eBook - ePub
Securing SQL Server
Protecting Your Database from Attackers
Denny Cherry
This is a test
Share book
- 462 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Securing SQL Server
Protecting Your Database from Attackers
Denny Cherry
Book details
Book preview
Table of contents
Citations
About This Book
SQL server is the most widely-used database platform in the world, and a large percentage of these databases are not properly secured, exposing sensitive customer and business data to attack.
In Securing SQL Server, Third Edition, you will learn about the potential attack vectors that can be used to break into SQL server databases as well as how to protect databases from these attacks. In this book, Denny Cherry -a Microsoft SQL MVP and one of the biggest names in SQL server - will teach you how to properly secure an SQL server database from internal and external threats using best practices as well as specific tricks that the author employs in his role as a consultant for some of the largest SQL server deployments in the world.
Fully updated to cover the latest technology in SQL Server 2014, this new edition walks you through how to secure new features of the 2014 release. New topics in the book include vLANs, setting up RRAS, anti-virus installs, key management, moving from plaintext to encrypted values in an existing application, securing Analysis Services Objects, Managed Service Accounts, OS rights needed by the DBA, SQL Agent Security, Table Permissions, Views, Stored Procedures, Functions, Service Broker Objects, and much more.
- Presents hands-on techniques for protecting your SQL Server database from intrusion and attack
- Provides the most in-depth coverage of all aspects of SQL Server database security, including a wealth of new material on Microsoft SQL Server 2014.
- Explains how to set up your database securely, how to determine when someone tries to break in, what the intruder has accessed or damaged, and how to respond and mitigate damage if an intrusion occurs.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlegoās features. The only differences are the price and subscription period: With the annual plan youāll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weāve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Securing SQL Server an online PDF/ePUB?
Yes, you can access Securing SQL Server by Denny Cherry in PDF and/or ePUB format, as well as other popular books in Computer Science & Databases. We have over one million books available in our catalogue for you to explore.
Information
Chapter 1
Identifying Security Requirements
Abstract
This chapter talks about how to figure how what security objectives need to be identified.
Keywords
security
objectives
Information in this chapter
ā¢ What are security objectives?
ā¢ When should security objectives been identified?
ā¢ How to identify security objectives?
What are Security Objectives?
There are two kinds of security objectives that need to be dealt with. The first is the easiest, identify the data which must be protected and why it must be protected. This includes data such as personally identifiable information (PII) such as names, email addresses, usernames, passwords, date of birth, etc. The second is a little more complex as it requires identifying any potential application design problems.
Plainly stated, we need to define the security objectives and locate the security holes within an application.
Personally Identifiable Information
As your application data design process begins the personally identifiable information should be identified, a decision made as to which data should be encrypted (which should be all of it), and plans made to encrypt that data to ensure that the data is protected. This information is generally defined as anything which can be used to identify a specific person. Often times it is assumed that you want to encrypt the usersā password and that is it. In the modern times of data security we need to take a very close look at the data which our customers trust us with. This means that we need to look at encrypting data such as the following.
ā¢ Username
ā¢ Password
ā¢ Customers Name
ā¢ Customers Address
ā¢ Social Security Number
ā¢ Tax ID Number
ā¢ Email Address
ā¢ Spouseās Name
ā¢ Employer
ā¢ Spouseās Employer
ā¢ Social Media Accounts
ā¢ Bank Account Information
ā¢ Telephone Numbers
ā¢ Item Purchase History
ā¢ Password Reset Answers
When working with any sort of medical data there is a whole bunch of additional data which needs to be looked at. This includes data such as:
ā¢ Doctor Patient Relationship
ā¢ Insurance Carrier
ā¢ Diagnosis
ā¢ Test Results
ā¢ Tests Ordered
ā¢ Digital X-Rays, MRIs, Cat Scans
When Should Security Objectives been Identified?
Proper database and application security begins at the beginning of the development process by first identifying what kinds of data will be stored, and how people will access that data. From then we can identify the risks associated with storing that kinds of information and those kinds of access patterns. Once the risks are identified technical solutions to mitigate those risks can be designed and implemented into the application design.
The most general security objective that we can start with is that āall data should remain secure.ā While this is a very broad statement, and an excellent goal, it does not provide us with any insight to the applicationās purpose, the data which we will be processing and storing, and it does not give us any guidance to a technological solution to ensure that the objective is met. For many application development cycles this is about as much thought as it put into security objectives. This is because for many development teams they need to focus on the core business objectives of the application, which is almost never data security. At best the developer is left to self-identify the fields which should be protected through data security, as well as to identify the method by which the data should be encrypted. Often times the security aspects of the application design, beyond items like the ability to log into the application, is left to āthe next phaseā of the project. But by the time the next phase comes around there are business critical processes which need to be worked on instead of dealing with the security holes which were left over from the prior phases of the project.
The big reason for this approach is that the business drives the development process either directly through project plans or indirectly by paying for development time. Due to this the business will only want to pay for development time for items which they see adding value to the customers or the users of the application. As security is typically something which cannot be seen by the customer or the end user the business typically sees no need to focus on security while preventing work on other features which they see as being more important to be worked on.
As time passes the business gets another reason to push back on identifying and implementing security objectives into the application development process. āIf it has been broken this long, why should be focus on fixing it now?ā The problem with this kind of thinking when it comes to security is that by the time the lack of security has become an issue it is too late. The attacker has already broken into the system and exported the data which they want to export. Patching the holes in the system at this point while good is useless for doing anything about the attack.
When systems are smaller with less uses that is the ideal time to fix security problems within the application. Often security features are hard to implement and often require huge amounts of data change. When applications are smaller with less data in the system this becomes the ideal time to fix these problems has the data changes which need to happen are very small compared to after the application has been in use for months or years.
How to Identify Security Objectives?
When using more legacy software design methodologies (basically anything besides SCRUM and Code First) you need to examine your data sets and your tables and identify anything which could be used to identify a single customer, and not just from a login perspective.
Once you have gone and identified the fields which can be used to identify a single customer the same information should be reviewed by the companyās legal department to see if there are any other fields which they feel should be encrypted. When working with the legal department it is best to give them not just the names of the columns, as those may or may not mean anything to them but give them the description of the field as well as several rows of realistic sample data so that they can evaluate the actual data to see based on the data if it needs to be protected.