Performing a SQL Server Security Risk Assessment

Presentation transcript:

Slide 1: Performing a SQL Server Security Risk Assessment
K. Brian Kelley

Slide 2: About Me
- Infrastructure and security architect
- Database Administrator / Architect
- Former incident response team lead
- Certified Information Systems Auditor (CISA)
- SQL Server security columnist / blogger
- Editor for SQL Server benchmarks at the Center for Internet Security

Slide 3: Contact Information
K. Brian Kelley
Infrastructure/Security Blog:
Personal Development Blog:

Slide 4: Agenda
- How to Present to Management
- Server Level Concerns
- Database Level Concerns
- Putting It All Together

Slide 5: Agenda (section divider, same four items)

Slide 6: What We Usually Do
- We describe what can happen
- General assumptions are made
- Is this enough? NO!

Slide 7: What We Must Do
Answer these questions:
- How likely is an incident to occur in a year?
- How much will the damage cost?
- How much will remediation cost?

Slide 8: How Likely Is Hard
Let's use a scale: High, Medium, Low.
Let's color code the scale: Red = High, Yellow = Medium, Green = Low.

Slide 9: Example from the Community
Brent Ozar Unlimited's sp_blitz:

Slide 10: Risk Assessment Types
Qualitative vs. Quantitative

Slide 11: Qualitative Example
An attacker breaches our web application:
- Gets personal identification data
- Gets credit card numbers
How likely? Not very. We're good!
What else? Publicity hit. Notifications.
Can we measure any of this?

Slide 12: Quantitative Example
Likelihood estimate: once every 3 years (or Medium/Yellow)
Total cost: $43.5M
- Customer notification: $1.5M
- Loss of business: $37M
- Fix security hole: $5M
Annual Loss Expectancy (ALE) = Cost x Likelihood in a Year
Our example: $43.5M x (1/3) = $14.5M
Think we can get that extra 6 weeks for code review / security fixes now?

Slide 13: Do Quantitative Risk Assessment
- Yes, it is harder to do.
- Yes, it is more time consuming.
- But what does the Business work on? You provide reasons to justify spending.

Slide 14: Agenda (section divider: How to Present to Management; Server Level Concerns; Database Level Concerns; Putting It All Together)

Slide 15: High Risk Items (Server Level)
- App/Dev use of sa
- App/Dev use of any sysadmin role members
- App/Dev use of securityadmin role members
- App/Dev use of IMPERSONATE as those logins
- App/Dev use of logins with CONTROL SERVER

Slide 16: Medium Risk Items (Server Level)
- Windows users (not groups) as logins
- SQL Server logins for people
- SQL Server logins when apps use Windows
- SQL Server logins that don't use password policies

Slide 17: Low Risk Items (Server Level)
- "Too many" logins
- BUILTIN\Administrators
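As an added example (not part of the presentation), the following T-SQL inventories the server-level items from slides 15 through 17 using SQL Server's catalog views; it assumes SQL Server 2005 or later and a connection with rights to see all principals and permissions. Whether a flagged login is "App/Dev" use is a judgement the catalog cannot make, so each row is a candidate to confirm with the login's owner.

```sql
-- Added server-level audit query mirroring slides 15-17 (not from the talk).
-- "App/Dev use" cannot be read from the catalog, so every row is a review
-- candidate to be confirmed against who actually owns the login.
;WITH findings AS (
    -- High: sa and any other member of sysadmin or securityadmin
    SELECT 'High' AS risk, 'Member of ' + r.name AS finding, m.name AS principal_name
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name IN ('sysadmin', 'securityadmin')
    UNION ALL
    -- High: explicit CONTROL SERVER grant (practically equivalent to sysadmin)
    SELECT 'High', 'CONTROL SERVER granted', p.name
    FROM sys.server_permissions sp
    JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
    WHERE sp.class_desc = 'SERVER' AND sp.permission_name = 'CONTROL SERVER'
      AND sp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
    UNION ALL
    -- High: IMPERSONATE on another login (grantee inherits that login's rights)
    SELECT 'High', 'IMPERSONATE on ' + t.name, p.name
    FROM sys.server_permissions sp
    JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
    JOIN sys.server_principals t ON t.principal_id = sp.major_id
    WHERE sp.class_desc = 'SERVER_PRINCIPAL' AND sp.permission_name = 'IMPERSONATE'
      AND sp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
    UNION ALL
    -- Medium: individual Windows users (not groups) as logins; service SIDs skipped
    SELECT 'Medium', 'Windows user login (not a group)', name
    FROM sys.server_principals
    WHERE type_desc = 'WINDOWS_LOGIN'
      AND name NOT LIKE 'NT SERVICE\%' AND name NOT LIKE 'NT AUTHORITY\%'
    UNION ALL
    -- Medium: SQL logins that do not enforce the Windows password policy
    SELECT 'Medium', 'SQL login without password policy', name
    FROM sys.sql_logins
    WHERE is_policy_checked = 0
    UNION ALL
    -- Low: the local Administrators group still holds a login
    SELECT 'Low', 'BUILTIN\Administrators login present', name
    FROM sys.server_principals
    WHERE name = 'BUILTIN\Administrators'
)
SELECT risk, finding, principal_name
FROM findings
WHERE principal_name NOT LIKE '##%'   -- skip internal certificate-mapped logins
ORDER BY CASE risk WHEN 'High' THEN 1 WHEN 'Medium' THEN 2 ELSE 3 END,
         finding, principal_name;
```

The risk column follows the slides' High/Medium/Low scale, so the result set can be dropped straight into the color-coded chart the talk recommends.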

Slide 18: Agenda (section divider: How to Present to Management; Server Level Concerns; Database Level Concerns; Putting It All Together)

Slide 19: High Risk Items (Database Level)
- App/Dev use of the DB owner
- App/Dev use of db_owner role members
- App/Dev use of db_ddladmin role members
- Sensitive data which is not encrypted
- Improper backup/recovery scheme

Slide 20: Medium Risk Items (Database Level)
- Use of cross-database ownership chaining unnecessarily
- Users having direct update access

Slide 21: Low Risk Items (Database Level)
- Use of db_datareader and db_datawriter roles
- Use of the dbo schema

Slide 22: Agenda (section divider: How to Present to Management; Server Level Concerns; Database Level Concerns; Putting It All Together)

Slide 23: Putting It All Together
You want a formal write-up:
- Executive Summary
- Order your information
- Prepare auxiliary documents

Slide 24: How to Build the Write-Up
1. Order your information first
2. Prepare your auxiliary documents next
3. Then write the bulk of your report
4. Finish with the Executive Summary

Slide 25: Tips for Acceptance
- "A picture is worth a thousand words"
- Prioritized charts help
- Communicate in money
- Pick your battles

Slide 26: Visualized Data

Slide 27: Prioritized Chart Example

Slide 28: Agenda (section divider: How to Present to Management; Server Level Concerns; Database Level Concerns; Putting It All Together)

Slide 29: Contact Information
K. Brian Kelley
Infrastructure/Security Blog:
Personal Development Blog:

