Thursday, July 20, 2006

Closing down this blog

I've done more posting on the SQL Server Central side and I've decided to focus my efforts there. You can read my future blog posts at:

Tuesday, July 11, 2006

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

Found this link on one of the security mailing lists I peruse. You can find an archive of the original post here. Here is the link:

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

This should be of interest to not only DBAs, but also system administrators, managers, HR personnel, etc. There are many ways data can be breached... it's not just an insecure database. Quite a few of these are equipment related (stolen backup tapes, stolen laptops, etc.), which underscores the human element. This is further reinforced by the incidents where fraudsters and scam artists have been able to penetrate systems, usually through social engineering. Security isn't just a technology solution. It also has to include people solutions.

Microsoft Active Directory Webcasts

If you're looking for a single link to take you to the majority of the Microsoft webcasts on Active Directory, here you go:

http://www.microsoft.com/events/series/adaug.mspx

I say majority because I think there were one or two I didn't see (Active Directory Disaster Recovery part 2 of 2, for instance).

Wednesday, July 05, 2006

New Article: SQL Server 2005 Logins

I wrote a new article for SQL Server Central on SQL Server 2005 Logins. It covers the basics. This is the first in a series of articles on SQL Server 2005 security.

Thursday, June 29, 2006

Microsoft Office 2007 Delayed

It looks like Microsoft Office 2007 will be delayed due to performance issues. It was supposed to release in conjunction with Vista, but that's apparently not going to happen now.

Office 2007 Delayed Again (InternetNews.com)

I don't see anything on the PressPass portion of Microsoft's web site, but I'm sure something will be posted there soon. This announcement is interesting given the very positive PressPass story from just a few days ago:

Put the Pedal to the Metal: Take the 2007 Microsoft Office System Out for a Spin

Tuesday, June 27, 2006

WinFS rolled into next version of SQL Server

A blog posting from the WinFS team caught me a bit by surprise today. Apparently I wasn't the only one, judging by the comments. WinFS was supposed to give us a relational file system. There are security ramifications with doing that, as demonstrated in this video from BlueHat 2006 (from Channel 9), in which the first part has a security program manager from WinFS talking about some of the things he learned.

However, when you consider what the benefits can be (a comment gives the example of deleting thousands of files and how long that takes... this would be near instantaneous with a properly implemented relational database structure), many folks were looking forward to getting WinFS. And Vista was supposed to deliver it. But then Microsoft made the announcement that WinFS wouldn't ship with Vista. Instead, it'd be stand-alone and it could be installed later. Now today we learn that it won't be shipped later. Mature parts of WinFS are being integrated into Katmai, the next version of SQL Server.

I'm still considering what all this means for SQL Server and for the OS. Certainly it's a loss on the OS side. We're not going to get that relational file structure we've been looking forward to. The venerable NTFS is going to have to plod on a bit longer. But on SQL Server's side, there certainly is a gain. And with file integration, there is the potential to deal with BLOBs better. That makes sense given that Microsoft is trying to get more into the enterprise document management sector with SharePoint Server 2007. But I know that integrating a file system hasn't always been as great as it sounds. Exchange Installable File System (ExIFS or just IFS) is an example. It sounded great in Exchange Server 2000, but they scaled it back in Exchange Server 2003. It'll be interesting to see how they make this work in Katmai.

Monday, June 26, 2006

Top 100 Network Security Tools

This is a bit dated (it came out last week), but here is the list of the top 100 network security tools, as compiled from a survey by Fyodor:

http://SecTools.Org

Since Fyodor conducted the survey, Nmap was disqualified, so you won't see it on the list. Most of the tools are well known and have been around for a while.

Wednesday, June 21, 2006

SANS Stay Sharp Course - SEC351: Computer and Network Security Awareness

A few years ago I took the SANS GIAC Security Essentials Course on-line. Included in it was an attempt at the GSEC certification itself, something which I finished up. The GSEC certification is SANS' entry level certification, but it isn't an industry entry level certification, if that makes sense. I have found that information provided in the coursework for that certification has proven valuable in my day-to-day job working with servers and server security. This is definitely a course I recommend for anyone who is serious about hands-on security, not a management focus on security, like the CISSP. For those who aren't able to attend a class, there still exists the online option through SANS' OnDemand program. The GSEC coursework is found under SEC 401: SANS Security Essentials.

But what if you're not interested in a hardcore security course but you did want to become more knowledgeable on the subject? You may want to take a look at SANS' SEC351 offering, Computer and Network Security Awareness. It, too, is available on-line. The course is inexpensive and includes a free attempt at the SANS Stay Sharp Program - Computer and Network Security Awareness certificate (SSP-CNSA). This is a course you can go through in a few days without too much trouble and most certainly learn something from. When I took it as a member of the GIAC Awareness Council, I learned a couple of things myself. I will advise that the certificate attempt isn't required. And before you attempt it, review your notes from the course itself. Not all of the questions in the attempt were easy.

By the way, this course is good for any end user who wants to become more security-aware. If you have someone in your family who doesn't understand phishing attacks, basic social engineering mechanisms, and the importance of keeping systems up-to-date with antivirus definitions and security patches, this course helps teach why. It is as applicable to the home user as the business user, possibly even more so.