Enhance your SQL Server security skills with five quick steps


Kevin Beaver, CISSP
02.28.2007
Keeping your skills sharp is an essential requirement for a successful IT career. As a DBA or network administrator responsible for SQL Server, you obviously have to stay on top of the latest features Microsoft delivers, know how to manage Windows servers, and keep current not only with SQL specifics but also with a certain amount of programming logic. But there's more: information security, which is now being required of practically everyone involved in IT.

The basic concepts of security are pretty simple to comprehend. But if you're going to run rock-solid database systems, you need to know more about security than the importance of stored procedures, column encryption and strong passwords. Here are five things you can start on now to point yourself down the right path toward SQL Server security expertise.

1. Learn, and never forget, the basis of information risk: threats exploit vulnerabilities, which leads to business risk. If you understand this fundamental relationship, you'll have the foundation needed to make informed security decisions about your database systems from now until you retire. A threat is an agent or event with the intent or potential to cause disruption, damage or loss to your environment. Two simple examples are a "trusted" insider looking for trouble and a self-propagating worm looking for a way into your network. A vulnerability, in this context, is a weakness in a database system that a threat can exploit, such as a missing patch or a misconfiguration on your SQL Server. Risk is the likelihood that a threat will exploit a vulnerability, combined with the damage, disruption or loss that would result. Weigh threat, vulnerability and risk in every decision you make about SQL Server management and you'll be several steps ahead of your competition and of the threats going after your environment.

2. Set up a lab environment to get hands-on practice and experience. You can do this at work or at home using virtual machine software or an older, unused computer. Installing different SQL Server configurations, experimenting with various security settings, and hacking around to see what you can do with your database, any associated applications, and even the operating system is an excellent way to learn without disrupting production systems. Keep the lab on an isolated network segment or a host-only virtual network: the scanners, password crackers and exploit tools you will run there should never be able to reach production. If you're thinking that you don't have the software licenses or money available to set up your own learning environment, check out Microsoft's Action Pack. It's all the software you need at a heck of a price ($299US). Don't forget about the free, yet just as functional for this purpose, SQL Server 2005 Express Edition. You can, and should, also install and run various security testing tools to learn the ins and outs of database security, which leads me to my next point.

3. Get to know the various SQL Server-related security testing tools. Run port scans, reconnaissance scans, vulnerability tests, high-level configuration audits and even penetration tests to see what you can do, and do it only against your lab or systems you are explicitly authorized to test. You can use tools such as SuperScan, SQLPing, SQLRecon, QualysGuard, WebInspect, AppDetective, NGSSquirreL, Metasploit, and others. There is a practically unlimited array of security testing tools, both commercial and freeware. Even with the commercial tools, you can often get free trials and, as you'll see, you'll tend to get more value out of them. Chip Andrews has a good listing of free SQL Server tools on his SQLSecurity.com site as well. The WebGoat and Foundstone SASS Tools are also excellent application security learning tools you should get to know. I'll be covering them in a future tip.

4. Attend conferences where industry experts are sharing their independent perspectives and knowledge on information security. This includes national conferences put on by RSA, CSI, and SANS, as well as regional and local conferences put on by SecureWorld Expo, SANS and others. You'll not only learn security essentials, but you'll also stay up on the latest application and database security attacks and tools.

5. Read, read and read some more. Looking back on everything in my career, nothing stands out as helping me learn more about IT and security than reading what other people are writing. Subscribe to SQL Server-related magazines and newsletters, watch security-focused webcasts, and read security books that cover database security, such as The Database Hacker's Handbook and 19 Deadly Sins of Software Security. I think the 2600 Magazine and Blacklisted! 411 magazines are indispensable as well. Bottom line - reading is absolutely the best way to stay up on what's happening, as well as on the latest tools and techniques you can use in securing your databases.

Think you don't have enough time to read? Then take advantage of your downtime when traveling and listen to database, development and security-related podcasts and audiobooks. You can essentially turn the time you spend in your car, on the train, or on a bus into a "security university." At just an hour a day, you can get more than six full weeks' worth of training in a year simply by listening when you have nothing else to do. Podcasts and audiobooks are gold; take advantage of them. All of this will help you maintain your technical edge, something you absolutely have to do, at least to the extent that you can benefit from it in your job and your career.
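To make step 3 concrete, and to give you something to run against the lab from step 2, here is an added example of the kind of discovery that SQLPing and SQLRecon perform. It is my code, not code from the original tip or from any of the tools it names: a small SQL Server Resolution Protocol (SSRP) client that asks the SQL Server Browser service on UDP 1434 to list instances, then parses the reply. The hostname LAB01, the instance names and the sample reply bytes are constructed for offline testing (the version strings match real SQL Server 2005 RTM and SP2 builds). Run discover() only against hosts you are authorized to scan.

```python
"""SQL Server instance discovery over SSRP (UDP 1434), the protocol that
SQLPing and similar tools speak to the SQL Server Browser service.

Added example for this tip; not code from the original article or from any
tool it names. Wire format per Microsoft's MC-SQLR specification:
  request : 0x02 (list every instance) or 0x04 + instance name + NUL
  response: 0x05, 2-byte little-endian length, then an ASCII string of
            "key;value" pairs, with ";;" terminating each instance.
"""
import socket
import sys
from typing import Optional

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"      # ask for every instance on the host
CLNT_UCAST_INST = 0x04       # ask about one named instance
SVR_RESP = 0x05              # first byte of every Browser service reply

# Constructed sample reply for offline use: a default instance reachable on
# TCP 1433 (build 9.00.1399 = SQL Server 2005 RTM, unpatched) and a SQLEXPRESS
# instance (9.00.3042 = 2005 SP2) that only advertises a named pipe.
_SAMPLE_BODY = (
    b"ServerName;LAB01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;1433;;"
    b"ServerName;LAB01;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.3042.00;np;\\\\LAB01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = (bytes([SVR_RESP])
                   + len(_SAMPLE_BODY).to_bytes(2, "little")
                   + _SAMPLE_BODY)


def build_request(instance: Optional[str] = None) -> bytes:
    """CLNT_UCAST_EX when no instance is given, otherwise CLNT_UCAST_INST."""
    if instance is None:
        return CLNT_UCAST_EX
    return bytes([CLNT_UCAST_INST]) + instance.encode("ascii") + b"\x00"


def parse_ssrp_response(data: bytes) -> list:
    """Turn a SVR_RESP datagram into one dict per advertised instance.

    The reply comes from an unauthenticated UDP service, so it is treated as
    untrusted input: the declared length must fit inside the datagram, and a
    trailing unpaired field is dropped instead of being guessed at.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    size = int.from_bytes(data[1:3], "little")
    if size > len(data) - 3:
        raise ValueError("declared length exceeds datagram size")
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        pairs = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if "InstanceName" in pairs:
            instances.append(pairs)
    return instances


def summarize(instances: list) -> list:
    """One line per instance, saying how it can be reached over the network."""
    lines = []
    for inst in instances:
        if "tcp" in inst:
            reach = f"TCP port {inst['tcp']}"
        elif "np" in inst:
            reach = "named pipe only (no TCP listener advertised)"
        else:
            reach = "no listener advertised"
        lines.append(f"{inst.get('ServerName', '?')}\\{inst['InstanceName']} "
                     f"version {inst.get('Version', '?')} via {reach}")
    return lines


def discover(host: str, instance: Optional[str] = None,
             timeout: float = 2.0) -> list:
    """Send one SSRP request to host and return the parsed instance list."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(instance), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = discover(sys.argv[1])                   # live probe of a lab host
    else:
        found = parse_ssrp_response(SAMPLE_RESPONSE)    # offline demonstration
    print("\n".join(summarize(found)))
```

Run it with no arguments to parse the constructed reply, or with a lab hostname to probe a real Browser service. Notice what an unauthenticated UDP query hands an attacker: instance names, exact build numbers (and therefore patch level, a step 1 vulnerability) and the TCP port each instance listens on, which is exactly why the Browser service is a common hardening target.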

Learn about information security a little at a time and, before you know it, SQL Server security will become a way of thinking and working that is guaranteed to help you stand out above the noise.


ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2007 TechTarget

