Performing a SQL Server Security Risk Assessment K. Brian Kelley, Microsoft Data Platform (SQL Server) MVP.

Presentation transcript:

1 Performing a SQL Server Security Risk Assessment
K. Brian Kelley, Microsoft Data Platform (SQL Server) MVP

2 Author
- Infrastructure and security architect
- Database Administrator / Architect
- Former Incident response team lead
- Certified Information Systems Auditor (CISA)
- SQL Server security columnist / blogger
- Editor for SQL Server benchmarks at Center for Internet Security

3 Agenda
- How to Present to Management
- Server Level Concerns
- Database Level Concerns
- Putting It All Together

4 Agenda
- How to Present to Management
- Server Level Concerns
- Database Level Concerns
- Putting It All Together

5 What We Usually Do
- We describe what can happen
- General assumptions are made
- Is this enough? NO!

6 What We Must Do
Answer these questions:
- How likely is an incident to occur in a year?
- How much will the damage cost?
- How much will remediation cost?

7 How Likely Is Hard
Let’s use a scale:
  – High
  – Medium
  – Low
Let’s color code the scale:
  – Red: High
  – Yellow: Medium
  – Green: Low

8 Example from the Community
Brent Ozar Unlimited’s sp_blitz

9 Other Community Resources
- Security Tips: https://www.mssqltips.com/sql-server-tip-category/19/security/
- Audit & Compliance Tips: https://www.mssqltips.com/sql-server-tip-category/35/auditing-and-compliance/
- My Tips (Heavily Security & Audit): https://www.mssqltips.com/sqlserverauthor/25/k.-brian-kelley/

10 Risk Assessment Types
Qualitative vs. Quantitative

11 Qualitative Example
An attacker breaches our web application:
  – Gets personal identification data
  – Gets credit card numbers
How likely?
  – Not very. We’re good!
What else?
  – Publicity hit.
  – Notifications.
Can we measure any of this?

12 Quantitative Example
Likelihood Estimate: Once every 3 years (or Medium/Yellow)
Total Cost: $43.5M
  – Customer Notification: $1.5M
  – Loss of Business: $37M
  – Fix Security Hole: $5M
Annual Loss Expectancy (ALE) = Cost X Likelihood in a Year
Our Example: $43.5M X (1/3) = $14.5M
Think we can get that extra 6 weeks for code review / security fixes now?

13 Do Quantitative Risk Assessment
- Yes, it is harder to do.
- Yes, it is more time consuming.
- But what does the Business work on?
- You provide reasons to justify spending.

14 Agenda
- How to Present to Management
- Server Level Concerns
- Database Level Concerns
- Putting It All Together

15 High Risk Items
- App/Dev use of sa
- App/Dev use of any sysadmin role members
- App/Dev use of securityadmin role members
- App/Dev use of IMPERSONATE as those logins
- App/Dev use of logins with CONTROL SERVER

16 Medium Risk Items
- Windows users (not groups) as logins
- SQL Server logins for people
- SQL Server logins when apps use Windows
- SQL Server logins that don’t use password policies

17 Low Risk Items
- “Too many” logins
- BUILTIN\Administrators
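The server-level items on slides 15 through 17 can be inventoried straight from the catalog views. The T-SQL below is an added example, not from the presentation or from sp_blitz; it assumes it is run by a sysadmin, and it only finds the logins and grants in question. Whether an application or developer actually uses a flagged login (the "App/Dev use" part of each item) still has to be confirmed by hand.

```sql
-- Server-level risk inventory keyed to the slides' High/Medium/Low scale.
-- Assumption: run as sysadmin. "App/Dev use" of a flagged login is a manual
-- follow-up; the catalog only shows who holds the privilege.
SELECT 'High' AS risk_level, 'sa login enabled' AS finding,
       name AS login_name, type_desc
FROM sys.server_principals
WHERE sid = 0x01 AND is_disabled = 0          -- sa keeps SID 0x01 even if renamed
UNION ALL
-- High: members of sysadmin / securityadmin (service SIDs excluded)
SELECT 'High', 'Member of ' + r.name, m.name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
  AND m.name NOT LIKE 'NT SERVICE\%' AND m.name NOT LIKE '##%'
UNION ALL
-- High: explicit CONTROL SERVER or IMPERSONATE grants
SELECT 'High',
       p.permission_name
         + CASE WHEN p.class = 101 THEN ' on ' + t.name ELSE '' END,
       g.name, g.type_desc
FROM sys.server_permissions p
JOIN sys.server_principals g ON g.principal_id = p.grantee_principal_id
LEFT JOIN sys.server_principals t                -- class 101 = server principal
       ON p.class = 101 AND t.principal_id = p.major_id
WHERE p.permission_name IN ('CONTROL SERVER', 'IMPERSONATE')
  AND p.state IN ('G', 'W')                      -- GRANT / GRANT WITH GRANT OPTION
UNION ALL
-- Medium: individual Windows users as logins (slide prefers groups)
SELECT 'Medium', 'Windows user login, not a group', name, type_desc
FROM sys.server_principals
WHERE type = 'U'                                 -- 'G' would be a Windows group
  AND name NOT LIKE 'NT SERVICE\%' AND name NOT LIKE 'NT AUTHORITY\%'
UNION ALL
-- Medium: SQL logins that opt out of the Windows password policy
SELECT 'Medium', 'Password policy not enforced', name, 'SQL_LOGIN'
FROM sys.sql_logins
WHERE is_policy_checked = 0 AND name NOT LIKE '##%'
UNION ALL
-- Low: BUILTIN\Administrators still has a login
SELECT 'Low', 'BUILTIN\Administrators login present', name, type_desc
FROM sys.server_principals
WHERE name = 'BUILTIN\Administrators'
ORDER BY 1, 2, 3;
```

The result set is what you carry into the write-up: each row already has the color-coded level from slide 7, so it can be counted and charted per level before any cost is attached.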

18 Agenda
- How to Present to Management
- Server Level Concerns
- Database Level Concerns
- Putting It All Together

19 High Risk Items
- App/Dev use of DB owner
- App/Dev use of db_owner role members
- App/Dev use of db_ddladmin role members
- Sensitive data which is not encrypted
- Improper backup/recovery scheme

20 Medium Risk Items
- Use of cross database ownership chaining unnecessarily
- Users having direct update access

21 Low Risk Items
- Use of db_datareader and db_datawriter roles
- Use of dbo schema

22 Agenda
- How to Present to Management
- Server Level Concerns
- Database Level Concerns
- Putting It All Together

23 Putting It All Together
You want a formal write-up:
- Executive Summary
- Order Your Information
- Prepare Auxiliary Documents

24 How to Build the Write-Up
1. Order your information first
2. Prepare your auxiliary documents next
3. Then write the bulk of your report
4. Finish with the executive summary

25 Tips for Acceptance
- “A picture is worth a thousand words”
- Prioritized charts help
- Communicate in money
- Pick your battles

26 Questions and Wrap-up

