Who Is Responsible for Security

Let’s face it. We work in a very Security conscience world. However, I am not sure that is the same thing as awareness.

Phishing is a very popular method for hacking into a system today. In fact, I read an article where North Korea was trying to break into the United States of America electrical grid through phishing attacks. It’s rather amazing how easy it is to be caught up in these kinds of schemes. I know that I won’t open any Email, especially if it has an attachment, from an external email address from my company. I have a personal account used for those purposes, so that any mistake I may make is isolated from my work or professional environments. It’s interesting how few phishing emails I get to my personal accounts :-).

As Stephen pointed out in his earlier editorial, there are so many other methods a devious person may use to attack your system. Some of the holes may be out of your direct control. However, are you responsible if a hole is found, and your company is exploited? Here’s an example.

In 2000 my company was being hacked through one of our development SQL Servers. This was a stand alone machine, without virtualization. To simplify connection to our database servers we were using DNS resolution to an IP Address. The IP Address on the machine was configured to be accessible through the firewall. Moreover, the DNS created for that server was published on the global DNS servers. In short, out dev SQL Server was accessible from outside our firewall.

We detected the intrusion through the SQL Server logs, and found that a hacker was attempting a brute force attempt to discover the SA password for our SQL Server Instance. A quick trip to the firewall solved the intrusion problem quickly, once it was discovered. We were lucky the log size was being monitored.

So, as a DBA I wasn’t responsible for the routing, the DNS, or the IP assignment. Our network engineers were the ones directly responsible. But, that’s just protecting yourself, not the company. What I learned from this event was that I too could have detected the hole. I could easily have attempted to resolve the database address through the DNS, clearly known to me, and if it would resolve, notify our network people to have it resolved. My point is, while security is a pain to deal with, and we all hate the extra effort and inconvenience it causes in our day to day jobs, that doesn’t release us from the obligation as an employee to do what we can to make sure things that must be protected are being protected? We don’t have to wait for a Security Audit to test the obvious questions, do we?

So, who is responsible for security? I propose that we all are.