Wow, it’s been a crazy last couple of months with LulzSec running around doing what they do. Oh, what’s that? You’ve never heard of them? Well for many outside of IT this is probably the case. For those of us who ARE in IT have more than likely heard of them as well as their high-profile hacking exploits over the last couple of months.
This weekend TechCrunch posted a pretty good discussion piece on how the media has handled LulzSec’s exploits. To summarize in my own words, the author states that the general media cowered in the coverage of what this group was doing by hacking and leaking info of high profile targets such as the CIA (website), AT&T (internal data leaked) and Arizona Department of Public Safety (internal documents and sensitive information leaked). Carr goes on to say that rather than report on the seriousness of the group’s crimes and activities media would rather cheerlead them due to fear of retaliation from the group itself.
So what does this have to do with SQL Server? Well, if anything, I hope this rash of high-visibility targets has raised your awareness about something that far too many people slack in: Security. When was the last time you did a true security audit of your database servers? Are your web applications authenticating with the sa account (read also: “God” rights)? Are they authenticating with Windows accounts that are backed by stringent and contained groups via Active Directory? If you’re not certain of any of those questions I highly suggest you take a look at Brian Kelley’s (Blog | Twitter) SQL University Security Week posts from this past semester and start to at least formulate some kind of plan.
Security shouldn’t be an afterthought, it should be a base. As data professionals we hold are tasked with protecting the most vital piece of any organization: its data. Do you want to answer to your supervisor, manager and Executives when someone walks away with sensitive information from YOUR databases? Do yourself a favor and if you’re not already discussing security in your offices, start it. How do you handle security in your organization? Afterthought? Hardcore? What’s security? Let me hear your thoughts in the comments.
3 replies on “LulzSec: Why You Should Care”
Thanks for the great info! Do to all the lovely hackers we all have to focus more and more on better security, and for small companies it is costing a lot of productive time and money.
Best,
Judit & Corina
Thanks for your input. Yes, even small companies need to realize that a lot of these hackers prey on small companies just as much as the big ones. Heck, it’s even EASIER for them to steal data from smaller companies because generally security considered a high priority since many take the “I’m too small, nobody would care” mentality. Fact is, if you have sensitive data in your databases on any level, then you need to care.
We started doing the STRIDE methodology recently. I think the hard part of security is that you have to know every angle where someone can come in. Then patch those holes without compromising performance and usability. It takes time and effort.
I agree with Judit & Corina, most companies don’t want to sink resources into security. MORE FEATURES! MORE FORMS! MORE MONIES!