at Simple Talk about your options.

Guidance on Moving Off of SQL Server 2008 and 2008 R2

July 9, 2019 will be here soon. With it comes the end of support, including security updates for SQL Server 2008 and SQL Server 2008 R2 unless you either migrate to Azure or enter into an agreement program with Microsoft. I know quite a few folks are facing this situation, so I wrote a guide covering why to migrate (other than regulatory) as well as what to do if you can’t, over at Simple Talk: The End of SQL Server 2008 and 2008 R2 Extended Support.

Mitre’s ATT&CK Security Framework

Mitre’s ATT&CK security framework was mentioned often at the Techno Security and Digital Forensics Conference. I admit that I’m not well-versed in it yet. However, its purpose makes sense. It’s a knowledge base of Adversarial Tactics, Techniques, and Common Knowledge, which is what the acronym ATT&CK stands for. Mitre created a short video to explain ATT&CK and why it was created:

One example of ATT&CK being a common body of knowledge that folks are striving to keep up to date is its catalog of identified threat groups. As of this post, there is information available on 86 groups, mainly nation-state actors.

One of the things I try to do in my security presentations is help folks stop thinking only in terms of what they’re good at. For instance, in my How I Would Hack SQL Server presentation, I point out that as an attacker, going directly against SQL Server is an option of last resort. It’s much easier to find the data I care about on a file share, in an Excel spreadsheet, or in some other less secure spot. Compromising accounts and then using those accounts is the easier and safer road to success. What ATT&CK details is what attackers actually do. Therefore, if you’re in charge of securing systems or applications, looking over the ATT&CK framework will help you look at your systems more as an attacker would.

Sysinternals – A Swiss Army Knife for IT Pros

I’m at the Techno Security and Digital Forensics conference in Myrtle Beach again this year. I sat in on a presentation about performing malware analysis. The analyst began by using two popular Microsoft tools: Dependency Walker and Process Explorer. He used Dependency Walker to do a quick, static analysis of the malware file, just to see what .DLLs it used. As malware continues to become more and more sophisticated, this type of analysis is limited. We see a lot of noise. However, by watching the behavior in a sandboxed, isolated environment, we can see what the malware actually does. With the right set of tools, we can even fool malware into thinking it’s properly online.

Process Explorer is the more interesting tool here because it allows us to see processes in real time. We can see the handles a process has open. We can also examine any built-in strings that could reveal information about what the malware connects to, maybe who the author was, etc. But Process Explorer’s primary reason for existence wasn’t to help with malware analysis. It, like most of the rest of the Sysinternals suite, is designed to be a toolset that helps administrators troubleshoot issues on their systems. I have the Sysinternals tools available whenever I’m looking at a system.

The two tools I use the most are Process Explorer and Process Monitor. Process Monitor keeps a log of all file system and registry access. This is great for figuring out why a particular application is failing. Often something is missing. Or the key to figuring out why something is broken is stored in a configuration file or in a registry value. By seeing what a process attempts to access, I can usually find where the issue is. Combined with Process Explorer, I can get a good view of what an application is trying to do.

The best part of these tools is that they are free. They aren’t hard to learn how to use, either. And they aren’t considered “hacking tools,” meaning you can run them on your system, even if you’re a DBA or developer. If you manage Windows systems, I would definitely recommend familiarizing yourself with these tools, if you haven’t already.

Why Security Through Obscurity Is Bad (Alone)

Security through (or by) obscurity is where we try to protect an asset by hiding it. Anyone who has ever played the game Capture the Flag knows that a motivated opponent will eventually find the flag. If there are no other deterrents in place, the opponent will scour the playing area and find the flag. If hiding an asset (the flag) doesn’t work for that simple game, it doesn’t work for information security.

However, Capture the Flag doesn’t just involve hiding the flag. In all variations of the game, all teams have attackers. Therefore, part of the deterrent is acting quicker than your opposition. In a lot of variants, each side also has defenders who have some ability to discourage or thwart attackers. Even if the particular variant doesn’t have the concept of defenders, a team can be sneaky. It can overload one side, trying to trick the opposing forces into thinking the flag is hidden over on that side. Or some of the attackers could act out mock dismay when an opposing team heads into the wrong part of the playing area, leading that team to think they are close to the flag when they aren’t. In other words, there are always additional countermeasures.

