
Security Ignorance is Bliss – But Not in a Good Way

I’ve been poking around more and more about security, about best practices and about data protection.  I have spent a good deal of time watching the tried and true “Securing Your SQL Server” type sessions and trying to understand what is critical and what you can do about it.

Security expert Duncan McAlynn sent me a great video that went into the nitty-gritty of a couple of exploits: how it’s done but, even more interestingly, how to prevent it. Now, call me innocent (I’ll wait), but I was floored at the tools and techniques that are readily available, what types of things can be done, and the different things you can easily do to prevent them from working. But you need to do them.

Check out the video here

My hat’s off, too, to CQURE Academy – it’s a great example of two issues.

I’ve talked about security for quite some time in different mediums.  From writing about it, to presentations and such.

What struck me about the exploits is how very specific they are, how readily available the tools are, and how much access could be gained.

So, my net suggestion – review those different points of protection. Remember the different concentric rings of protection – from collection of information to data in transit to data at rest to retrieval and use. It’s important not only to have the right protections running and in place, but also to understand how your hosting environment supports your security requirements.

This is something that has been a pretty significant learning curve for me personally – when we hosted our own systems, and even when we were in a pure co-location type of environment, I felt like I “owned” the security. But now, with a cloud-based infrastructure also in the mix and evolving access for reporting and such, things are instantly more complex. Keeping access available, providing data protection and keeping some sort of control over data use adds all sorts of complexity to the process.

When you add in cloud infrastructure, or even applications as a service, or functions as a service or whatever level of cloud usage you decide to move forward with, you introduce some new challenges.  Credit card processors, reporting, analysis, multi-server usage for reporting and analysis, data query tools, PowerBI, Excel, all of it.  It also goes down to the location(s) you store information – be it online storage, local or a mix.  There are profiles to set up to control access, and you have to balance that with usability and protection of personally identifiable information.

All of this to say that, for me, it’s been this constant running back and forth up and down the proverbial wire to see what else can be considered or locked down. There’s always “one more thing” you can do – and personally, I believe it’s critical to keep tuning and tightening and testing and learning and beating up on your infrastructure. Make sure you know the implications of the solutions you provide.

And, when you think the little settings don’t matter so much, re-watch the video.

  • Mark Armstrong

    North Korea (with the help of Putin no doubt) hacked into the war plan of South Korea that includes decapitation strategies.

    Over 235 gigabytes of war plans stolen.

    Now those war plans are useless and Trump’s bellicose threats against the North about the “military option” are hollow.

    You can’t just develop 235 gigabytes of new military strategy.

    Our tech savvy and that of our allies is an international joke.

    We are being hacked at every level and the ramifications threaten the free world.

    Nothing bliss about that.

    • I think too many think it won’t happen to them. It’s so commonplace that people give it less credence. 3B accounts at Yahoo, 143M at Equifax, the list goes on and on. It desensitizes people to the point where security folks have a harder time getting attention and resources to do the work that is needed.

      In this case, “bliss” is so many that stick their head in the sand and assume it’ll be ok. It’s not. It’s one of the most challenging aspects of multi-vendor, multi-platform, big data and information use applications, no matter if you’re using the cloud or not, using specific apps or not. That sharing of information between tools, systems and environments, let alone just the daily use of applications and systems that use that information, does nothing to add security layers – it’s the opposite, opening up issues.

      • Mark Armstrong

        I agree

        I worked for a payment card processor for 10 years and just doing PCI compliance was a big deal.

        We had penetration tests performed by 3rd parties, etc. and I’m sure that no matter what we did that there were still vulnerabilities.

        Management would communicate to everyone in the company that security is the single most important thing to consider when building software.

        We had people respond that they thought software features were the most important thing.

        It had to be beaten into their heads that no amount of features supersedes data security. We had to explain that if we were ever compromised, the damage to the company would be enormous.

        Banks trusted us with their customers’ data. Huge multi-national billion dollar companies.

        If anyone hacked our systems those banks would get destroyed by their customers and we would be out of business.

        Plain and simple

      • John Shadows

        Don’t forget the IRS hacks…
        I’ve noticed massive resistance to change when you tell architects “hey, that method isn’t secure. You need to push the date back to fix this.”

        Or my favorite: SOX compliance.
        Lots of requirements and constraints yet little to no penetration tests.

        Whole app runs as sysadmin and you never change it then you’re surprised when you get hacked?