Enhance your SQL Server security skills with five quick steps


By Kevin Beaver, CISSP
02.28.2007




Keeping your skills sharp is an essential requirement for a successful IT career. As a DBA or network administrator responsible for SQL Server, you obviously have to stay on top of the latest features Microsoft delivers, know how to manage Windows servers and keep current, not only with SQL specifics, but also with a certain amount of programming logic. But there's more. It's the element of information security that's being required of practically everyone involved in IT.

The basic concepts of security are pretty simple to comprehend. But if you're going to run rock-solid database systems, you'll need to know more about security than just the importance of stored procedures, column encryption and strong passwords. Here are five things you can start now to point yourself down the right path of building up your SQL Server security expertise.

1. Learn, and never forget, the basis of information risk: threats exploit vulnerabilities, which leads to business risk. If you understand this fundamental aspect of security, you'll create the foundation needed to make informed information security decisions, decisions affecting your database systems from now until you retire. Know that a threat is an indication of intent to cause disruption, damage or loss to your environment. Two simple examples are a "trusted" insider looking for trouble and a self-propagating worm looking to find its way into your environment. A vulnerability in this context is a database system weakness that can be maliciously exploited by a threat, such as a missing patch or a misconfiguration on your SQL Server. Risk is the likelihood that database system disruption, damage or loss would occur if a threat exploits a vulnerability. Apply this threat/vulnerability/risk model in every decision you make regarding SQL Server management and you'll be several steps ahead of your competition and the threats going after your environment.

2. Set up a lab environment to get hands-on practice and experience. You can do this at work or at home, using virtual machine software or an older, unused computer. Installing different SQL Server configurations, experimenting with various security settings, and hacking around to see what you can do with your database, any associated applications, and even the operating system is an excellent way to learn without disrupting production systems. If you're thinking that you don't have the software licenses or money available to set up your own learning environment, check out Microsoft's Action Pack. It's all the software you need at a heck of a price ($299US). Don't forget about the free -- yet just as functional for this purpose -- SQL Server 2005 Express Edition. You can, and should, also install and run various security testing tools to learn the ins and outs of database security, which leads me to my next point.

3. Get to know the various SQL Server-related security testing tools. Run port scans, reconnaissance scans, vulnerability tests, high-level configuration audits and even penetration tests to see what you can do. You can use tools such as SuperScan, SQLPing, SQLRecon, QualysGuard, WebInspect, AppDetective, NGSSquirreL, Metasploit, and others. There's literally an unlimited array of security testing tools, both commercial and freeware. Even with the commercial tools, you can often get free trials and, as you'll see, you'll tend to get more value out of them. Chip Andrews has a good listing of free SQL Server tools on his SQLSecurity.com site as well. The WebGoat and Foundstone SASS Tools are also excellent application security learning tools you should get to know. I'll be covering them in a future tip.

4. Attend conferences where industry experts are sharing their independent perspectives and knowledge on information security. This includes national conferences put on by RSA, CSI, and SANS, as well as regional and local conferences put on by SecureWorld Expo, SANS and others. You'll not only learn security essentials, but you'll also stay up on the latest application and database security attacks and tools.

5. Read, read and read some more. Looking back on everything in my career, nothing stands out as helping me learn more about IT and security than reading what other people are writing. Subscribe to SQL Server-related magazines and newsletters, watch security-focused webcasts, and read security books that talk about database security such as the Database Hacker's Handbook and 19 Deadly Sins of Software Security. I think the 2600 Magazine and Blacklisted! 411 magazines are indispensable as well. Bottom line - reading is absolutely the best way to stay up on what's happening, as well as the latest tools and techniques that you can use in securing your databases.

Think you don't have enough time to read? Then take advantage of your downtime when traveling and listen to database, development and security-related podcasts and audiobooks. In fact, you can essentially turn the time you spend in your car, on the train, or on a bus into a "security university." In just an hour a day, you can get more than six full weeks' worth of training in a year's time by simply listening when you have nothing else to do. Podcasts and audiobooks are gold - take advantage of them. All of this will help you maintain your technical edge - something you absolutely have to do - at least to the extent that you can benefit from it in your job and your career.

Learn about information security a little at a time and, before you know it, SQL Server security will become a way of thinking and working that's guaranteed to help you stand out above the noise.
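As a concrete starting point for the lab work in steps 2 and 3, here is an added T-SQL configuration audit (example code written for this page, not part of the original tip or any of the tools it names) that reviews the kind of settings those steps suggest experimenting with. It assumes a SQL Server 2005 or later instance and a login with sysadmin-level rights, which the server catalog views it reads require.

```sql
-- Added example: a high-level SQL Server security configuration audit.
-- Assumes SQL Server 2005 or later and a login able to read the server
-- catalog views (sys.sql_logins and sys.configurations need sysadmin rights).
-- Run it against a lab instance and compare the output with a known-good baseline.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT 'auth_mode' AS check_name,
       CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
            WHEN 1 THEN 'Windows only'
            ELSE 'Mixed mode (SQL logins allowed)'
       END AS finding;

-- 2. The built-in sa login (SID 0x01) should be disabled or renamed.
SELECT 'sa_login' AS check_name,
       name + CASE WHEN is_disabled = 1 THEN ' (disabled)' ELSE ' (ENABLED)' END AS finding
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. SQL logins with a blank password or a password equal to the login name,
--    plus logins that bypass the Windows password policy.
SELECT 'weak_sql_login' AS check_name,
       name AS finding,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password = login name'
            ELSE 'policy check off'
       END AS detail
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1
   OR is_policy_checked = 0;

-- 4. Members of the sysadmin fixed server role: every entry here is a full
--    administrator of the instance, so the list should be short and known.
SELECT 'sysadmin_member' AS check_name, m.name AS finding
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 5. Surface-area options that default to 0 (disabled); any row returned
--    means the feature has been turned on and should be justified.
SELECT 'surface_area' AS check_name, name AS finding,
       CAST(value_in_use AS int) AS enabled_value
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled')
  AND CAST(value_in_use AS int) <> 0;
```

Each result set is a finding, not a verdict: a mixed-mode instance or a CLR-enabled server can be perfectly legitimate, which is exactly the threat/vulnerability/risk judgement step 1 asks you to practise.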


ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2007 TechTarget



