Howard Pincham, MCITP, CISSP Database and Compliance Engineer Hyland Software, Inc.

Presentation transcript:


Session goals:
- Discuss the importance of good security practices.
- Provide guidance on how to secure SQL Server.
- Demonstrate repeatable techniques that you can use today!

- Hottest-selling '70s/'80s vehicle
- Most likely to be stolen... why?
  - It was easy to steal
  - Big market for stolen parts
  - Worth the effort to strip

"...'cuz that's where the money is" - Willie Sutton, famed bank robber

Risk model, using the Cutlass as the example:

Asset:         Cutlass
Vulnerability: Quarter window and ignition lock
Threat:        Anybody with a screwdriver
Likelihood:
Risk:          Cutlass is stolen
Safeguard:     Alarm or kill switch

Scenario 1:
- You want to access tables in a certain database instance on a laptop.
- The instance has been hardened by granting access to a single user.
- The user will not cooperate with you.
- What actions would you take to access the data?

Vulnerabilities and safeguards (local access):

Vulnerability: Credentials stored in plaintext
  Safeguard:   Store credentials in a secure store or network

Vulnerability: Unsecured backup files; unsecured database services and files
  Safeguards:  Apply least privilege; secure backup folders; encrypt backup files and/or backup volumes

Vulnerability: Poor physical security
  Safeguard:   Store critical data on systems located in secure rooms or datacenters
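The backup-related safeguards above (least privilege for the backup account, encrypted backup files, and a check that nothing was backed up unencrypted) as a worked T-SQL script. This is an added example, not code from the presentation; it assumes a database named AppDb, a key folder D:\Keys, a backup folder D:\Backups and a Windows account CORP\svc_backup, all placeholders to replace. Native backup encryption requires SQL Server 2014 or later.

```sql
-- Added example (not from the presentation). Names below (AppDb, D:\Keys, D:\Backups,
-- CORP\svc_backup, BackupEncryptCert) are placeholders; adjust to your environment.
USE master;
GO
-- 1. Key hierarchy: a database master key in master protects the certificate
--    that encrypts backups. Use a long, unique password and store it in your secret store.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
GO
CREATE CERTIFICATE BackupEncryptCert WITH SUBJECT = 'AppDb backup encryption';
GO
-- 2. Export the certificate and its private key to a folder OTHER than the backup
--    folder, with restrictive NTFS permissions. Without these files an encrypted
--    backup cannot be restored on another server.
BACKUP CERTIFICATE BackupEncryptCert
    TO FILE = N'D:\Keys\BackupEncryptCert.cer'
    WITH PRIVATE KEY (
        FILE = N'D:\Keys\BackupEncryptCert.pvk',
        ENCRYPTION BY PASSWORD = '<replace-with-strong-password>');
GO
-- 3. Least privilege: the job account that takes backups needs only
--    db_backupoperator in the database, not sysadmin.
CREATE LOGIN [CORP\svc_backup] FROM WINDOWS;
GO
USE AppDb;
GO
CREATE USER [CORP\svc_backup] FOR LOGIN [CORP\svc_backup];
ALTER ROLE db_backupoperator ADD MEMBER [CORP\svc_backup];
GO
-- 4. Encrypted backup; CHECKSUM makes page corruption fail the backup instead of
--    silently producing an unrestorable file.
BACKUP DATABASE AppDb
    TO DISK = N'D:\Backups\AppDb.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupEncryptCert),
         CHECKSUM, INIT;
GO
-- 5. Check: list backups from the last 7 days that were taken WITHOUT encryption
--    (key_algorithm is NULL for unencrypted backups). An empty result is the goal.
SELECT bs.database_name,
       bs.backup_finish_date,
       bs.key_algorithm,
       bs.encryptor_type,
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_finish_date > DATEADD(day, -7, GETDATE())
  AND bs.key_algorithm IS NULL
ORDER BY bs.backup_finish_date DESC;
```

Step 5 is the one to schedule as a recurring check: encrypting backups only helps if every backup path (maintenance plans, third-party agents, ad-hoc copies) actually uses the certificate, and msdb records which ones did.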

Scenario 2:
- You are concerned about the security of data and metadata as it traverses various networks.
- You suspect that some systems and applications are vulnerable to network-based attacks.
- What actions will you take to test these systems?

Vulnerabilities and safeguards (network access):

Vulnerability: Untrusted clients can identify and interrogate SQL Server instances
  Safeguard:   "Hide" instances, isolate servers

Vulnerability: Transaction data and SQL logins are transmitted in plaintext
  Safeguard:   Isolate network traffic and/or use encrypted connections

Vulnerability: SQL login credentials can be configured to allow blank passwords
  Safeguard:   Apply password policies, use Windows Authentication

Vulnerability: SQL injection and other hacks can compromise the server
  Safeguard:   Apply single-use servers, least privilege and secure coding
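Three of the network-side safeguards above (verify that connections are encrypted and use Windows Authentication, find and fix SQL logins with blank or policy-exempt passwords, and replace string-built SQL with parameterised SQL under least privilege) as a worked T-SQL script. This is an added example, not code from the presentation; it assumes a login named app_login that is also a user in the current database, and a table dbo.Customers(CustomerId, Name), both placeholders.

```sql
-- Added example (not from the presentation). app_login and dbo.Customers are
-- placeholders; adjust to your environment. Run steps 1-3 as an administrator.

-- 1. Check how the current session got in: encrypt_option should be TRUE and
--    auth_scheme should be KERBEROS or NTLM (Windows Authentication), not SQL.
SELECT session_id, net_transport, encrypt_option, auth_scheme, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Find SQL logins whose password is blank or equal to the login name.
--    PWDCOMPARE requires CONTROL SERVER permission.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 3. Enforce the Windows password policy on SQL logins, then list any enabled
--    login that still bypasses it.
ALTER LOGIN app_login WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

SELECT name
FROM sys.sql_logins
WHERE is_policy_checked = 0 AND is_disabled = 0;
GO

-- 4a. Injection-prone pattern: the caller's input is spliced into SQL text, so a
--     quote character in @Name changes the statement that EXEC runs.
CREATE PROCEDURE dbo.FindCustomer_Unsafe (@Name nvarchar(100))
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = ''' + @Name + N''';';
    EXEC (@sql);
END;
GO

-- 4b. Hardened form: sp_executesql binds @Name as a typed parameter, so the input
--     is only ever data and is never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer (@Name nvarchar(100))
AS
BEGIN
    EXEC sys.sp_executesql
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @n;',
        N'@n nvarchar(100)',
        @n = @Name;
END;
GO

-- 5. Least privilege for the application account: EXECUTE on the procedure only,
--    no direct SELECT/INSERT rights on the table, so a compromised application
--    session is limited to what the procedure does.
GRANT EXECUTE ON OBJECT::dbo.FindCustomer TO app_login;
REVOKE SELECT ON OBJECT::dbo.Customers FROM app_login;
```

Step 1 only proves encryption for the session you are running; to require it for every client, set Force Encryption on the server's network protocol and provision a proper certificate, which is done in SQL Server Configuration Manager rather than in T-SQL.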

[Diagram: Local Area Network containing SQLSERVERA and WEBSERVERA]

[Diagram: Trusted and Untrusted zones with External/Client access; SQLSERVERA and WEBSERVERA placed in the trusted zone]

Security management domains:
- Access Management
- Network Access Protection
- Business Continuity
- Configuration Management
- Change Management
- Content Management
- Data Protection
- Data Lifecycle Management
- Disaster Recovery
- Encryption Key Management
- Identity Management
- Network Access Protection
- Intrusion Detection
- Retention Management
- Issue Management
- Surface Area Configuration
- Patch Management
- Security Updates
- Separation of Duties

References:
- technet.microsoft.com/en-us/library/cc aspx#BKMK_basic
- technet.microsoft.com/en-us/security/cc aspx
- checklists-on-technet-wiki.aspx
- v1.1.1.pdf

Tools:
- Portqry
- Network Monitor
- Nessus
- Metasploit
- EPM
- Windows Firewall: http://technet.microsoft.com/en-us/library/cc732283(WS.10).aspx