Who Is Responsible for Security

Let’s face it. We work in a very Security conscience world. However, I am not sure that is the same thing as awareness.

Phishing is a very popular method for hacking into a system today. In fact, I read an article where North Korea was trying to break into the United States of America electrical grid through phishing attacks. It’s rather amazing how easy it is to be caught up in these kinds of schemes. I know that I won’t open any Email, especially if it has an attachment, from an external email address from my company. I have a personal account used for those purposes, so that any mistake I may make is isolated from my work or professional environments. It’s interesting how few phishing emails I get to my personal accounts :-).

As Stephen pointed out in his earlier editorial, there are so many other methods a devious person may use to attack your system. Some of the holes may be out of your direct control. However, are you responsible if a hole is found, and your company is exploited? Here’s an example.

In 2000 my company was being hacked through one of our development SQL Servers. This was a stand alone machine, without virtualization. To simplify connection to our database servers we were using DNS resolution to an IP Address. The IP Address on the machine was configured to be accessible through the firewall. Moreover, the DNS created for that server was published on the global DNS servers. In short, out dev SQL Server was accessible from outside our firewall.

We detected the intrusion through the SQL Server logs, and found that a hacker was attempting a brute force attempt to discover the SA password for our SQL Server Instance. A quick trip to the firewall solved the intrusion problem quickly, once it was discovered. We were lucky the log size was being monitored.

So, as a DBA I wasn’t responsible for the routing, the DNS, or the IP assignment. Our network engineers were the ones directly responsible. But, that’s just protecting yourself, not the company. What I learned from this event was that I too could have detected the hole. I could easily have attempted to resolve the database address through the DNS, clearly known to me, and if it would resolve, notify our network people to have it resolved. My point is, while security is a pain to deal with, and we all hate the extra effort and inconvenience it causes in our day to day jobs, that doesn’t release us from the obligation as an employee to do what we can to make sure things that must be protected are being protected? We don’t have to wait for a Security Audit to test the obvious questions, do we?

So, who is responsible for security? I propose that we all are.




  • The easy answer is that “it takes a village” – but that would be cheating.

    I think it does take everyone to stop and take time to consider what needs to be reviewed and then add it to a checklist and keep updating and inspecting that list and the things it points to. I don’t think there is any way someone could know all possible entry points, but many heads together could go a long way toward that, especially if people are always learning about new things to consider.

    The whole writing it down and documenting some sort of test/check plan is where a lot of people fail to capitalize on the intellectual capital of their group. If you don’t write it down, you’re left to “re-discover” the things that matter each and every time. If you do write it down and share it and teach it, you raise and multiply the intelligence of all – it’s truly an exponential multiplier vs. just you knowing the things you do.

    We have something we call “Mind the Gap.” It’s an intranet site where, every time we learn something new about systems, or put new things in place or find something new or whatever – we document it and tell people about it. This has been an incredibly powerful tool for sharing knowledge and growing the collective knowledge in a leveraged way.

    The “gap” we’re minding is that space between what I know and what you know – the hand-off and overlap. By documenting and discussing as we go along, we help mind that gap and keep the group intellect growing in a safe and sane way.