December 1, 2011 at 9:40 pm
Comments posted to this topic are about the item A Welcome Intruder
December 1, 2011 at 9:43 pm
I have participated in penetration testing on occasion helping to penetrate and test security. It's fun and scary at the same time. Always take the findings and report them up the chain of command.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
December 1, 2011 at 11:41 pm
I've participated in intrusion/penetration tests, too.
We thought we were in good shape until the person we got in to perform the test found a piece of software on our system which had silently installed SQL2000 as a back end with a login and pwd widely spread across the internet. Even worse, this login had privileges to run xp_cmdshell and could not be altered.
Within a few seconds he had his own login at the system with admin privileges. He asked us if he should escalate to domain admin privileges...
That stuff was way beyond just being scary. Consequence: A few days later the software in question got upgraded to a SQL2005 backend with locked down privileges.
The positive parts about it: any approach to break into our system from the outside failed (and I expect that guy tried more than just the "simple ways"...). And we've learned how to look for such holes and close them.
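A quick audit for the two conditions described in the post above, added here as an example and not something posted in the original thread: whether xp_cmdshell is enabled on the instance, which principals can reach it (sysadmin membership, or an explicit EXECUTE grant in master), and which SQL logins still carry a blank password or one equal to the login name, which is what a "widely spread" vendor credential usually comes down to. It assumes SQL Server 2005 or later (the sys.* catalog views and PWDCOMPARE do not exist on SQL 2000, which is one reason the upgrade in the post mattered) and a sysadmin connection, since password hashes are not visible otherwise. The login name in the remediation step is a placeholder.

```sql
USE master;
GO

-- 1. Is xp_cmdshell enabled at all?  value_in_use = 1 means anyone who can
--    EXECUTE it runs OS commands as the SQL Server service account.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Who is sysadmin?  Every member can call xp_cmdshell once it is enabled,
--    so an application login in this list is the hole described in the post.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');          -- SQL login, Windows login, Windows group

-- 3. Non-sysadmin principals granted EXECUTE on xp_cmdshell directly.
--    The grant lives in master, class 1 = object permission.
SELECT USER_NAME(dp.grantee_principal_id) AS grantee,
       dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
WHERE dp.class = 1
  AND dp.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 4. SQL logins with a blank password or a password equal to the login name.
--    PWDCOMPARE checks a clear-text candidate against the stored hash.
SELECT l.name, l.is_disabled,
       CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1   THEN 'blank password'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'password = login name'
       END AS weakness
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1;

-- 5. Remediation when the application does not genuinely need OS access:
--    drop the direct grant and switch the feature off.  [app_login] is a
--    placeholder for whatever step 3 returned.
-- REVOKE EXECUTE ON sys.xp_cmdshell FROM [app_login];
-- EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
```

Step 4 only catches the two weakest cases; a vendor default such as a fixed product password needs the actual value passed to PWDCOMPARE, and a login that "could not be altered" because the application hard-codes it is a reason to contain the login (no sysadmin, no xp_cmdshell) rather than a reason to leave it.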
December 2, 2011 at 12:42 am
We have an external company doing security audits on all external facing systems every three months. Sure, it's canned tests with some manual follow up on potential holes, but it's better than nothing, and they've certainly helped us close several holes in security - including SQL injection on some VERY old web sites. New exploits pop up all the time so it's important to do regular testing I think.
A couple of times we've also had a consultant "attack" some very important websites, to ensure that no one could get to restricted information.
December 2, 2011 at 3:13 am
I certainly do perform various tests on our application, database and infrastructure security, but I only see that as the first layer. I'm not a security expert, so my coding, my administration and my testing can only find issues to a certain level. That's good as a means for ensuring we're consistently following best practice, and it's an effective first pass. However, for many of our applications - and particularly anything public-facing - we follow up that first pass with something more rigorous from true experts in that field.
As has been said many a time before, security is a matter of layers. In my opinion, so should the testing be.
Semper in excretia, suus solum profundum variat
December 2, 2011 at 6:44 am
PCI compliance (https://www.pcisecuritystandards.org/) requires periodic scanning by a third party for common/known security issues. We don't store any credit card information, but we still have to get the scans done for compliance purposes. It's essentially penetration testing.
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
December 2, 2011 at 7:08 am
GSquared (12/2/2011)
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
Good for you. A few others were not as lucky.
December 2, 2011 at 7:18 am
The easiest way to penetrate a system is to have the password. As long as there are phones out there with rootkits capturing URLs and keystrokes, none of our systems are truly secure.
The three biggest mistakes in life...thinking that power = freedom, sex = love, and data = information.
December 2, 2011 at 7:39 am
IMHO (12/2/2011)
The easiest way to penetrate a system is to have the password. As long as there are phones out there with rootkits capturing URLs and keystrokes, none of our systems are truly secure.
No need to have such technical expertise. Social means, like calling users feigning that you're from IT and requesting user/pwd info is frighteningly effective.
On the flipside, it's also very effective for SAs and DBAs to have automated scanners check your logs every few minutes for errors, like, oh, I don't know, login failures. If anything, it allows me to continue putting down "DB monitoring" into my timesheet without being questioned after catching the penetration testers. 🙂
Rich
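The kind of login-failure check the post above describes, written out as an added example (not code from the original thread): a T-SQL batch that parses SQL Server ERRORLOG "Login failed" lines, groups them by client address over a time window, and reports any address over a threshold together with how many distinct login names it tried, which separates a user mistyping a password from a tester or attacker spraying logins. The log lines here are constructed to match the real message shape and are loaded into a temp table; the commented-out xp_readerrorlog call shows where a scheduled job would read the live log instead (xp_readerrorlog is undocumented, and the argument order shown is an assumption). @Now is pinned to the sample data's date so the example runs as-is; a job would use GETDATE().

```sql
DECLARE @WindowMinutes int = 15,      -- look-back window for the job's run
        @Threshold     int = 5,       -- failures per client that warrant a page
        @Now           datetime = '2011-12-02 07:30:00';   -- GETDATE() in production

CREATE TABLE #ErrorLog (LogDate datetime, ProcessInfo nvarchar(50), [Text] nvarchar(max));

-- Real log:  INSERT INTO #ErrorLog EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
-- Constructed sample lines below, same layout as the ERRORLOG.
INSERT INTO #ErrorLog (LogDate, ProcessInfo, [Text]) VALUES
('2011-12-02 07:18:01.230', N'Logon', N'Error: 18456, Severity: 14, State: 8.'),
('2011-12-02 07:18:01.230', N'Logon', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]'),
('2011-12-02 07:18:03.110', N'Logon', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]'),
('2011-12-02 07:18:05.870', N'Logon', N'Login failed for user ''admin''. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.30.40]'),
('2011-12-02 07:18:06.400', N'Logon', N'Login failed for user ''app_user''. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.30.40]'),
('2011-12-02 07:18:09.020', N'Logon', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 10.20.30.40]'),
('2011-12-02 07:21:44.500', N'Logon', N'Login failed for user ''jsmith''. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.15]'),
('2011-12-02 06:02:10.000', N'Logon', N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 10.99.0.7]');

;WITH parsed AS (
    SELECT LogDate,
           -- login name sits between the first pair of single quotes
           SUBSTRING([Text],
                     CHARINDEX('''', [Text]) + 1,
                     CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                       - CHARINDEX('''', [Text]) - 1)                  AS LoginName,
           -- client address sits inside the trailing [CLIENT: x.x.x.x]; '[CLIENT: ' is 9 chars
           SUBSTRING([Text],
                     CHARINDEX('[CLIENT: ', [Text]) + 9,
                     CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                       - CHARINDEX('[CLIENT: ', [Text]) - 9)            AS ClientAddr
    FROM #ErrorLog
    WHERE [Text] LIKE 'Login failed for user%'
      AND [Text] LIKE '%[[]CLIENT: %'          -- skip the "Error: 18456" companion lines
)
SELECT ClientAddr,
       COUNT(*)                  AS Failures,
       COUNT(DISTINCT LoginName) AS DistinctLogins,   -- > 1 suggests spraying, not a typo
       MIN(LogDate)              AS FirstSeen,
       MAX(LogDate)              AS LastSeen
FROM parsed
WHERE LogDate >= DATEADD(MINUTE, -@WindowMinutes, @Now)
GROUP BY ClientAddr
HAVING COUNT(*) >= @Threshold
ORDER BY Failures DESC;

DROP TABLE #ErrorLog;
```

On the sample data only 10.20.30.40 is returned (5 failures across 3 login names within the window); 192.168.1.15 has a single failure and 10.99.0.7 falls outside the 15-minute window. For this to be worth anything the instance must be logging failed logins (the "Failed logins only" or "Both" login auditing setting), and the job should run a little more often than the window it inspects so bursts at the boundary are not missed.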
December 2, 2011 at 8:23 am
Steve Jones - SSC Editor (12/2/2011)
GSquared (12/2/2011)
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
Good for you. A few others were not as lucky.
I'm not sure how anyone would actually know they were unsuccessfully attacked by anonymous. There are plenty of wannabes out there. The only real way to tell is if the attacker is actually unmasked and investigated.
...
-- FORTRAN manual for Xerox Computers --
December 2, 2011 at 10:21 am
jay holovacs (12/2/2011)
Steve Jones - SSC Editor (12/2/2011)
GSquared (12/2/2011)
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
Good for you. A few others were not as lucky.
I'm not sure how anyone would actually know they were unsuccessfully attacked by anonymous. There are plenty of wannabes out there. The only real way to tell is if the attacker is actually unmasked and investigated.
You can tell if you are running a decoy server. If they get on the decoy and attempts to break in cease, you can chalk that one up as a thwarted attempt.
December 2, 2011 at 10:55 am
jay holovacs (12/2/2011)
Steve Jones - SSC Editor (12/2/2011)
GSquared (12/2/2011)
We were also attacked by Anonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.
Good for you. A few others were not as lucky.
I'm not sure how anyone would actually know they were unsuccessfully attacked by anonymous. There are plenty of wannabes out there. The only real way to tell is if the attacker is actually unmasked and investigated.
Trust me, it's a known thing. Can't go into details, but we definitely were unsuccessfully attacked a while back, and it was definitely that group. Any more than that would violate NDAs, but there's no doubt on this one.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
December 2, 2011 at 11:08 am
GSquared (12/2/2011)
. . . Any more than that would violate NDAs, but there's no doubt on this one.
I think that is the limitation of the discussion on this topic: if you really do something about security, you are not allowed to talk about it, and even less share what happened or did not happen and with what outcome.
December 2, 2011 at 11:09 am
We use scanning software against our sites and we have also had third parties run scans and other penetration attempts. From this we have made a number of improvements to our security layers.
The probability of survival is inversely proportional to the angle of arrival.