Performing a SQL Server Security Risk Assessment K. Brian Kelley, Microsoft Data Platform (SQL Server) MVP

Author Page 2 Infrastructure and security architect Database Administrator / Architect Former Incident response team lead Certified Information Systems Auditor (CISA) SQL Server security columnist / blogger Editor for SQL Server benchmarks at Center for Internet Security

Agenda Page How to Present to Management Server Level Concerns Database Level Concerns Putting It All Together 3

Agenda Page How to Present to Management Server Level Concerns Database Level Concerns Putting It All Together 4

What We Usually Do We describe what can happen General assumptions are made Is this enough? NO!

What We Must Do Answer these questions: How likely is an incident to occur in a year? How much will the damage cost? How much will remediation cost?

How Likely Is Hard Let’s Use a Scale: –High –Medium –Low Let’s Color Code the Scale –Red: High –Yellow: Medium –Green: Low 7

Example from the Community Brent Ozar Unlimited’s sp_blitz: 8

Other Community Resources Security Tips: Audit & Compliance Tips: compliance/ My Tips (Heavily Security & Audit): 9

Risk Assessment Types Qualitative vs. Quantitative 10

Qualitative Example An attacker breaches our web application: –Gets personal identification data –Gets credit card numbers How likely? –Not very. We’re good! What else? –Publicity hit. –Notifications. Can we measure any of this?

Quantitative Example Likelihood Estimate: Once every 3 years (or Medium/Yellow) Total Cost: $43.5M –Customer Notification: $1.5M –Loss of Business: $37M –Fix Security Hole: $5M Annual Loss Expectancy (ALE) = Cost X Likelihood in a Year Our Example: $43.5M X (1/3) = $14.5M Think we can get that extra 6 weeks for code review / security fixes now?

Do Quantitative Risk Assessment Yes, it is harder to do. Yes, it is more time consuming. But what does the Business work on? You provide reasons to justify spending.

Agenda Page How to Present to Management Server Level Concerns Database Level Concerns Putting It All Together 14

High Risk Items App/Dev use of sa App/Dev use of any sysadmin role members App/Dev use of securityadmin role members App/Dev use of IMPERSONATE as those logins App/Dev use of logins with CONTROL SERVER 15

Medium Risk Items Windows users (not groups) as logins SQL Server logins for people SQL Server logins when apps use Windows SQL Server logins that don’t use password policies 16

Low Risk Items “Too many” logins BUILTIN\Administrators 17

Agenda Page How to Present to Management Server Level Concerns Database Level Concerns Putting It All Together 18

High Risk Items App/Dev Use of DB owner App/Dev Use of db_owner role members App/Dev Use of db_ddladmin role members Sensitive data which is not encrypted Improper backup/recovery scheme 19

Medium Risk Items Use of cross database ownership chaining unnecessarily Users having direct update access 20

Low Risk Items Use of db_datareader and db_datawriter roles Use of dbo schema 21

Agenda Page How to Present to Management Server Level Concerns Database Level Concerns Putting It All Together 22

Putting It All Together You Want a Formal Write-Up Executive Summary Order Your Information Prepare Auxiliary Documents 23

How to Build the Write-Up Order Your Information First Prepare Your Auxiliary Documents Next Then Write the Bulk of Your Report Finish with the Executive Summary 24

Tips for Acceptance “A picture is worth a thousand words” Prioritized charts help Communicate in money Pick your battles 25

Questions and Wrap-up 26