TomThomson (8/13/2014)

---

Yeah, sure, so...

venoym (8/13/2014)

---

K. Brian Kelley (8/12/2014)

---

patrickmcginnis59 10839 (8/12/2014)

---

I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and...

patrickmcginnis59 10839 (8/12/2014)

---

I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you...

venoym (8/12/2014)

---

K. Brian Kelley (8/11/2014)

---

venoym (8/11/2014)

---

I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level...

John Hanrahan (8/11/2014)

---

That sounds like Auditors who know their stuff. I have been through audit after audit the last few years and have found from an IT perspective the...

JoeS 3024 (8/11/2014)

---

The points about Education and Core garbage is right, there is a lot of fighting and unnecessary stuff going on about that. Which is why it's a...

Eric M Russell (8/11/2014)

---

Microsoft, after taking some hits for their "insecure by default" configurations and applications, tightened things up greatly. It caused project time lines to be extended and delayed...

JoeS 3024 (8/11/2014)

---

If we really want this to start changing then get it into the schools (grade schools where computer learning starts now a day) and start explaining to the...

venoym (8/11/2014)

---

I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot...

chrisn-585491 (8/11/2014)

---

It doesn't help if a DBA or developer cares about security, if their boss and the rest of the org table doesn't. It's time for the C-levels to actually...

HASHBYTES() itself does not support a parameter for a salt. You'll have to be a little creative, like so:

Adding Salt to HASHBYTES() (StackOverflow)

Jeff,

I wouldn't make that assumption. We've only been given limited info from the forensics done thus far. We've been told:

- tcp/1433 was exposed.

- A SQL Server Agent...

In that case, you should also make it so that DBAs only have read privs. 😉 There's no difference here between running a bad xp_CmdShell command...

muthyala_51 (4/3/2014)

---

If we disable sa login on the server and all the database owners are sa. Do we see any conflicts in the reboot of the machine or restart of...

Dealing with the compromise

If you're only worried about this individual SQL Server, you all are thinking too narrowly.

What typically happens is an attacker gets control of one system and then...