Hacking Exposé: Using SSL to Protect SQL Connections
Who Am I?
• WaterOx Consulting
• SQL Server MVP
• Friend of Redgate
• PASSDC
• SQL Saturday DC & Nova Scotia
• SQL Summer Camp
What is Hacking?
How safe is your data?
Hacking / Cracking
• Modifying computer hardware or software
• To accomplish goals outside of the original purpose
Measures taken to protect your data
• Primarily at rest
• In motion over the network
• Frequently only one of the two is actually in place, and the other is left exposed
Easy to get tools
RawCap
• Command line tool
• Runs from a USB stick, nothing to install
• Captures packets into a .pcap file for analysis later
Wireshark
• GUI
• Captures packets as well
• Reads other capture files, including RawCap output
Lots of others out there
• All of them need a position on the path: the client, the server, a mirror port, or a compromised host in between
DEMO
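What the demo shows, as an added example that is not part of the original deck: a small parser for the SQL Server wire protocol (TDS) that does what Wireshark's TDS dissector does on an unencrypted session, reporting what encryption the client asked for in PRELOGIN and pulling the query text out of the SQL batch packet. The packet layouts follow the public MS-TDS specification; the capture bytes, the client version bytes and the query are constructed here, not taken from a real trace.

```python
"""Added example, not from the talk: what a sniffer such as RawCap or
Wireshark sees on a SQL Server connection that was never encrypted.
Packet layouts follow the public MS-TDS specification; the capture bytes are
constructed here and are not a real trace."""
import struct

# TDS packet types (MS-TDS 2.2.3.1.1)
TDS_SQL_BATCH = 0x01
TDS_PRELOGIN = 0x12
TDS_HEADER_LEN = 8

# PRELOGIN option tokens and ENCRYPTION values (MS-TDS 2.2.6.5)
PL_VERSION, PL_ENCRYPTION, PL_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPT_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def tds_packet(ptype, payload, spid=0, packet_id=1):
    """Prefix a payload with the 8-byte TDS header: type, status (0x01 = end of
    message), big-endian total length, SPID, packet id, window."""
    return struct.pack(">BBHHBB", ptype, 0x01, TDS_HEADER_LEN + len(payload),
                       spid, packet_id, 0) + payload


def prelogin_packet(encryption):
    """Client PRELOGIN with a VERSION option and the ENCRYPTION option."""
    version = bytes([0x0C, 0x00, 0x10, 0x00, 0x00, 0x00])   # made-up client version
    data_start = 2 * 5 + 1   # two 5-byte option entries plus the terminator byte
    table = struct.pack(">BHH", PL_VERSION, data_start, len(version))
    table += struct.pack(">BHH", PL_ENCRYPTION, data_start + len(version), 1)
    table += bytes([PL_TERMINATOR])
    return tds_packet(TDS_PRELOGIN, table + version + bytes([encryption]))


def sql_batch_packet(sql):
    """Client SQL batch (TDS 7.2+): ALL_HEADERS block, then the query as UCS-2LE."""
    txn = struct.pack("<IH", 18, 0x0002) + bytes(8) + struct.pack("<I", 1)  # transaction descriptor header
    all_headers = struct.pack("<I", 4 + len(txn)) + txn
    return tds_packet(TDS_SQL_BATCH, all_headers + sql.encode("utf-16-le"))


def split_tds_packets(stream):
    """Walk a captured TCP payload and yield (packet type, payload) pairs."""
    pos = 0
    while pos + TDS_HEADER_LEN <= len(stream):
        ptype, _status, length, _spid, _pid, _window = struct.unpack_from(">BBHHBB", stream, pos)
        if length < TDS_HEADER_LEN or pos + length > len(stream):
            raise ValueError("truncated or malformed TDS packet at offset %d" % pos)
        yield ptype, stream[pos + TDS_HEADER_LEN:pos + length]
        pos += length


def prelogin_encryption(payload):
    """Return the ENCRYPTION value a peer advertised in its PRELOGIN payload."""
    pos = 0
    while payload[pos] != PL_TERMINATOR:
        token, offset, length = struct.unpack_from(">BHH", payload, pos)
        if token == PL_ENCRYPTION and length == 1:
            return ENCRYPT_NAMES.get(payload[offset], "unknown")
        pos += 5
    return "absent"


def sql_batch_text(payload):
    """Skip ALL_HEADERS and decode the query text exactly as the wire carries it."""
    all_headers_len = struct.unpack_from("<I", payload, 0)[0]
    return payload[all_headers_len:].decode("utf-16-le")


def sniff(stream):
    """Summarise a client-to-server stream the way Wireshark's TDS dissector does:
    what encryption the client asked for, and any query text in the clear."""
    findings = []
    for ptype, payload in split_tds_packets(stream):
        if ptype == TDS_PRELOGIN:
            findings.append(("PRELOGIN", prelogin_encryption(payload)))
        elif ptype == TDS_SQL_BATCH:
            findings.append(("SQL_BATCH", sql_batch_text(payload)))
        else:
            findings.append(("OTHER", "type 0x%02x, %d bytes" % (ptype, len(payload))))
    return findings


# Constructed capture: the client offered ENCRYPT_OFF, so after the LOGIN7
# packet (always TLS-protected, omitted here) every batch goes out in the clear.
CAPTURE = prelogin_packet(0) + sql_batch_packet(
    "SELECT CardNumber, Cvv FROM dbo.Payments WHERE CustomerId = 42")

if __name__ == "__main__":
    for kind, detail in sniff(CAPTURE):
        print("%-10s %s" % (kind, detail))
```

The result sets coming back from the server are just as readable: only the SQL batch direction is decoded here, but a tabular result packet (type 0x04) carries the row data in the same plain encoding, which is what the Excel part of the demo relies on.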
What to do?
SSL
Definition
• Secure Sockets Layer (the protocol actually negotiated today is its successor, TLS; SQL Server still labels the setting "SSL")
• Standard security technology
• Provides communication security over a network
• Encrypts data flowing between the parties
• Primarily prevents eavesdropping and tampering, and lets the client verify which server it is talking to
• SSL 2.0 and 3.0 are obsolete and insecure; SQL Server on Windows uses SChannel, so make sure the server's SChannel configuration allows only TLS 1.2 or later
How SSL Works
1. Client attempts to connect to the server
2. Server sends the client a copy of its certificate
3. Client checks that it trusts the certificate: issued by a trusted CA (or explicitly trusted, in the case of a self-signed one), not expired, and the name matches the server it asked for
4. Client and server agree on session keys (only the holder of the certificate's private key can complete this step) and the server acknowledges the start of the SSL session
5. Encrypted data is shared between client and server
Lockdown
Secure Your SQL Server Connection
1. Create / obtain an SSL certificate (in the Local Machine store, with a subject or SAN matching the server's FQDN and the Server Authentication purpose)
2. Grant the SQL Server service account read permission on the certificate's private key
3. Enable SSL in SQL Server (select the certificate and set Force Encryption to Yes in SQL Server Configuration Manager, then restart the service)
4. Connect, and confirm the session is encrypted (encrypt_option in sys.dm_exec_connections)
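What the Force Encryption setting and the client's connection-string options actually decide, as an added example that is not code from the deck: a model of the PRELOGIN ENCRYPTION negotiation between a SQL Server client and server. The option values and the rows modelled follow MS-TDS section 2.2.6.5 (the common rows only, not the whole table); the Server and Client objects, their field names and the verdict strings are constructed here for illustration.

```python
"""Added example, not from the talk: a model of the PRELOGIN ENCRYPTION
negotiation that decides what the server's 'Force Encryption' setting and the
client's Encrypt / TrustServerCertificate settings actually buy. Option values
and the modelled rows follow MS-TDS section 2.2.6.5. The scenario objects are
constructed here, not taken from any real server."""
from dataclasses import dataclass

ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0, 1, 2, 3
NAMES = {ENCRYPT_OFF: "ENCRYPT_OFF", ENCRYPT_ON: "ENCRYPT_ON",
         ENCRYPT_NOT_SUP: "ENCRYPT_NOT_SUP", ENCRYPT_REQ: "ENCRYPT_REQ"}


@dataclass
class Server:
    force_encryption: bool           # 'Force Encryption' on the protocol properties
    cert_trusted_by_client: bool     # False for a self-signed cert the client never imported


@dataclass
class Client:
    encrypt: bool                    # Encrypt=true in the connection string
    trust_server_certificate: bool = False
    tls_capable: bool = True         # False only for drivers with no TLS support at all


def client_offer(c):
    """The ENCRYPTION option the client puts in its PRELOGIN packet."""
    if not c.tls_capable:
        return ENCRYPT_NOT_SUP
    return ENCRYPT_ON if c.encrypt else ENCRYPT_OFF


def server_answer(s, offered):
    """The ENCRYPTION option the server puts in its PRELOGIN response.
    SQL Server can always encrypt: with no certificate configured it
    generates a self-signed one at start-up, so it never answers NOT_SUP."""
    if s.force_encryption:
        return ENCRYPT_ON if offered == ENCRYPT_ON else ENCRYPT_REQ
    return offered                   # Force Encryption = No: mirror the client


def negotiate(c, s):
    """Outcome of one connection attempt, as a short verdict string."""
    offered = client_offer(c)
    answered = server_answer(s, offered)
    if offered == ENCRYPT_NOT_SUP and answered == ENCRYPT_REQ:
        return "refused: server requires encryption the client cannot do"
    if offered == ENCRYPT_NOT_SUP:
        return "cleartext: nothing encrypted, not even the login packet"
    if offered == ENCRYPT_OFF and answered == ENCRYPT_OFF:
        # The out-of-the-box state: only LOGIN7 is TLS-protected, and
        # every later batch and result set crosses the wire in the clear.
        return "login-only: credentials encrypted, queries and results in cleartext"
    # From here on the whole session is TLS-encrypted. Whether the client
    # checks who it is talking to depends on what the client asked for.
    if c.encrypt and c.trust_server_certificate:
        return "encrypted, unauthenticated: any certificate accepted, MITM possible"
    if c.encrypt and not s.cert_trusted_by_client:
        return "refused: client rejects the untrusted server certificate"
    if c.encrypt:
        return "encrypted and authenticated: server certificate validated"
    return "encrypted: server forced it, client did not ask for it"


def scenarios():
    """The configurations worth comparing, with the verdict for each."""
    self_signed = Server(force_encryption=True, cert_trusted_by_client=False)
    ca_signed = Server(force_encryption=True, cert_trusted_by_client=True)
    default = Server(force_encryption=False, cert_trusted_by_client=False)
    return [
        ("default server, default client", negotiate(Client(encrypt=False), default)),
        ("Force Encryption, client Encrypt=false", negotiate(Client(encrypt=False), self_signed)),
        ("self-signed, client Encrypt=true", negotiate(Client(encrypt=True), self_signed)),
        ("self-signed, Encrypt=true + TrustServerCertificate=true",
         negotiate(Client(encrypt=True, trust_server_certificate=True), self_signed)),
        ("CA-signed, client Encrypt=true", negotiate(Client(encrypt=True), ca_signed)),
        ("Force Encryption, TLS-less client", negotiate(Client(encrypt=False, tls_capable=False), ca_signed)),
    ]


if __name__ == "__main__":
    for label, verdict in scenarios():
        print("%-55s -> %s" % (label, verdict))
```

Two rows are the ones to remember: Force Encryption = No with a client that does not ask is the default, and it protects nothing but the login; and a self-signed certificate only works for clients that request encryption if they have imported it or set TrustServerCertificate=true, the latter giving up the check that stops a man-in-the-middle. On a live instance, encrypt_option in sys.dm_exec_connections shows which verdict a session actually got.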
DEMO
No single solution
Data in motion
• SSL – encrypt connections
• File encryption tools
Data at rest
• TDE (encrypts the database files and backups; pages are decrypted in memory, so it does nothing for the wire)
• Column level encryption
Review
By default connections are not encrypted
• Only the login packet is protected out of the box; every query and result set after it crosses the network in clear text
• Need to set up SSL (a self-signed certificate at minimum; clients that validate certificates will reject it unless they trust it, and TrustServerCertificate=true on the client gives up the protection against a man-in-the-middle)
• Requires a restart of the SQL Server service
• Encrypts data being transmitted
• Column-level encryption does not replace it: a value decrypted on the server with the key open travels in clear text unless the connection is encrypted
No one solution
• Protect data in transit
• Protect data at rest
• Separation of duties
Contact
@CBellDBA
Chris@WaterOxConsulting.com

Hacking Exposé - Using SSL to Secure SQL Server Connections

Editor's Notes

  1. Regular SQL Server setup: no encrypted connections set up, no network encryption set up. Show three connections:
     1) SSMS login and a simple query
     2) Capture with RawCap, view with Wireshark
     3) Show the values in plain text, sent and returned
     4) Use Excel: establish a connection and don't even put data in the spreadsheet; show the values
     5) Back to SSMS: connect and pull an encrypted value through, once without the key open, once with the key open
  2. Purchased from a certificate authority: research the companies, check references; the CA vouches for the identity. The trust test: encrypt a message with the server's public key (which can only encrypt), send it, and if the server can tell you what it said, it has just proved it holds the private key without revealing the key. Process: the client attempts to connect to the server (the server has the private key and its certificate); the server sends the client a copy of the certificate; the client checks that it is trusted and, if so, sends back a secret encrypted with the server's public key (this is the RSA key exchange; current TLS versions derive the session keys with ephemeral Diffie-Hellman instead, and the certificate's key only signs); the server recovers the secret with its private key and sends a signed acknowledgement to start the SSL-encrypted session; encrypted data is shared between client and server.
  3. Connect to the woxemo VM. Show the IIS self-signed certificate creation process. Grant the SQL Server service account permission to use the certificate (read access to its private key). Set the certificate and restart SQL Server. Set Force Encryption in the protocol properties to Yes. Connect and sniff packets as in the previous demo to see whether the traffic is now protected. Show how turning Force Encryption from Yes to No makes encryption optional, not the default: Yes ensures the connection has to be encrypted, No encrypts only when the client asks for it.
  4. You can't just protect data at rest, nor can you just protect data in motion. The primary focus of many places is data in motion. Anthem stated that its state-of-the-art system protected the data: in motion. They did not encrypt it at rest. All plain text, because HIPAA said they didn't have to. Think about that: a large company with private information decided on minimal compliance rather than minimal risk.