The problem in information security with a strategy of security through obscurity alone is that we are assuming we are smarter than any adversary with plenty of time and opportunity on his or her hands. We aren’t. Therefore, we need to have the other appropriate countermeasures (controls) in place in order to protect our assets. There’s nothing wrong with making an asset harder to find (obscuring it). However, that can’t be our only mechanism of protection.

Security Controls: CISA vs. CISSP

When looking at the Certified Information Systems Auditor (CISA) exam, we focus on teaching 3 types of controls:

  • Preventative – keeps an incident from occurring
  • Detective – Identifies the occurrence of an event and possibly the actor
  • Corrective – Fixes things after the incident

However, the Certified Information Systems Security Professional (CISSP) also indicates there are 3 types of controls, but they are different from the ones listed as “types” by the CISA:

  • Administrative – These are management-type controls. They are also known as soft controls, and sometimes folks call them manual procedures.
  • Technical – Also called logical controls. These are controls we attribute to software and hardware.
  • Physical – Controls that protect the physical environment, such as guards, locks, fences, and cameras.

So what does the CISSP do with the 3 listed by the CISA? Those are called control functionalities. There are 6 of those:

  • Preventative
  • Detective
  • Corrective
  • Deterrent – A control intended to discourage an attacker.
  • Recovery – A control which returns the environment back to normal operations.
  • Compensating – A control that provides an alternative means when another control isn’t/can’t be used.

In the CISA we often talk about compensating controls, but we don’t list them as a specific functionality. However, I like the CISSP breakdown a lot better. Basically, we get a matrix between the 3 types and the first 5 functionalities, with compensating controls understood to protect an asset when the primary control is unavailable or too costly.

The key takeaway is to understand how our controls are implemented and why they work. Classification helps us better understand what we’ve got protection-wise and it will allow us to spot gaps.

MSSQLTips Webcast on Security

On February 11, 2016, at 3 PM EST, I’ll be giving a security webinar for MSSQLTips. It’s titled Performing a SQL Server Security Risk Assessment. Here’s the abstract:

You have one or more SQL Servers and you want to assess the security of each. What’s a priority? What puts your organization at the greatest risk? What should you attack first?

In this presentation, we’ll look at how to do a security risk assessment of SQL Server. We’ll cover all the common big-ticket items, the ones that could lead to a server breach, data loss, or a system becoming unavailable due to mismanagement. We’ll also discuss how to assess other items you may find and how to rank and prioritize them. Armed with this information, you’ll be better equipped to provide a to-do list to your management with justifications and relative impact for each proposed change.

If you’re interested in attending the webinar, it’s free but you’ll need to register.

Midlands PASS Meeting: 2016 SQL Server Security Refresher

The Midlands PASS Chapter will hold its next meeting on January 14, 2016 at Microstaff IT. We start the meet and greet at 5:30 PM and the main topic usually kicks off around 6 PM.

2016 SQL Server Security Refresher

Midlands PASS Chapter’s annual SQL Server security refresher! This is an open-ended discussion hosted by Data Platform MVP and resident SQL Server security expert, Brian Kelley. Bring your scenarios and questions and we’ll work through the best ways to build security solutions for and using Microsoft SQL Server.

You can RSVP here so we know how much food and refreshments to bring.

SQL Server Encryption Presentation on July 9, 2015

I will be giving a presentation on SQL Server Encryption through MSSQLTips. It’s at 3 PM EDT on July 9, 2015.

You can register through the MSSQLTips.com page for the webinar.

This sign-up page will allow you to sign up for multiple future webinars.

A rough outline of the presentation:

Data in the Database

  • The case for partial encryption (some data unencrypted)
  • The datatypes we use for encrypted data
  • The options available and who can see decrypted data
  • How we use SQL Server’s built-in functionality
  • Addressing Performance Issues

Encrypting the Whole Database (Transparent Data Encryption)

  • How it works
  • What you need to make it work
  • How do you handle recovery / disaster recovery

Encrypting Backups

  • Don’t wait until after it’s written to disk
  • TDE to the rescue
  • Encrypted backups in SQL Server 2014
  • Don’t reject 3rd party products

Encrypting Connections to SQL Server

  • The options
  • What about POODLE?
  • What about IPSEC?
