McAfee Moves Into Database Security with Sentrigo Buy


Intel’s (NASDAQ:INTC) McAfee security division is acquiring privately held database security vendor Sentrigo. Financial terms of the deal are not being publicly disclosed.

Sentrigo’s products include the Hedgehog Enterprise product, which is a Database Activity Monitoring (DAM) solution that provides virtual patching for database deployments. Another key product is the Hedgehog DBscanner, which is a vulnerability assessment solution for databases.

“After evaluating other players in this market, McAfee recognized that Sentrigo has the best technology, best go-to-market approach, and strongest team to bring into McAfee,” Martin Ward, McAfee’s senior director of risk and compliance product marketing, told InternetNews.com. “McAfee has sold Sentrigo solutions under an OEM agreement for six months so we are already familiar with the market opportunity, technology, how to sell it, and who to target.”

Ward added that the Sentrigo solution is complementary to what McAfee already sells. With the previous partnership, McAfee had already been branding Sentrigo’s products, including Vulnerability Manager for Databases, Database Activity Monitoring, and Integrity Monitoring for Databases as McAfee products.

“We believe Sentrigo has the DNA to become the market leader for cloud security of databases,” Ward said. “The Sentrigo architecture is unique in the database security market, utilizing autonomous sensors that can be deployed locally wherever cloud systems are provisioned.”

The need to protect databases against attack, specifically SQL Injection-type attacks, is one which multiple vendors have been attempting to solve. Oracle recently released its own Database Firewall product to prevent SQL Injection. IBM also has scanning technology that helps prevent SQL Injection attacks.

“There is no Web application firewall as part of the solution,” Ward explained. “Sentrigo has a technology called vPatch, which helps in preventing SQL injection attacks, and that technology will be part of the McAfee portfolio.”

In Ward’s view, the Sentrigo products integrated within McAfee’s portfolio will be able to stand up to the competition.

“Oracle and IBM have started to enter this market as well, but McAfee believes that an integrated and comprehensive server security solution, including database and application-level security along with OS-level security, will help customers be more secure against the Advanced threat landscape,” Ward said.

SQL Server 2008 and 2008 R2 Integration Services – Managing Remote Processes Using Script Task


In the recent articles published on this forum, we have described a couple of methods that allow you to launch arbitrarily chosen processes using SQL Server 2008 R2 Integration Services. While the scope of the first of them (relying on Execute Process Task) was restricted to the local computer, the second one (leveraging custom .NET code incorporated into Script Task) is capable of extending this functionality to remote systems. We will provide here an example demonstrating such capability and discuss caveats regarding its implementation.

The .NET Framework facilitates the interprocess communication necessary to accomplish our goal through Windows Communication Foundation and remoting; however, considering our somewhat limited requirements, it is more straightforward to deliver the desired objective by employing Windows Management Instrumentation. Its features, exposed through the System.Management namespace, are intended specifically for automating administrative tasks. We will utilize its Win32_Process class in order to invoke a designated executable on a target computer (in our example, we will call GPUpdate.exe, which triggers processing of Group Policy by Client Side Extensions, but obviously it is possible to apply the same approach to carry out other types of tasks that involve running non-interactive programs).

To implement our solution, launch Business Intelligence Development Studio and create a new project based on the Integration Services template. Drag the Script Task icon from the Toolbox and drop it on the Designer interface. With the newly generated task highlighted, activate the Variables window. Define two variables named sComputer and sCommand of String data type and Script Task scope. Assign to the first one the name of a remote computer where the executable will be running and set the other one to GPUpdate.exe /Target:Computer /Force.

Use the context-sensitive menu of the Script Task to display its Editor dialog box. Designate Visual Basic .NET 2008 as the ScriptLanguage. Specify User::sComputer and User::sCommand as ReadOnlyVariables. Click on the Edit Script... command button to access the Visual Studio Tools for Applications 2.0 interface.

In the Project Explorer window, toggle the Show All Files button to display the References node. Use the Add References... option from its context-sensitive menu to display the corresponding dialog box, locate the System.Management entry in the list appearing on its .NET tab, and click on the OK command button to add it to your project. If you receive the message "No template information found. See the application log in Event Viewer for more details" at this point, execute Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\VSTA.exe /InstallVSTemplates from the Command Prompt window (alternatively, you could also open the Package.dtsx file and edit its content directly by adding a <Reference Include="System.Management" /> entry in the <ItemGroup> element of the section that includes project references).

Once these steps are completed, type in Imports System.Management entry in the top section of the General Declarations area and populate the content of the Public Sub Main() with the following code:

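Public Sub Main()

   ' Read the target computer name and the command line from the SSIS variables
   Dim sComputer = Dts.Variables("sComputer").Value.ToString
   Dim sCommand = Dts.Variables("sCommand").Value.ToString

   ' WMI connection settings: impersonate the caller, request no extra privileges
   Dim cConnOptions = New ConnectionOptions
   cConnOptions.Impersonation = ImpersonationLevel.Impersonate
   cConnOptions.EnablePrivileges = False

   Try

      ' Bind the Win32_Process class to root\cimv2 on the remote computer
      Dim oMgmtScope = New ManagementScope("\\" + sComputer + "\root\cimv2", cConnOptions)
      Dim oProcess = New ManagementClass("Win32_Process")
      oProcess.Scope = oMgmtScope

      ' Pass the command line as the input parameter of the Create method
      Dim cInParams = oProcess.GetMethodParameters("Create")
      cInParams("CommandLine") = sCommand

      oMgmtScope.Connect()

      Dim cOutParams = oProcess.InvokeMethod("Create", cInParams, Nothing)

      ' Create reports failure through its return value (0 = success), not through an exception
      If Convert.ToUInt32(cOutParams("returnValue")) = 0 Then
         MessageBox.Show("Process ID " & cOutParams("processId").ToString, "Process Created")
         Dts.TaskResult = ScriptResults.Success
      Else
         MessageBox.Show("Win32_Process.Create returned " & cOutParams("returnValue").ToString, "Error")
         Dts.TaskResult = ScriptResults.Failure
      End If

   Catch ex As Exception

      ' Connection and access errors (DCOM, firewall, permissions) surface here
      MessageBox.Show(ex.Message.ToString, "Error")
      Dts.TaskResult = ScriptResults.Failure

   End Try

End Sub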

To briefly summarize our code, we start by extracting values stored in the SSIS variables, placing them temporarily in sComputer and sCommand (primarily to improve readability). Next, we define an instance of the ConnectionOptions class of the System.Management namespace, which determines settings necessary to establish a WMI connection. This includes the COM Impersonation mechanism and extra privileges on the target computer (disabled since our task does not require their elevation). Note that it is possible to customize other properties of the ConnectionOptions class, such as the COM Authentication level or its security context (rather than relying on the account running the SSIS package), if the default ones do not satisfy your requirements.

Next, we instantiate an object of ManagementScope class that represents the scope of management operations, pointing to root\cimv2 WMI namespace on the remote computer. Since this is where the Win32_Process WMI class is defined, we use it to define its instance. We also assign the value of sCommand variable (which contains the name of executable and its command line switches) to CommandLine input parameter of its Create method. Finally, we establish the connection to the management scope and invoke the Create method with appropriate input parameters.

Successful process creation is indicated by a message box displaying the identifier of the newly created process. While it is not possible to run a program interactively in this manner, you can verify the successful outcome of GPUpdate.exe by examining the content of the Group Policy Operational log with the Event Viewer (in particular, search for events 4016 and 8004, which signify, respectively, start and completion of Group Policy processing).

It is important to note that the ability to manage remote systems via WMI is dependent on a number of prerequisites. In particular, both authentication and security parameters (as defined by properties of the ConnectionOptions class) must comply with DCOM requirements. In addition, connections need to be established using credentials that have sufficient DCOM and WMI-level permissions and that are not blocked by User Account Control or Windows Firewall restrictions. For a complete list of factors that need to be taken into consideration in such scenarios, refer to the MSDN Library article Connecting to WMI on a Remote Computer.

TOP 10 SQL Server Requests That Should Be Automated


Microsoft is capturing the market using simple and elegant graphical user interfaces. However, when it comes to managing many computers, scripting/automation is the key. Microsoft also provides automation features in almost all of its products, including SQL Server.

There are mundane tasks that SQL Server Database administrators get as requests. This article discusses the various repetitive and boring tasks that should be automated.

Some of the many advantages for automating tasks are:

 

  • Reduce the amount of time you dedicate to repetitive activities
  • Reduce the money spent on this mundane work
  • Use the time saved to solve quality issues
  • Improve your ability to handle a larger volume of requests

The following are common repetitive tasks that should be automated.

 

1. Install SQL Server

The first and foremost request that a DBA usually gets is Install SQL Server. Installation of Microsoft SQL Server or Microsoft SQL Server Client is usually a long process and requires a lot of clicks, and both need to be automated. You don’t need to click n number of times to install software. SQL Server installation can be done using unattended install. Check these articles on unattended installation, and also check books online.

SQL Server 2005 – Unattended installation – Part I

SQL Server 2005 – Unattended installation – Part II

SQL Server 2005 – Unattended installation – Part III

 

2. SQL Server Configurations

Installation of SQL Server also requires configuration changes. Any configurations like memory settings, enabling features, processor settings, etc., should be automated. Most of the settings can be updated using the sp_configure command and using the combination of Windows PowerShell and registry object. All these can be automated. Example:

 


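-- EXEC is required for every call that is not the first statement in a batch
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'backup compression default', 1;
RECONFIGURE WITH OVERRIDE;
-- 'max server memory (MB)' is an advanced option, so it must follow the first RECONFIGURE
EXEC sp_configure 'max server memory (MB)', 32768;
RECONFIGURE WITH OVERRIDE;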

3. Install Service pack, Hotfix / cumulative updates

Like any product, SQL Server also comes with service pack updates and cumulative patches. SQL Server installation is always followed by installation of service packs, hotfixes, etc. All service packs, hotfixes and cumulative updates can also be installed using the unattended installation feature. Example:

SQL Server 2005: Unattended installation, Part V

Now SQL Server allows you to slipstream service packs along with the actual installation binaries (see Overview of SQL Server Servicing Installation).

These service pack, hotfix and cumulative update requests could either become a standard to be implemented on all servers, or they could sometimes be ad hoc requests.

 

4. Server Maintenance

There are certain tasks that need to be done at the host or server level. For example, a weekly reboot of the host, shrinking database files, archiving/purging, or changing the service account password can be automated using a SQL Agent job or a Windows scheduler job with Windows PowerShell or VBScript, or a combination of these.

Though these can be ad hoc real requests, if everything is scripted and ready to run, you don’t have to manually do these tasks.

This link talks about setting up the reboot cycle for active/passive cluster server.

 

5. Database Maintenance

There are database maintenance tasks that are very repetitive and need to be automated. You cannot log on to SQL Server every day and do these maintenance tasks manually. These maintenance jobs are:

  • FULL Backups
  • Differential Backups
  • Transaction LOG Backups
  • Index maintenance
  • Check database consistency
  • Backup cleanups, etc.
  • Processing cube

All the above listed jobs could be ad hoc real requests. So if you have everything scripted and ready to run like SQLAgent jobs, you don’t have to manually do these tasks. You can always kick off the SQL Agent jobs.

Visit this link for backup of Analysis service database using script.

 

6. Alerts and Notifications

Once you establish a SQL Server standard for which alerts and notifications need to be enabled on every SQL Server instance, you can go ahead and automate them. Just implement them on one server and then script them out. Once scripted, they can be executed on all the servers using command line utilities like SQLCMD or OSQL.
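One way to write such a baseline so that it can be replayed on every server, as an added example that is not from the original article. The operator name and e-mail address are placeholders, and the script assumes SQL Server 2008 or later with SQL Server Agent running and Database Mail configured for Agent notifications.

```sql
-- Added example; the operator name and address are placeholders.
USE msdb;
GO
SET NOCOUNT ON;

DECLARE @operator sysname       = N'DBA_OnCall';
DECLARE @email    nvarchar(100) = N'dba-oncall@example.com';

-- Create the operator only if it is missing, so the script can be re-run.
IF NOT EXISTS (SELECT 1 FROM dbo.sysoperators WHERE name = @operator)
    EXEC dbo.sp_add_operator
         @name = @operator, @enabled = 1, @email_address = @email;

-- Baseline: severities 17-25 (resource and fatal errors) plus failed logins
-- (error 18456, which is logged when failed-login auditing is enabled).
DECLARE @alerts TABLE (name sysname PRIMARY KEY, message_id int, severity int);
DECLARE @sev int = 17;
WHILE @sev <= 25
BEGIN
    INSERT @alerts
    VALUES (N'Severity ' + CAST(@sev AS nvarchar(2)) + N' error', 0, @sev);
    SET @sev += 1;
END
INSERT @alerts VALUES (N'Login failed (18456)', 18456, 0);

DECLARE @name sysname, @message_id int, @severity int;
DECLARE alert_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name, message_id, severity FROM @alerts;
OPEN alert_cur;
FETCH NEXT FROM alert_cur INTO @name, @message_id, @severity;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Skip anything already defined under this name or for the same
    -- error number / severity; sp_add_alert rejects such duplicates.
    IF NOT EXISTS (SELECT 1 FROM dbo.sysalerts
                   WHERE name = @name
                      OR (message_id = @message_id AND severity = @severity))
    BEGIN
        EXEC dbo.sp_add_alert
             @name = @name,
             @message_id = @message_id,
             @severity = @severity,
             @enabled = 1,
             @delay_between_responses = 300,      -- seconds; throttles repeats
             @include_event_description_in = 1;   -- 1 = e-mail
        EXEC dbo.sp_add_notification
             @alert_name = @name,
             @operator_name = @operator,
             @notification_method = 1;            -- 1 = e-mail
    END
    FETCH NEXT FROM alert_cur INTO @name, @message_id, @severity;
END
CLOSE alert_cur;
DEALLOCATE alert_cur;
```

Saved to a file, the script can be run against each server with SQLCMD using its -S, -E and -i options.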

 

7. Monitoring

  • Monitoring Blocking more than 15 mins
  • Monitoring Open Transactions
  • Deadlock Monitoring
  • Monitoring Database Mirroring status
  • Monitoring Log shipping status

When all these tasks come as ad hoc requests, automated monitoring comes in handy. All you have to do is to send the results from these jobs to the users.

 

8. High Availability

There are many high availability features available in SQL Server. When these features are requested by your users, you can set them all up using simple scripting. Examples include failover clustering and database mirroring.

There are other features related to database high availability, like Log Shipping, Replication and so on, that can also be automated using scripting. If you use SQL Server Management Studio, you will have noticed that there is a SCRIPT option for almost every object that is displayed.

 

9. Synchronize QA databases with PROD database

There are requests like refresh database from Production to QA / UAT / Test servers and so on. Even though they are not consistently repetitive, it is always efficient to keep a readymade script that would automatically go to production server and take a backup or get the recent backup and restore it on the QA or test server.

See this link for a high-level process on how to synchronize a TEST database using Production backups.

 

10. Transfer Logins and users

When you do log shipping or database mirroring or even do a QA/TEST database refresh, the logins are not carried over to the target server. In order to do that, you need the stored procedure “sp_hexadecimal” and a script to generate those logins using SQL Server security information from system tables. It is better to generate these logins before implementing log shipping or database mirroring or even doing a QA/TEST database refresh. It is also necessary to generate these logins and copy the generated login script to the destination server on a daily basis. For more on regenerating logins, read Re-generating SQL Server Logins.

Couchbase Unleashes Open Source NoSQL Database


What happens when you bring together two open source database technologies? In the case of vendors Membase and CouchOne, you end up with a new company called Couchbase and a new product called the Couchbase Server.

Membase and CouchOne announced their merger last month. Couchbase is now out with its first product release called Couchbase Server, which extends the capabilities of the open source NoSQL Apache CouchDB database.

“Couchbase Server is a binary distribution of the Apache CouchDB open source software from Couchbase, Inc.,” James Phillips, co-founder and SVP Products for Couchbase, told InternetNews.com. “In addition to the CouchDB software, the distribution includes GeoCouch, an open source software project founded by Volker Mische, a Couchbase employee, and packaged with easy to use installers for 32- and 64-bit Linux (Red Hat and Ubuntu), Mac OS X, and Windows platforms.”

Phillips added that Couchbase Server is a binary distribution of CouchDB. Users of CouchDB can easily migrate to Couchbase Server, which is fully compatible with their existing database files. The Couchbase Server is based on the open source Apache CouchDB 1.02 release.

Unlike Couchbase’s predecessor company, CouchOne, Couchbase does not offer standalone support for Apache CouchDB, only Couchbase Server. Phillips noted that Couchbase Server is the binary that his company has built, tested, certified and added supportability tools into.

“Couchbase Server is primarily intended to be an easy way for devs to get their hands on the Apache CouchDB technology – it is packaged for ease of download and installation across a variety of environments,” Phillips said. “In addition, we build, test, add supportability tools and certify the binaries across various platforms and operating systems.”

Phillips added that Couchbase’s goal is to help users get a packaged version of CouchDB that can be used to support users since Couchbase knows precisely what was built and because there are tools to help easily diagnose, troubleshoot and fix problems remotely.

Couchbase Server is available in both Community and Enterprise versions. The Enterprise version adds legal indemnification and support for production usage.

“Couchbase Server Enterprise Edition is a binary, and is provided under the terms of a Couchbase end-user license agreement governing use of the binary,” Phillips said. “But it is built from completely open source software entirely available via the Apache open source license.”

The other half of Couchbase is the Membase side, which includes memcached memory caching capabilities for NoSQL databases. Phillips noted that Membase Server continues to be available as a standalone project and product.

“This summer we will release what is currently being called Elastic Couchbase Server which is an evolution of Membase, using CouchDB as the storage layer and CouchDB index and query capabilities to Membase,” Phillips said.

Oracle Database Security and Regulatory Compliance – What’s a DBA to Do?


Database administrators are spending an increasing amount of time and effort to ensure that their systems comply with one or more regulatory or privacy mandates such as PCI-DSS, Sarbanes-Oxley, SAS70 and HIPAA. Regardless of the specific regulations you must satisfy, meeting the requirements demanded by these mandates has become a critical function for most IT managers and database administrators. I suggest a simple approach to reduce the pain and effort involved in satisfying these regulatory requirements by placing the emphasis on the proper configuration and hardening of all your technology components. Although this article is mainly geared toward Oracle DBAs, the strategy applies to system administrators, Oracle E-Business administrators and application developers as well.

Be Proactive: In order to minimize the amount of time you spend on the annual (or sometimes quarterly or biannual) security and compliance related audits, the smart strategy is always to implement a proactive security strategy. What happens in most companies is that the auditing team comes in and sets up shop, and you (and your managers) are waiting anxiously to see what security loopholes the auditors might find and how you’re going to mitigate them, either by fixing them directly or by convincing the auditors to accept compensating controls instead to satisfy specific regulatory requirements. If instead, you start by building in security and compliance features right from the time you install, configure and implement your technology stack and applications, you’ll find the going a lot easier come audit time.

Create an Organization-Wide Plan: One of the very first things you must do in order to ensure a strong regulatory compliance stance is to create and implement a formal organization-wide security plan. The security plan will include databases and applications, as well as the network, web applications and other critical technology components. In the security plan, you must clearly lay down how you’re going to implement various security policies that are designed to ensure compliance with key regulations your company must satisfy. You must include policies relating to access control and authorization as well as any scheduled security related operations such as the periodic changing of passwords, for example. Additionally, you can also include detailed backup and recovery strategies and disaster recovery policies in your security plan. Note that your security plan must contain both the security policies that you intend to follow in order to comply with various regulations, as well as detailed step-by-step implementation plans for each of those security policies.

Let me provide a simple example of how a strong security plan enhances your security and compliance status: Most regulations require that you encrypt credit card numbers in applications such as the Oracle E-Business Suite. Your encryption policy can state that the encryption keys must be rotated every three months. The security plan must provide the schedules for the rotation of the encryption keys as well as the exact steps necessary to implement the policy.

Use Oracle Best Practice Recommendations: Possibly the best thing you can do to enhance database and application security, as well as your compliance readiness, is to simply start off by implementing Oracle’s best practice recommendations. You can find the latest Oracle best practice recommendations for the Oracle E-Business Suite, for example, by going to Oracle’s Metalink and checking out the document titled “Best Practices for Securing Oracle E-Business Suite Release 12” (Metalink Note 403537.1). As comprehensive as Oracle’s best practice recommendations are, there is sometimes a possibility of finding dated information as well as a narrowly scoped security recommendation. In order to tighten down security and enhance compliance with regulations, you probably are better off going the extra mile by studying other security guidelines and checklists such as those offered at www.cisecurity.org and www.checklist20.com.

I can already hear some of you yawning, thinking to yourself that you’re aware of all the best practice recommendations, but you’re looking for some serious security guidelines. The truth is that a vast majority of companies fall well short of Oracle’s best practice recommendations. Database and system administrators have too much on their plates, work under tight deadlines, and are judged by how well the applications perform and how functional the system is from the end users’ point of view. Security and compliance is almost never the most (or even the second, third or fourth most) important goal when designing and implementing new systems. I can assure you that once you truly pay attention to the available best practices and implement your systems as closely as possible to the suggested guidelines, you are indeed on very firm ground regarding numerous security configurations that have a direct bearing on compliance. These configuration items include those dealing with database hardening, default user accounts and what to do with them, UNIX and Windows file permissions, access permissions and privileges, and numerous other critical security-related policies. Many regulations require that you implement separation of duties in your applications. The Oracle best practice list covers this, as well as other key compliance-related issues such as the auditing of E-Business Suite application activity, by showing you how to implement Oracle application auditing.

Implement what you have access to: After you harden your systems and applications by following Oracle’s best practices, you can turn to the built-in Oracle security features. These are features that you’ve already paid for and most of these are very easy to set up. You can dynamically control and limit user privileges to modify data based on the specific environment of each user by implementing Oracle’s Virtual Private Database in your applications. If protecting yourself from potential internal threats is a high priority, you can use Oracle’s auditing capabilities to audit various types of user activity, such as logons and logoffs, accessing of critical data and the use of critical system privileges. You can additionally deploy the built-in Oracle Fine Grained Auditing (FGA) policies to control user activity within your database. You probably are already aware that implementation of policies such as FGA satisfies several regulatory compliance requirements.
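The built-in features named above, sketched as an added example that is not from the original article: traditional auditing of logons and privilege use, a Virtual Private Database policy, and an FGA policy on a card-number column. The schema APP_DEMO, the table CUSTOMER_CARDS and its columns, the APP_CTX application context and all policy names are hypothetical, and the AUDIT_TRAIL initialization parameter is assumed to be set to DB.

```sql
-- Added example; all object, context and policy names are hypothetical.
-- Assumes a table APP_DEMO.CUSTOMER_CARDS(CUSTOMER_ID, REGION, CARD_NUMBER)
-- and traditional auditing enabled (AUDIT_TRAIL = DB).

-- 1. Traditional auditing: logons/logoffs, access to critical data,
--    and use of critical system privileges.
AUDIT SESSION;
AUDIT SELECT, UPDATE, DELETE ON app_demo.customer_cards BY ACCESS;
AUDIT ALTER SYSTEM BY ACCESS;
AUDIT GRANT ANY PRIVILEGE BY ACCESS;

-- 2. Virtual Private Database: each session sees only the rows of its own
--    region, taken from an application context the application sets at logon.
CREATE OR REPLACE FUNCTION app_demo.cards_region_predicate (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- A session with no region in its context sees no rows (fail closed).
    IF SYS_CONTEXT('APP_CTX', 'REGION') IS NULL THEN
        RETURN '1 = 0';
    END IF;
    RETURN 'region = SYS_CONTEXT(''APP_CTX'', ''REGION'')';
END;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP_DEMO',
        object_name     => 'CUSTOMER_CARDS',
        policy_name     => 'CARDS_BY_REGION',
        function_schema => 'APP_DEMO',
        policy_function => 'CARDS_REGION_PREDICATE',
        statement_types => 'SELECT, UPDATE, DELETE',
        update_check    => TRUE);
END;
/

-- 3. Fine Grained Auditing: record every statement that touches CARD_NUMBER,
--    including the SQL text and bind values (DB + EXTENDED).
BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema   => 'APP_DEMO',
        object_name     => 'CUSTOMER_CARDS',
        policy_name     => 'AUDIT_CARD_NUMBER',
        audit_column    => 'CARD_NUMBER',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
        enable          => TRUE);
END;
/

-- 4. Review: who read or changed card numbers in the last 7 days.
SELECT timestamp, db_user, os_user, userhost, statement_type, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'AUDIT_CARD_NUMBER'
AND    timestamp > SYSDATE - 7
ORDER  BY timestamp;
```

The same policies apply unchanged to test and development copies of the table, which is where card data most often sits unaudited.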

Due to heavy workloads as well as a lack of understanding of key regulations, most companies leave virtually all of their test and development databases and applications in a state of benign neglect, as far as security goes. But the fact is that regulators really don’t care where exactly you’re storing critical data such as customer credit card numbers. Regardless of the nature of the database (production or test), the regulations require that you encrypt key data. In light of this, place an equal emphasis on securing data in the test and development databases as you place on securing your production data — the data is exactly the same in almost all cases.

Use Oracle Options: In addition to taking advantage of built-in Oracle security features, you might also want to consider purchasing Oracle options such as Oracle Advanced Security and Oracle Data Masking, for example. Oracle Advanced Security helps you encrypt data at the column or even the tablespace level. You can also employ this option to encrypt data passing through the network. You can employ Oracle Data Masking to mask personally identifiable data such as credit card numbers. This capability comes in very handy to quickly obfuscate key data when you clone test databases from your production databases.

Similarly, Oracle Database Vault helps you protect your data from misuse by privileged internal users such as database administrators. Oracle Audit Vault helps you centrally manage your audit strategy, provides features such as an audit data warehouse, and dramatically simplifies compliance reporting.

Whether you choose to use Oracle or another software vendor, database security and compliance should not go unnoticed, as it is a critical function within any organization.

MySQL


MySQL is a relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases. MySQL is officially pronounced “My S-Q-L”, but is often also pronounced “My Sequel”. It is named after developer Michael Widenius’s daughter, My. The SQL phrase stands for Structured Query Language.

The MySQL development project has made its source code available under the terms of the GNU General Public License, as well as under a variety of proprietary agreements. MySQL was owned and sponsored by a single for-profit firm, the Swedish company MySQL AB, now owned by Oracle Corporation.

Free-software projects that require a full-featured database management system often use MySQL. For commercial use, several paid editions are available, and offer additional functionality. Some free software project examples: Joomla, WordPress, MyBB, phpBB, Drupal and other software built on the LAMP software stack. MySQL is also used in many high-profile, large-scale World Wide Web products, including Wikipedia, Google (though not for searches) and Facebook.

Oracle Database


The Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is an object-relational database management system (ORDBMS) produced and marketed by Oracle Corporation.

Larry Ellison and his friends and former co-workers Bob Miner and Ed Oates started the consultancy Software Development Laboratories (SDL) in 1977. SDL developed the original version of the Oracle software. The name Oracle comes from the code-name of a CIA-funded project Ellison had worked on while previously employed by Ampex.

Database management system


A Database Management System (DBMS) is a set of computer programs that controls the creation, maintenance, and use of a database. It allows organizations to place control of database development in the hands of database administrators (DBAs) and other specialists. A DBMS is a system software package that supports the use of an integrated collection of data records and files known as databases. It allows different user application programs to easily access the same database. DBMSs may use any of a variety of database models, such as the network model or relational model. In large systems, a DBMS allows users and other software to store and retrieve data in a structured way. Instead of having to write computer programs to extract information, users can ask simple questions in a query language. Thus, many DBMS packages provide fourth-generation programming languages (4GLs) and other application development features. A DBMS helps to specify the logical organization for a database and to access and use the information within a database. It provides facilities for controlling data access, enforcing data integrity, managing concurrency, and restoring the database from backups. A DBMS also provides the ability to logically present database information to users.

Database


A database is a system intended to organize, store, and retrieve large amounts of data easily. It consists of an organized collection of data for one or more uses, typically in digital form. One way of classifying databases involves the type of their contents, for example: bibliographic, document-text, statistical. Digital databases are managed using database management systems, which store database contents, allowing data creation and maintenance, and search and other access.

Backtrack Linux Intro!


Backtrack Linux is a penetration toolkit based on Ubuntu Linux. This is the only toolkit which is used to hack anything or penetrate anything. Backtrack Linux includes topmost security tools such as Metasploit, Kismet, Aircrack, Vas, SET, etc. If you want to use Backtrack, you should know the normal operations of Linux.

This is a small introduction to Backtrack Linux. I will give you more important and usage-related information in further posts, so keep in touch with machine security.

thanks,
Shantanu