January 4, 2017 at 9:26 am
... I think ultimately some of the ways in which we can protect our individual data come from being able to analyze query patterns. Machine learning and an integration with the Query Store maybe helpful in performing this analysis. If we know what queries we expect from a system, then we can detect anomalous behavior, which may let us know there are attacks being performed. While we might not be able to prevent all information from being disclosed, being aware and limiting future access can be valuable in preventing the impact of a data breach from growing too large...
One aspect of least privilege; is VIEW DEFINITION permission. By default it's denied, even for those tables an account can read from. If a hacker compromises an account in an unfamiliar database, the ability to leverage the account for a data breach is severely handicapped if they have no way of exploring what databases and objects are available.
It's also important escalate and immediately investigate "permission denied" or "Invalid object" errors in a production environment. That type of error should never happen in a production where ad-hoc querying is not typically performed.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
January 4, 2017 at 10:59 am
Gary Varga (1/4/2017)
I feel that security by financial institutions are not keeping pace. I can understand caution and not implementing every security idea that comes along, however, many of the security mechanisms employed by financial institutions that I use are a decade or more older.Is it wrong that my Xbox gamer account is better protected than my bank account?
Well in all fairness many financial institutions are running on systems more than decades 😀
January 4, 2017 at 11:28 am
ZZartin (1/4/2017)
Gary Varga (1/4/2017)
I feel that security by financial institutions are not keeping pace. I can understand caution and not implementing every security idea that comes along, however, many of the security mechanisms employed by financial institutions that I use are a decade or more older.Is it wrong that my Xbox gamer account is better protected than my bank account?
Well in all fairness many financial institutions are running on systems more than decades 😀
Not too many kids (or even gray haired DBAs) know how to hack into a DEC VAX these days.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
January 4, 2017 at 11:32 am
Eric M Russell (1/4/2017)
ZZartin (1/4/2017)
Gary Varga (1/4/2017)
I feel that security by financial institutions are not keeping pace. I can understand caution and not implementing every security idea that comes along, however, many of the security mechanisms employed by financial institutions that I use are a decade or more older.Is it wrong that my Xbox gamer account is better protected than my bank account?
Well in all fairness many financial institutions are running on systems more than decades 😀
Not too many kids (or even gray haired DBAs) know how to hack into a DEC VAX these days.
Eventually the problem will really become of finding people to support a DEC VAX system. I know Mainframe Cobol programmers are getting harder and harder to find and they can simply name their price.
January 4, 2017 at 11:39 am
Markus (1/4/2017)
Eric M Russell (1/4/2017)
ZZartin (1/4/2017)
Gary Varga (1/4/2017)
I feel that security by financial institutions are not keeping pace. I can understand caution and not implementing every security idea that comes along, however, many of the security mechanisms employed by financial institutions that I use are a decade or more older.Is it wrong that my Xbox gamer account is better protected than my bank account?
Well in all fairness many financial institutions are running on systems more than decades 😀
Not too many kids (or even gray haired DBAs) know how to hack into a DEC VAX these days.
Eventually the problem will really become of finding people to support a DEC VAX system. I know Mainframe Cobol programmers are getting harder and harder to find and they can simply name their price.
I guess the problem will eventually be, not how to find a programmer, but how to find replacement parts.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
January 4, 2017 at 11:48 am
Eric M Russell (1/4/2017)
I guess the problem will eventually be, not how to find a programmer, but how to find replacement parts.
Can't you just create a virtual machine?
412-977-3526 call/text
January 4, 2017 at 11:53 am
robert.sterbal 56890 (1/4/2017)
Eric M Russell (1/4/2017)
I guess the problem will eventually be, not how to find a programmer, but how to find replacement parts.
Can't you just create a virtual machine?
Actually, yes, one could. If it can be done on a Raspberry PI, then it could be done on larger scale in Azure with no on-premises hardware.
https://www.raspberrypi.org/forums/viewtopic.php?t=7552&p=93217
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
January 5, 2017 at 12:52 am
There's a challenge in balancing security with accessibility.
In the UK just because a company holds data for one purpose it cannot legally decide to use that data for any purpose. That means that the data can be locked down at a finer level of granularity.
The big problem with security is that there's no visual benefit in a world obsessed by shiny shiny. In fact the shiny shiny obsession poses a threat to many IT areas worthy of greater attention.
I could encrypt each record in a customer database using an attribute of that customer as a key. That would render the database a single-record access system. Queries with broad WHERE clauses simply wouldn't work. Unfortunately the shared nature of data would quickly turn this into a nightmare
January 5, 2017 at 1:04 am
David.Poole (1/5/2017)
...I could encrypt each record in a customer database using an attribute of that customer as a key. That would render the database a single-record access system. Queries with broad WHERE clauses simply wouldn't work...
