The amount of database talent we have here in the San Francisco Bay Area is remarkable and I can guarantee we’ll be thinking more like hackers at DesignMind. Thanks again to Sudha, Director of Product Management at Loglogic (now owned by Tibco), and Slavik, CTO at Sentrigo, for a fantastic presentation. You can follow Slavik’s Database Security Blog here.
Think Like a Hacker really got me thinking! Sudha Iyer of LogLogic and Slavik Markovich of Sentrigo spoke to the Silicon Valley SQL Server User Group on how hackers attack databases, and what can be done to reduce their likelihood of success. Sudha gave a good overview of the threats and of some unfortunate organizations that were vulnerable. For instance, Heartland Payment Systems had a breach exposing 130 million credit and debit cards! How was it done? SQL injection attacks.
There are some obvious best practices that should be implemented. Remember the SQL-Slammer worm? Microsoft had closed that vulnerability, but many thousands of servers had not been properly patched.
Slavik talked about basic hacking techniques, ranging from brute-force password cracking to SQL injection. He walked us through different forms of SQL injection attacks, culminating in complete control of an admittedly vulnerable server (as many are). Slavik then covered best practices for securing SQL Server, many of which apply equally to Oracle, DB2, MySQL, and other databases.