From Zero to Security Hero

Abstract:

You've just installed SQL Server. Do you trust the default installation? Is it "secure" enough for you? How easy is it to hack a SQL Server?

In this workshop we'll see a few examples on how to exploit SQL Server, modify data and take control, while at the same time not leaving a trace.

Most importantly, we'll also cover recommendations on how to avoid these attacks, discuss the recommended security best practices, and also take a look at the pros and cons of new security features in SQL Server 2016. Workshop suited for all audiences (DBA, Developer, SysAdmin). More exploits/recommendations may be covered (SQL Server 2016 seems to be full of surprises).

Objectives:

● Understanding how to bypass security on a typical installation of SQL Server, OS, network and storage;

● Securing the SQL Server and OS installation, including security best practices;

● Recommendations on SQL Server features that have security implications.

Contents:

During this training workshop, we will cover:

● How to hack a SQL Server, take control, access and change information, using multiple techniques;

● Protect against attacks, implementing network connection encryption using certificates, Always Encrypted, Transparent Data Encryption (TDE), Backup Encryption, etc.;

● Other features in SQL Server (Row Level Security, Dynamic Data Masking, Instant File Initialisation, etc.): How to hack them, and recommendations on if and when you should use them;

● Login and object security model best practices;

● Instance configuration best practices (covering the different editions and versions of SQL Server);

● Operating system hacking and security best practices (Windows, Linux, AD, virtualisation) that affect SQL Server;

● Knowing your client apps (business apps, websites, etc.): risks, exploits (SQL Injection, Social Engineering, etc.) and solutions;

● Security best practices in database cloud environments (Azure SQL Database, Azure VM with SQL Server, etc.);

● Other security recommendations.

Attendee's recommended pre-requisites:

● Audience: DBA, Developer, SysAdmin;

● Recommended: At least 6 months of regular experience with SQL Server (Database Engine);

● Attendees are encouraged to bring their laptops to follow along;

● SQL Server 2016 will be used, although earlier versions (2012 or 2014) will be sufficient in many cases.

About the trainer:

André Melancia Independent Developer/DBA/Consultant. Microsoft Certified Trainer (MCT) focusing on SQL Server, Azure and IoT. 17+ years' fun developing information and multimedia systems, DBA, project and IT management. PowerShell Portugal, IT Pro Portugal and IoT Portugal communities organiser. IPv6 Portugal, DNSSec Portugal and Windows Development Portugal online communities moderator. Actively volunteering, organising, speaking or just participating at community meetings and events like SQLSaturdays, SQLBits, SQLRelay, Maker Faire Lisbon, Arduino/Genuino Day Lisbon, Global Azure Bootcamp Lisbon, etc. Proud uncle and food devouring expert, with dangerous pussy cat as companion.

Go to http://Andy.PT and you'll know the same as the NSA...

LinkedIn: http://LinkedIn.COM/in/AndreMelancia

Twitter: @AndyPT