November 17, 2010 at 8:45 pm
Comments posted to this topic are about the item The DBA Disconnect
November 17, 2010 at 11:18 pm
Aw shoot, Steve - I love your editorials but please do not generalize.
How about this: strong passwords have to be changed every 70 days. Giving your password to anybody, no matter how grave the crisis, means being fired on the spot, no severance pay. Printing personally identifiable information and not picking the printed pages up within five minutes, fired on the spot, no severance...
Is that lax?
November 18, 2010 at 6:02 am
Most security breaches I have seen in my career have a primary cause; that thing that haunts us all, all over the country and indeed the world - stupidity. I know of a few companies who really did a fantastic job of security at their site, with all serious intents - and then someone left their laptop in an airport or hotel lobby, and whammo, security was breached so to speak. I've heard stories of data on flash drives being stolen from companies with a real serious focus on security. And most exemplary of all, the recent data heist in my area where two young lads drove through a parking lot with a couple laptops and stole over 300,000 credit card numbers by hacking into a wireless network that was deemed 'highly secure'.
Lets face it, Microsoft could build all sorts of security features into SQL Server, but if some uh, 'professional' (read: idiot) then leaves their laptop where an enterprizing criminal is going to just walk away with it, how do you then blame Microsoft or SQL Server itself?
I am not sure most DBA's are totally up to speed on every possible security tactic, and sure, one might blame them - but in the end if someone is simply going to leave a laptop, flash drive, or other media where a criminal can just pick it up and walk away with it, can you really blame or criticize a DBA? I don't think so.
Sure, there may be a DBA disconnect, but for my two cents its far more likely that a marketing moron, or sales simpleton is going to be the likely point of breaching, than the DBA who is trying his or her best.
November 18, 2010 at 6:04 am
Revenant (11/17/2010)
Aw shoot, Steve - I love your editorials but please do not generalize.How about this: strong passwords have to be changed every 70 days. Giving your password to anybody, no matter how grave the crisis, means being fired on the spot, no severance pay. Printing personally identifiable information and not picking the printed pages up within five minutes, fired on the spot, no severance...
Is that lax?
Not sure what fault you're finding in the editorial here, your suggestions (other than the strong password one) aren't something that a DBA could implement in a company, it would have to come from the HR policies.
Incidentally, that last one could be solved by having a PIN that you have to enter in order to print a job, so that you can send as much as you want to the printer, but it won't print out until you're there to pick it up.
---------------------------------------------------------
How best to post your question[/url]
How to post performance problems[/url]
Tally Table:What it is and how it replaces a loop[/url]
"stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
November 18, 2010 at 6:45 am
Most "security breaches" are still insider work. People who have legitimate access to data, who misuse that, or who are duped into giving it away. That's not really something any IT person, DBA or otherwise, can proof a company against, nor really can anyone.
Raising awareness of security practices is all you can do in any area you don't have authority over. And have a plan in place, if possible, for what do if there's a breach.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
November 18, 2010 at 7:20 am
Security is one of those things that can so easily get cut. In planning meetings the decision is made to reduce the budget for security because "we have not had a breach so why do we need to spend so much on security?". It is one of those things that is impossible to determine if it is working correctly because when security is working there is no activity. π
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 β Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
November 18, 2010 at 7:34 am
Perhaps it's my blue-collar heritage, but I don't really have all that much concern for how management deals with security issues. I tell them what little I know, tell them about consultants that are well-respected in the field, and then implement as much or as little as they choose.
I try to keep myself (and them) informed as to legal issues and take personal action to protect myself, including always acting to keep myself on the right side of the law.
As long as I've done my duty with respect to informing them to the best of my ability, the rest is their problem. Some people (like me, I hope), learn from others. Some people learn only from direct personal experience. I can't do much to change that, so I try not to worry too much about it.
November 18, 2010 at 8:51 am
Ron,
That's how I've tended to view things. I do what I can, educate people, explain risks and recommendations with a "why" and then let management decide.
I think it helps to make sure they are aware at each point what the security risks or implications are, but beyond that there's not much more to do except follow the path they choose.
November 18, 2010 at 9:13 am
Ron Porter (11/18/2010)
Perhaps it's my blue-collar heritage, but I don't really have all that much concern for how management deals with security issues. I tell them what little I know, tell them about consultants that are well-respected in the field, and then implement as much or as little as they choose.I try to keep myself (and them) informed as to legal issues and take personal action to protect myself, including always acting to keep myself on the right side of the law.
As long as I've done my duty with respect to informing them to the best of my ability, the rest is their problem. Some people (like me, I hope), learn from others. Some people learn only from direct personal experience. I can't do much to change that, so I try not to worry too much about it.
