Recently I had a chance to speak with my friend and colleague, Ashish Sharma. We were discussing Project Management topics (he recently passed the PMP and ACP exams). Our discussion ended on a very interesting topic: Risk Assessment.
Definition: According to PMBOK, projects can have unforeseen events or activities that impact the project's progress, result, or outcome in a negative or positive way. Further, a risk can be assessed using two factors: impact and probability. Determining the quantitative or qualitative value of the risk related to a specific situation or recognized threat is known as Risk Assessment.
So, coming to my point, how do we apply a risk assessment framework for database systems, especially SQL Server?
I, myself, have never created or used a Risk Register for SQL Server. Hence, I decided to do a little more research on the subject. I found absolutely nothing on this particular topic. However, while searching for SQL Server security, I found an article I wrote in 2009 that provides tips on protecting data.
After spending some time researching, I found a good sample Risk Register that we can use. You can download it here.
Now, this is what we have for a Risk Register. What about threats?
Below, I have identified all of the threats I can think of:
| Threat | Mitigation |
|---|---|
| Virus Attack | Install AV on the DB server; however, do not forget to exclude the SQL Server files from scanning. |
| Unauthorized Logins | Always audit failed login attempts (C2, Windows, SQL, or both) and analyze them regularly. Always rename the SA / Admin account and enforce a strong password policy on all servers. If possible, always use domain-authenticated accounts. |
| MiM Attack | To mitigate a MiM attack, do the following: |
| Root Access | To avoid someone getting root access, do the following: |
| SQL Injection | Do the following: |
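The "Unauthorized Logins" row asks for three things: confirm that failed logins are actually being audited, review the failures regularly, and rename the SA account with a strong password policy. The T-SQL below is an added example written for this post, not something from the original article or a vendor script; it reads the audit level from the instance registry key, pulls the "Login failed" entries out of the current SQL Server error log with xp_readerrorlog, groups them by login and client address, and then renames and hardens sa. The new login name and the review threshold of 5 failures are placeholders chosen here.

```sql
-- 1. Confirm the instance is recording failed logins.
--    AuditLevel: 0 = none, 1 = successful only, 2 = failed only, 3 = both.
--    Anything other than 2 or 3 means the failed-login review below has no data.
DECLARE @AuditLevel int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @AuditLevel OUTPUT;
SELECT @AuditLevel AS AuditLevel,
       CASE WHEN @AuditLevel IN (2, 3) THEN 'OK' ELSE 'Failed logins are NOT audited' END AS Status;

-- C2 audit mode, as mentioned in the table (check only; it is a heavy, all-or-nothing trace).
SELECT name, value_in_use FROM sys.configurations WHERE name = N'c2 audit mode';

-- 2. Pull failed logins from the current error log (log 0, type 1 = SQL Server log).
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), [Text] nvarchar(max));
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- Error-log lines look like:
--   Login failed for user 'sa'. Reason: Password did not match ... [CLIENT: 10.0.0.5]
-- Parse the login name between the first pair of quotes and the address after '[CLIENT: '.
;WITH parsed AS (
    SELECT e.LogDate,
           SUBSTRING(e.[Text], p1.q1 + 1, p2.q2 - p1.q1 - 1) AS LoginName,
           CASE WHEN p1.c1 > 0
                THEN SUBSTRING(e.[Text], p1.c1 + 9, CHARINDEX(']', e.[Text], p1.c1) - p1.c1 - 9)
                ELSE N'(unknown)'
           END AS ClientAddress
    FROM #errlog AS e
    CROSS APPLY (SELECT CHARINDEX('''', e.[Text]) AS q1,
                        CHARINDEX('[CLIENT: ', e.[Text]) AS c1) AS p1
    CROSS APPLY (SELECT CHARINDEX('''', e.[Text], p1.q1 + 1) AS q2) AS p2
    WHERE e.[Text] LIKE N'Login failed for user%' AND p1.q1 > 0
)
SELECT LoginName,
       ClientAddress,
       COUNT(*)     AS Failures,
       MIN(LogDate) AS FirstSeen,
       MAX(LogDate) AS LastSeen
FROM parsed
GROUP BY LoginName, ClientAddress
HAVING COUNT(*) >= 5            -- placeholder review threshold; tune per environment
ORDER BY Failures DESC;

DROP TABLE #errlog;

-- 3. Rename SA and make it follow the Windows password policy.
--    [dba_admin_placeholder] is a placeholder name; pick your own and document it.
ALTER LOGIN sa WITH NAME = [dba_admin_placeholder];
ALTER LOGIN [dba_admin_placeholder] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- Set the new password interactively or from a vault; do not keep it in this script.
```

Run sections 1 and 2 as a scheduled review job; a sudden cluster of failures for one login from one client address, or for the renamed admin account by its old name, is what the "analyze them regularly" line in the table is meant to catch. Section 3 is a one-time change, and any application still connecting as sa will start failing after the rename, so check connection strings first.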