SQL Server Security in an Insecure World
Gianluca Sartori
@spaghettidba
sqlconsulting.it
Say thank you to our Sponsors:
Gianluca Sartori
 Independent SQL Server consultant
 SQL Server MVP, MCTS, MCITP, MCT
 Has worked with SQL Server since version 7
 DBA @ Scuderia Ferrari
 Blog: spaghettidba.com
 Twitter: @spaghettidba
Agenda
 Security Matters
 What should I protect?
 How can I prevent attacks?
Security Matters
 Data Breaches are Common
 Data Breaches are Costly
 $450.000 - $850.000 for large businesses
 $35.000 - $65.000 for small businesses
 + Reputational damage
 + Legal risks
-- Source: UK Government
Security Matters
 Security must be considered from the start
 Securing afterwards is extremely costly
 Poorly secured ecosystems are not always possible to fix
 Security is a process, not a product
 No single “magic” solution
 Ongoing process
 Attackers get smarter
 Security must be stronger
Information Security Principles
CIA triad
Information Security Principles
 Confidentiality
 Information cannot be disclosed to unauthorized individuals
 Integrity
 Data cannot be modified in an unauthorized or undetected manner
 Availability
 Information must be available when needed
What happens to insecure systems?
 Confidentiality
 Data leaks
 Integrity
 Unauthorized data modifications
 Frauds
 Availability
 Outages
Attack Methodology
1. Scan for Vulnerabilities / Access
2. Gain Access
3. Escalate Privileges
4. Maintain Access
5. Cover Tracks
Looks complicated? It’s not!
DEMO
How fast can a [poorly configured] system be compromised?
… damn fast!
How can I prevent it?
Implement security policies at all levels
 Physical Security
 External Network
 Internal Network
 Host OS
 Application
 Database
Physical security
 Disallow physical access to the infrastructure
 Servers
 Console
 Ports
 Disks
 Clients
 DBA workstation (lock it when you step away: Win + L)
 What about the cloud?
 Networking devices
 Switches
 Routers
 Cables
Network Security
 Keep the external network out as far as possible
 Implement proper network segmentation
 VLANs separate servers into groups by
 Role
 Sensitivity
 Reduce “implied trust” relationships between servers
 A flat users / servers split is NOT proper segmentation
 Encrypt communications
Host OS
 Regular patching
 Antivirus
 Configuration → security best practices
 Shut down unneeded services
 Reduce attack surface
 Permissions → Least Privilege
 Auditing
 Logging
Application
The application is the most vulnerable component in the stack
 Secure from the start
 Thorough design and code security review
 Input validation
 Authentication
 Authorization
 Error handling
 Auditing
 Logging
SQL Injection
 Has been known for years
 …yet #1 in the OWASP Top 10 security risks
 Easy to detect with automated tools (sqlmap)
 …yet very common in the wild
 Potentially destructive
Injection techniques
 OR-based injection
 Stacked queries injection
 UNION-based injection
 Error-based injection
 Boolean-based blind injection
 Time-based blind injection
DEMO
Let’s sneak in!!
SQL Injection – Fixes
 Use bind parameters
 Enforces parameter data type
 Is not affected by regional settings
 Allows complex input (O'Brien, percent signs, Unicode) without mangling it
 Aggressive input sanitisation does not: it rejects or alters legitimate values and still lets encoded payloads through
SQL Injection – False fixes
 ORMs do not avoid it
 Stored Procedures do not avoid it
 Input validation is not enough
 Obfuscated attacks
 Headers / query strings can be manipulated
 Not limited to web applications
 NoSQL is vulnerable as well!
 .NET’s String.Format is just plain concatenation!!!
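The techniques listed on the "Injection techniques" slide and the fix (bind parameters) and false fix (stored procedures) from the last two slides, shown together in T-SQL. This is an added example, not code from the deck or its demos; the table and procedure names (dbo.Customers, dbo.GetCustomer_Unsafe, dbo.GetCustomer_Safe, dbo.CountRows_Safe) are made up for the illustration.

```sql
-- Added example, not from the deck. A stored procedure that assembles dynamic SQL by
-- concatenation is just as injectable as application code. All object names are made up.
CREATE TABLE dbo.Customers (
    Id    int           NOT NULL PRIMARY KEY,
    Name  nvarchar(100) NOT NULL,
    Email nvarchar(200) NOT NULL
);
INSERT INTO dbo.Customers (Id, Name, Email) VALUES
    (1, N'Alice',    N'alice@example.com'),
    (2, N'O''Brien', N'obrien@example.com');
GO

-- VULNERABLE: @name becomes part of the query text, so the caller writes the SQL.
CREATE PROCEDURE dbo.GetCustomer_Unsafe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, Name, Email FROM dbo.Customers WHERE Name = ''' + @name + N'''';
    EXEC (@sql);
END;
GO

-- The techniques from the slide, each as the value an attacker sends for @name.
-- The comment under each call shows the WHERE clause the server actually runs.
EXEC dbo.GetCustomer_Unsafe N'x'' OR 1=1 --';
    -- WHERE Name = 'x' OR 1=1 --'                       OR-based: every row comes back
EXEC dbo.GetCustomer_Unsafe N'x'' UNION SELECT object_id, name, N'''' FROM sys.tables --';
    -- ... UNION SELECT object_id, name, N'' FROM sys.tables --'   UNION-based: other data leaks
EXEC dbo.GetCustomer_Unsafe N'x''; UPDATE dbo.Customers SET Email = N''evil@example.com''; --';
    -- WHERE Name = 'x'; UPDATE dbo.Customers ... --'    stacked queries: a second statement runs
EXEC dbo.GetCustomer_Unsafe N'x'' AND 1 = CONVERT(int, @@VERSION) --';
    -- conversion fails and the error message contains @@VERSION   error-based
EXEC dbo.GetCustomer_Unsafe N'Alice'' AND SUBSTRING(@@VERSION, 1, 1) = ''M'' --';
    -- the row comes back only if the guess is right     boolean-based blind
EXEC dbo.GetCustomer_Unsafe N'x''; WAITFOR DELAY ''0:0:5'' --';
    -- the response is delayed by 5 seconds              time-based blind
GO

-- FIXED: the value is handed to sp_executesql as a typed parameter and is never part of
-- the SQL text. Every payload above now simply fails to match a customer name, while
-- awkward legitimate input such as O'Brien needs no sanitising at all.
CREATE PROCEDURE dbo.GetCustomer_Safe @name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, Name, Email FROM dbo.Customers WHERE Name = @p_name';
    EXEC sys.sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @name;
END;
GO
EXEC dbo.GetCustomer_Safe N'x'' OR 1=1 --';   -- no rows
EXEC dbo.GetCustomer_Safe N'O''Brien';         -- one row, no escaping needed

-- Identifiers cannot be bound as parameters. When a table name really must be dynamic,
-- check it against the catalog and wrap it with QUOTENAME() instead of concatenating.
CREATE PROCEDURE dbo.CountRows_Safe @table sysname
AS
BEGIN
    IF OBJECT_ID(N'dbo.' + QUOTENAME(@table), N'U') IS NULL
    BEGIN
        RAISERROR (N'Unknown table', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(max) = N'SELECT COUNT(*) AS n FROM dbo.' + QUOTENAME(@table);
    EXEC sys.sp_executesql @sql;
END;
GO
```

Dynamic SQL run with EXEC or sp_executesql breaks ownership chaining, so every payload executes with the caller's own permissions: the stacked UPDATE only succeeds if the application's login may update dbo.Customers. That is why the least-privilege slides that follow matter even where an injection slips through.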
DEMO
Let’s break things!!
What happened?
 We damaged the database, the instance and the OS because the login the application used had the privileges to do so
 Apply least privilege
 At the Database level
 At the Instance level
 At the OS level
 … at every level!
SQL Server Security - Authentication
 Authenticate the user or the application?
 Prefer Windows Authentication when possible
 No need to provide a password
 No need to store passwords in config files
 SQL Authentication is less secure
 Clear text before SQL Server 2005
 RC4 before SQL Server 2012
 Password policies
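An added example, not from the deck, of what "prefer Windows Authentication" and "password policies" look like on an instance: two audit queries for weak SQL logins, then the statements that create logins the right way and fix existing ones. The login names (CORP\SalesAppSvc, app_reporting) and the sample password are made up.

```sql
-- Added example, not from the deck. Login names and the sample password are made up.

-- 1. SQL logins that bypass the Windows password policy or whose password never expires.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled, modify_date
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 2. SQL logins whose password is blank or equal to the login name: the first two
--    guesses any scanner makes. PWDCOMPARE requires CONTROL SERVER.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 3. Preferred: a Windows login for the application's service account. No password is
--    stored in any config file; Windows (Kerberos or NTLM) authenticates the connection.
CREATE LOGIN [CORP\SalesAppSvc] FROM WINDOWS;

-- 4. If SQL authentication is unavoidable, keep the OS password policy on. Expiry is only
--    safe with a rotation process; without one the application stops when it expires.
CREATE LOGIN app_reporting
    WITH PASSWORD = N'xK9#vT2m!Qe7$Lp4Wz',   -- sample value; generate your own in the password safe
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- 5. Fix the offenders found in step 1 in place instead of recreating them.
ALTER LOGIN app_reporting WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Run the two audit queries from a scheduled job and treat any row as a finding; a login with CHECK_POLICY off is exactly the "sticky note" password the next slide warns about, only server-side.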
SQL Server Security - Authentication
 Passwords are problematic
 Users tend to forget
 Sticky Notes
 Same password, multiple places
 Have I Been Pwned?
 Use passwords that you cannot remember
 Use a Password Safe
 KeePass Password Safe
SQL Server Security - Authorization
Principle of least privilege:
 Users must be granted only the privileges essential for their work
 Typical scenario:
 users are granted the sysadmin role
 users are granted the db_owner role → very common!
 users are granted built-in database roles
 Security must be taken into account from the start!!!
SQL Server Security
Best Practices:
1. Create application specific roles with no privileges
2. Grant minimum needed permissions to roles
3. Add users to roles
4. Don’t grant permissions to users
5. Use application roles to enhance security
 Windows groups are not a substitute for database roles
 NEVER, EVER grant server roles to “regular” users
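The five best practices above as one T-SQL script, followed by the check that proves the result and the audit queries for the "typical scenario" from the previous slide. This is an added example, not the deck's demo code; the database, objects, role and principal names (Sales, dbo.Orders, dbo.Customers, dbo.usp_GetOrder, app_sales_reader, app_sales_writer, CORP\SalesApp) are made up, and CORP\SalesApp is assumed to be a service account whose login already exists.

```sql
-- Added example, not from the deck. All names are made up; CORP\SalesApp is assumed to be
-- a service-account login that already exists on the instance.
USE Sales;
GO
-- 1. An application-specific role that starts with no privileges at all.
CREATE ROLE app_sales_reader;

-- 2. Grant the role only what the application needs: read two tables, run one procedure.
--    No db_datareader, no db_owner, nothing at the server level.
GRANT SELECT  ON OBJECT::dbo.Orders       TO app_sales_reader;
GRANT SELECT  ON OBJECT::dbo.Customers    TO app_sales_reader;
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder TO app_sales_reader;

-- 3. Map the login to a database user and put the USER in the role. A Windows group or
--    service account decides who gets in; the database role decides what they may do.
CREATE USER [CORP\SalesApp] FOR LOGIN [CORP\SalesApp];
ALTER ROLE app_sales_reader ADD MEMBER [CORP\SalesApp];

-- 4. Nothing is granted to the user directly, so removing access is one statement:
--    ALTER ROLE app_sales_reader DROP MEMBER [CORP\SalesApp];

-- 5. Application role: the application activates it with a password after connecting,
--    so the interactive user's own rights are never what the application runs with.
CREATE APPLICATION ROLE app_sales_writer
    WITH PASSWORD = N'Rt6$wE3n!Zq8%Hv1Ks', DEFAULT_SCHEMA = dbo;   -- sample value
GRANT INSERT, UPDATE ON OBJECT::dbo.Orders TO app_sales_writer;
-- from the application, after connecting:
-- EXEC sys.sp_setapprole 'app_sales_writer', N'Rt6$wE3n!Zq8%Hv1Ks';

-- Check: impersonate the user and list effective permissions on two tables.
EXECUTE AS USER = N'CORP\SalesApp';
SELECT entity_name, permission_name
FROM sys.fn_my_permissions(N'dbo.Orders', N'OBJECT');       -- SELECT only
SELECT entity_name, permission_name
FROM sys.fn_my_permissions(N'dbo.Salaries', N'OBJECT');     -- no rows: not granted
REVERT;

-- Audit the "typical scenario": who is db_owner here, and who is sysadmin on the instance?
SELECT m.name AS member, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';

SELECT l.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

The application role moves the secret problem from the login to the role password, which the application must still store somewhere; it is an improvement over giving the interactive user write access, not a replacement for Windows authentication of the service account.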
SQL Server Security
Additional features:
 TDE: Transparent Data Encryption
Encrypts database files and backup files
 SSL Network Encryption
Encrypts the communications channel between SQL Server and client computers
SQL Server 2016 New Security Features
 Always Encrypted
Column-Level encryption
Data is encrypted both at rest and in memory
Decryption happens on the client
 Row-Level Security
Filters rows available to users
 Dynamic Data Masking
Obfuscates sensitive information
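Row-Level Security and Dynamic Data Masking from the list above, applied to one table so the filtering and the obfuscation can be seen together. This is an added example for SQL Server 2016 and later, not from the deck; the table, schema, function, policy and user names (dbo.Orders, Security.fn_OrderPredicate, Security.OrderFilter, rep_north, rep_south) are made up.

```sql
-- Added example, not from the deck. Requires SQL Server 2016 or later. All names are made up.
CREATE TABLE dbo.Orders (
    OrderId  int           NOT NULL PRIMARY KEY,
    SalesRep sysname       NOT NULL,          -- database user name of the row owner
    Customer nvarchar(100) NOT NULL,
    CardNo   varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Email    nvarchar(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Amount   money         MASKED WITH (FUNCTION = 'default()') NOT NULL
);
INSERT INTO dbo.Orders (OrderId, SalesRep, Customer, CardNo, Email, Amount) VALUES
    (1, N'rep_north', N'Alice', '4111-1111-1111-1111', N'alice@example.com', 120.00),
    (2, N'rep_south', N'Bob',   '5500-0000-0000-0004', N'bob@example.com',    75.50);

CREATE USER rep_north WITHOUT LOGIN;
CREATE USER rep_south WITHOUT LOGIN;
GRANT SELECT ON dbo.Orders TO rep_north, rep_south;
GO
CREATE SCHEMA Security;
GO
-- Row-Level Security: a schema-bound inline function that returns a row only when the
-- current database user owns it (db_owner members still see everything).
CREATE FUNCTION Security.fn_OrderPredicate (@SalesRep AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME() OR IS_MEMBER(N'db_owner') = 1;
GO
-- FILTER hides other reps' rows from reads; BLOCK stops a rep inserting rows for someone else.
CREATE SECURITY POLICY Security.OrderFilter
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON);
GO
-- rep_north sees only OrderId 1, and the masked columns are obfuscated:
--   1  Alice  XXXX-XXXX-XXXX-1111  aXXX@XXXX.com  0.00
EXECUTE AS USER = N'rep_north';
SELECT OrderId, Customer, CardNo, Email, Amount FROM dbo.Orders;

-- Masking is applied to the result set only. The real value still drives the predicate,
-- so this returns OrderId 1 (shown with Amount 0.00) and reveals that the amount exceeds 100.
SELECT OrderId, Amount FROM dbo.Orders WHERE Amount > 100;
REVERT;

-- Only principals that genuinely need the clear value get UNMASK; RLS stays in force for them.
GRANT UNMASK TO rep_north;
```

Dynamic Data Masking is therefore an obfuscation layer for applications and casual viewers, as the slide says, not a confidentiality control: a user who can run arbitrary predicates against a masked column can recover its values by search. Row-Level Security, by contrast, is enforced inside the engine for every query path, including ad-hoc queries, as long as the policy stays ON.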
Resources
 OWASP
http://www.owasp.org
 Security checklist for the Database Engine
http://msdn.microsoft.com/en-us/library/ff848778(v=SQL.105).aspx
 Troy Hunt’s blog
http://www.troyhunt.com
 Troy Hunt’s free Pluralsight webinar: Why SQL Injection Remains the #1 Web Security Risk Today
http://www.troyhunt.com/2015/06/free-recorded-webinar-on-pluralsight.html
Q&A
Questions?
Stick around for RAFFLE and the AFTER EVENT!
 All our volunteers and organisers do not get paid for organizing this event – If you see them, please:
 Give them a hug
 Shake their hand
 Say thank you
 Spread the word
 Get involved yourself
 Don’t forget to thank the sponsors for their support
 Thank the speakers for donating their time, energy and expenses
 Don’t forget the feedback!