βThere are three kinds of men. The one that learns by reading. The few who learn by observation. The rest of them have to pee on the electric fence for themselves.β
-Will Rogers
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
November 18, 2010 at 10:13 am
Sean Lange (11/18/2010)
Security is one of those things that can so easily get cut. In planning meetings the decision is made to reduce the budget for security because "we have not had a breach so why do we need to spend so much on security?". It is one of those things that is impossible to determine if it is working correctly because when security is working there is no activity. π
I've seen this at a couple of places. It's kind of like when a community won't do anything about a dangerous intersection until a serious accident or death occurs. Then, it's time.
It's also like the Y2K problem. January 2, 2000, many people were saying that all the money spent on reprogramming for Y2K was useless because nothing happened. Well, nothing happened because money was spent reprogramming.
November 18, 2010 at 10:36 am
How many of you have implemented/installed software that "requires" one or more of the following to work:
1) "sa" as the login
2) Default unchangeable login names that can be found via Google
3) Default unchangeable passwords that can be found via Google
4) "sysadmin" server role
5) "db_owner" DB role
Once upon a time, an ERP vendor had the audacity to brag how they had a secure setup, and when I demonstrated a gaping hole in the "security", I was labeled an obstructionist by the vendor. And then I got thrown under the bus by my employer.
Security schmecurity! Who cares?
[sigh]
Rich
November 18, 2010 at 10:40 am
richj-826679 (11/18/2010)
How many of you have implemented/installed software that "requires" one or more of the following to work:1) "sa" as the login
2) Default unchangeable login names that can be found via Google
3) Default unchangeable passwords that can be found via Google
4) "sysadmin" server role
5) "db_owner" DB role
Once upon a time, an ERP vendor had the audacity to brag how they had a secure setup, and when I demonstrated a gaping hole in the "security", I was labeled an obstructionist by the vendor. And then I got thrown under the bus by my employer.
Security schmecurity! Who cares?
[sigh]
Rich
Well, most of our commercial installs use those kinds of 'security' models. The vendors don't like me, but at least my boss understands that I'm not just being obstructionist.
November 18, 2010 at 10:42 am
Thanks for summing up this week's internal battle in one paragraph!
Developers wanting sysadmin rights and I can't override it as they come under a different management chain and their boss overrides mine. Petty politics that I really hate. I'm now locking other bits down so they can't harm anything else. But I wish something would happen to make them more aware.:angry:
November 18, 2010 at 11:47 am
P Jones (11/18/2010)
Thanks for summing up this week's internal battle in one paragraph!Developers wanting sysadmin rights and I can't override it as they come under a different management chain and their boss overrides mine. Petty politics that I really hate. I'm now locking other bits down so they can't harm anything else. But I wish something would happen to make them more aware.:angry:
I just document my issue, keep track, and when things break, I give them the "I told you so, would you like to change this." If they don't, we repeat. I can do this all day. Ultimately the developers take the hit.
If they never screw up, I'm OK with that. I'm not trying to ruin their lives, just trying to make things more stable and protected. If the developers respect that, then they can have admin rights. Note I'm not confident they well, so I document things.
November 19, 2010 at 9:44 am
I'm surprised no one has commented on the actual article that Steve referenced. Personally it annoyed the hell out of me, especially the headline grabbing conclusions which to my mind show a complete disconnect with the real world, and a rose tinted view of how things should be within large organisations.
For instance, "a full 40 percent of them couldn't even tell surveyors the state of their security budget growth during the past year. And 57 percent had no clue how much security breaches cost their organizations in the past year."
"And yet at the same time, they lack a grasp of the overall security objectives, budget details, and strategies across the entire organization."
Ignoring the fact that depending on how it was worded, that sounds like the kind of question I wouldn't be happy answering in a simple survey, why is it a surprise that they don't know? I've only worked in small companies, and we've never known ALL the details of what goes on in terms of budgets, costs etc, in a large organisation, why would you expect them to know that kind of detail about complete company budgets.
"A lot of these people could not tell us what's going on across the organization in information security. What's happening is they're taking good care of their particular domains: Their production databases, for example, are well-locked down. But they don't have a sense of what's going across the organization, and management isn't open to the sharing of information across the organization."
How is that a DBA disconnect? Do all the Server, Systems, Network, Telecomms admins / engineers / managers know those details? They also have a role to play in security just as much as the DBA's. Our job surely is to look after the things we are responsible to the best of our ability, keep things secure, and where we see something is required, raise it up the line as a concern. There are lots of things we can do without ever needing to know about budgets, we recommend things, explain the need, the benefits and the costs, and those above choose whether to accept that recommendation. Unless you're in a budget controlling position which I doubt many of us are, that's all you can hope to do.
Viewing 15 posts - 1 through 15 (of 15 total)
You must be logged in to reply to this topic. Login to reply