Keeping your skills sharp is an essential requirement for a successful IT career. As a DBA or network administrator responsible for SQL
Server, you obviously have to stay on top of the latest features Microsoft delivers, know how to manage Windows servers and keep current, not only with SQL specifics, but also with a certain amount of programming logic. But there's more. It's the element of information security that's being required of practically everyone involved in IT.
The basic concepts of security are pretty simple to comprehend. But if you're going to run rock solid database systems, you're going to need to know more about security than just the importance of stored procedures, column encryption and strong passwords. Here are five things you can start now to point yourself down the right path of building up your SQL Server security expertise.
- Learn, and never forget, the basis of information risk: threats exploit vulnerabilities,
which lead to business risk. If you can understand this fundamental aspect of security, you'll
create the foundation needed to make informed information security decisions. These are decisions
affecting your database systems from now until you retire. Know that a threat is an indication of
intent to cause disruption, damage, or loss to your environment. Two simple examples are a
"trusted" insider looking for trouble, and a self-propagating worm looking to find its way into
your environment. A vulnerability in this context is a database system weakness that can be
maliciously exploited by a threat. This could be a missing patch or a misconfiguration on your SQL
Server. Risk is the likelihood that database system disruption, damage, or loss would occur
if a threat exploits a vulnerability. Apply this threat-vulnerability-risk relationship in every decision you make regarding SQL
Server management and you'll be several steps ahead of your competition and the threats going after
- Set up a lab environment to get hands-on practice and experience. You can do this at
work, or home, using virtual machine software or an older, unused computer. Installing different
SQL Server configurations, experimenting with various security settings, and hacking around to see
what you can do with your database, any associated applications, and even the operating system, is
an excellent way to learn without disrupting production systems. If you're thinking that you
don't have the software licenses or money available to set up your own learning environment, check
out Microsoft's Action Pack. It's all the software you need at a heck of a price ($299US). Don't
forget about the free -- yet just as functional for this purpose -- SQL Server 2005 Express
Edition. You can, and should, also install and run various security testing tools to learn the ins
and outs of database security, which leads me to my next point.
- Get to know the various SQL Server-related security testing tools. Run port scans,
reconnaissance scans, vulnerability tests, high-level configuration audits and even penetration
tests to see what you can do. You can use tools such as SuperScan, SQLPing, SQLRecon, QualysGuard,
WebInspect, AppDetective, NGSSquirreL, Metasploit, and others. There's a virtually unlimited array
of security testing tools -
both commercial and freeware. Even with the commercial tools, you can often get free trials and, as
you'll see, you'll tend to get more value out of them. Chip Andrews has a good listing of free SQL
Server tools on his SQLSecurity.com site as well. The WebGoat
and Foundstone SASS Tools are also excellent application security learning
tools you should get to know. I'll be covering them in a future tip.
- Attend conferences where industry experts are sharing their independent perspectives and
knowledge on information security. This includes national conferences put on by RSA, CSI, and SANS, as well as
regional and local conferences put on by SecureWorld Expo, SANS and others. You'll not only learn security essentials,
but you'll also stay up on the latest application and database security attacks and tools.
- Read, read and read some more. Looking back on everything in my career, nothing stands
out as helping me learn more about IT and security than reading what other people are writing.
Subscribe to SQL Server-related magazines and newsletters, watch security-focused webcasts, and
read security books that talk about database security such as the Database Hacker's Handbook and 19 Deadly Sins of Software Security. I think 2600 Magazine and Blacklisted! 411 are indispensable as well. Bottom line - reading is
absolutely the best way to stay up on what's happening, as well as the latest tools and techniques
that you can use in securing your databases.
Think you don't have enough time to read? Then take advantage of your downtime when traveling and listen to database, development and security-related podcasts and audiobooks. In fact, you can essentially turn the time you spend in your car, on the train, or in a bus into a "security university." In just an hour a day, you can get more than six full weeks' worth of training in a year's time by simply listening when you have nothing else to do. Podcasts and audiobooks are gold - take advantage of them. All of this will help you maintain your technical edge - something you absolutely have to do - at least to the extent that you can benefit from it in your job and your career.
Learn about information security a little at a time and before you know it, SQL Server security will become a way of thinking and working that's guaranteed to help you stand out above the noise.
ABOUT THE AUTHOR
Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2007 TechTarget
This was first published in February 2007