Again in the UK, that is unacceptable in the financial sector as it is common to use the broad searches across customer data to size an issue by the number of customers affected. This is driven by the regulators.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
January 5, 2017 at 8:34 am
Couldn't you replicate off the data the regulators want?
412-977-3526 call/text
January 5, 2017 at 9:22 am
David.Poole (1/5/2017)
There's a challenge in balancing security with accessibility.In the UK just because a company holds data for one purpose it cannot legally decide to use that data for any purpose. That means that the data can be locked down at a finer level of granularity.
The big problem with security is that there's no visual benefit in a world obsessed by shiny shiny. In fact the shiny shiny obsession poses a threat to many IT areas worthy of greater attention.
I could encrypt each record in a customer database using an attribute of that customer as a key. That would render the database a single-record access system. Queries with broad WHERE clauses simply wouldn't work. Unfortunately the shared nature of data would quickly turn this into a nightmare
Broadly speaking, I'm free market and libertarian when it comes to cultural freedom and limiting government. However, when it comes to privacy and data security, I believe the US should follow the lead of Europe and the state of California. Left unchecked, institutions that hoard data like Facebook, Google, and the NSA threaten the privacy and well being of the public. We should regulate how institutions acquire, store, and use personal data for the same reasons that we regulate things like hazardous chemicals, because a data breach is no different from a toxic spill in terms of how it impacts the public.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
January 5, 2017 at 1:31 pm
Eric M Russell (1/5/2017)
Broadly speaking, I'm free market and libertarian when it comes to cultural freedom and limiting government. However, when it comes to privacy and data security, I believe the US should follow the lead of Europe and the state of California. Left unchecked, institutions that hoard data like Facebook, Google, and the NSA threaten the privacy and well being of the public. We should regulate how institutions acquire, store, and use personal data for the same reasons that we regulate things like hazardous chemicals, because a data breach is no different from a toxic spill in terms of how it impacts the public.
Tend to agree here. There should be limits.
I thought that some of the data that Google used for learning, speech, semantic extraction, etc., was only held for a limited time and discarded, but I'm not sure.
Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
January 5, 2017 at 1:58 pm
Steve Jones - SSC Editor (1/5/2017)
Eric M Russell (1/5/2017)
Broadly speaking, I'm free market and libertarian when it comes to cultural freedom and limiting government. However, when it comes to privacy and data security, I believe the US should follow the lead of Europe and the state of California. Left unchecked, institutions that hoard data like Facebook, Google, and the NSA threaten the privacy and well being of the public. We should regulate how institutions acquire, store, and use personal data for the same reasons that we regulate things like hazardous chemicals, because a data breach is no different from a toxic spill in terms of how it impacts the public.
Tend to agree here. There should be limits.
I thought that some of the data that Google used for learning, speech, semantic extraction, etc., was only held for a limited time and discarded, but I'm not sure.
Most members of Congress live in "gated communities", both literally and psychologically. However, the hacking of DNC and State Department email accounts really penetrated their comfort zone, so I'm sure they think more about digital privacy and security today than they did a year ago.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
January 6, 2017 at 4:59 pm
Eric M Russell (1/5/2017)
Steve Jones - SSC Editor (1/5/2017)
Eric M Russell (1/5/2017)
Broadly speaking, I'm free market and libertarian when it comes to cultural freedom and limiting government. However, when it comes to privacy and data security, I believe the US should follow the lead of Europe and the state of California. Left unchecked, institutions that hoard data like Facebook, Google, and the NSA threaten the privacy and well being of the public. We should regulate how institutions acquire, store, and use personal data for the same reasons that we regulate things like hazardous chemicals, because a data breach is no different from a toxic spill in terms of how it impacts the public.
Tend to agree here. There should be limits.
I thought that some of the data that Google used for learning, speech, semantic extraction, etc., was only held for a limited time and discarded, but I'm not sure.
Most members of Congress live in "gated communities", both literally and psychologically. However, the hacking of DNC and State Department email accounts really penetrated their comfort zone, so I'm sure they think more about digital privacy and security today than they did a year ago.
That doesn't mean they'll actually do anything about it. If they do get around to doing something, the resulting bureaucracy may very well be enough to delay implementation until the next 3 generations of the threat are obsolete.
Going way back to Gary's first post on this thread, I wish the financial industry would do more to mitigate threats to itself as a whole. Sadly, that's not the way businesses tend to work.
Viewing 14 posts - 16 through 28 (of 28 total)
You must be logged in to reply to this topic. Login to reply