Eyes Slammed Open: How Secure Is Your Business-Critical Database?
The havoc wreaked by the SQL Slammer (also known as Sapphire) worm starkly illustrated the vulnerability of Internet-accessible database servers. Fortunately, the worm didn't compromise any stored data. However, it exploited a flaw in Microsoft's SQL Server to propagate itself and consequently, according to published reports, clogged much of the Internet backbone, disrupted Bank of America's automatic teller machine network, and all but cut off South Koreans' access to the Internet and other services.

DBAs defending Microsoft on Usenet argue that SQL Server is a target because it's so widely implemented. E-business conducted over the Internet is also becoming prevalent, which makes it a bigger target, and the data exchanged is usually critical to protect. Although the majority of the threat to critical data comes from people with authorized access, external attacks are a constant reality for large enterprises.

The SQL Slammer worm should motivate enterprises to revisit their security practices. In the trenches, DBAs should have installed the SQL Server patches that Microsoft released half a year before this worm was unleashed. But you can argue that the failure began with management. For instance, the IT department may be too understaffed to handle all the maintenance required to ensure security. Besides reexamining staffing numbers or talent, management should consider taking other actions.

George J. Dolicker is a CISA, CISSP, and principal consultant for information security at International Network Services, a consultancy that helps companies build, secure, and manage their networks. One of the first things Dolicker checks when consulting with a new client is whether the officers of the company know the answer to the question: Who's in charge of information security? "It's scary the number of times they don't have an answer," he says.
Dolicker advises that the information security manager "should be involved in application software development to the point that they have sign-off before the application goes live." Furthermore, enterprises should have an effective system architecture: multitiered, with data encryption; a firewall between the applications and the outside world; intrusion detection on the devices as well as on the network; and an integrity system that verifies data. No information system environment can be 100 percent secure, but these layers of obstacles slow most attacks long enough for their behavior to be detected and stopped. And "although software maintenance doesn't have an obvious return on investment," Dolicker adds, "aggressive software maintenance is one of the most critical aspects of keeping online applications secure."

Jeanette Burriesci
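The firewall and network intrusion-detection layers Dolicker describes are where a Slammer outbreak is visible. The following is an added example, not code from the article or from International Network Services: it scans constructed firewall log lines for the worm's traffic pattern. Slammer spread as single UDP datagrams to port 1434 (the SQL Server Resolution Service), and an infected host sprays such datagrams at random addresses, so an internal host with many distinct UDP/1434 destinations is a strong infection indicator; the log format, address ranges and fan-out threshold below are assumptions.

```python
"""Flag SQL Slammer-style UDP/1434 traffic in firewall logs (added example, constructed data)."""
import ipaddress
from collections import defaultdict

SLAMMER_PORT = 1434            # SQL Server Resolution Service, the port Slammer targeted
FANOUT_THRESHOLD = 5           # distinct external destinations before a host is flagged (assumed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]   # assumed internal ranges

# Constructed sample lines: "<timestamp> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-01-25T05:30:01Z DENY udp 203.0.113.7:4521 -> 10.0.5.20:1434
2003-01-25T05:30:02Z ALLOW tcp 10.0.1.15:50312 -> 10.0.5.20:1433
2003-01-25T05:30:03Z ALLOW udp 10.0.5.20:1434 -> 198.51.100.3:1434
2003-01-25T05:30:03Z ALLOW udp 10.0.5.20:1434 -> 192.0.2.44:1434
2003-01-25T05:30:03Z ALLOW udp 10.0.5.20:1434 -> 203.0.113.90:1434
2003-01-25T05:30:04Z ALLOW udp 10.0.5.20:1434 -> 198.51.100.77:1434
2003-01-25T05:30:04Z ALLOW udp 10.0.5.20:1434 -> 192.0.2.8:1434
2003-01-25T05:30:05Z ALLOW udp 203.0.113.7:4522 -> 10.0.5.21:1434
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> dict:
    ts, action, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto.lower(),
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}

def analyze(log_text: str) -> dict:
    """Report inbound UDP/1434 from outside and internal hosts fanning out on UDP/1434."""
    inbound = []
    fanout = defaultdict(set)   # internal source -> set of external destinations
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["proto"] != "udp" or rec["dport"] != SLAMMER_PORT:
            continue
        if not is_internal(rec["src"]) and is_internal(rec["dst"]):
            inbound.append(rec)           # an ALLOW here means the database port is exposed
        elif is_internal(rec["src"]) and not is_internal(rec["dst"]):
            fanout[rec["src"]].add(rec["dst"])
    exposed = sorted({r["dst"] for r in inbound if r["action"] == "ALLOW"})
    infected = sorted(h for h, dsts in fanout.items() if len(dsts) >= FANOUT_THRESHOLD)
    return {"inbound_attempts": len(inbound), "exposed_hosts": exposed,
            "likely_infected": infected}
```

Run against the sample, `analyze` reports two inbound probes, one exposed server (10.0.5.21, where the perimeter allowed the datagram through) and one likely infected host (10.0.5.20, already spraying UDP/1434 outward).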