DBA Security

This is a collection of references, such as internet materials and books, about database security. Not only SQL Server security, but information security in general.

US Department of Defense (DoD), Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) on databases:
iase.disa.mil/stigs/app-security/database
Very detailed and of high quality.

The National Cybersecurity and Communications Integration Center
www.us-cert.gov

Payment Card Industry Data Security Standard (PCI DSS):
www.pcisecuritystandards.org/security_standards

SANS Institute (SANS)
www.sans.org

Federal Information Security Management (FISMA)
www.dhs.gov/federal-information-security-management-act-fisma

Financial Services Sector Coordinating Council (FSSCC)
fsscc.org
Has an automated cybersecurity assessment tool, but it has not been maintained for some years.

Federal Financial Institutions Examination Council (FFIEC)
Has a cybersecurity assessment tool, but it has not been maintained for several years.
FFIEC IT Handbook
ithandbook.ffiec.gov

Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
www.bsi.bund.de/EN

ISO 27001:
www.iso.org/iso/home/standards/management-standards/iso27001.htm

ISO 27002

Common Criteria - ISO 15408
www.commoncriteriaportal.org
Microsoft SQL Server Certification Reports and other CC documentation.

National Institute of Standards and Technology (NIST), National Checklist Program (NCP):
http://web.nvd.nist.gov/view/ncp/repository
National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS) Support:
nvd.nist.gov/cvss.cfm
Common Vulnerability Scoring System (CVSS):
www.first.org/cvss

Federal Information Processing Standards Publication (FIPS): Security Requirements for Cryptographic Modules
FIPS 140-2 (PDF)
Use of compliant, certified algorithm implementations.

Cloud Security Alliance (CSA)
cloudsecurityalliance.org

Open Web Application Security Project (OWASP):
www.owasp.org

European Union Agency for Network and Information Security (ENISA)
www.enisa.europa.eu
EU center of expertise on network and information security.

EU GDPR: General Data Protection Regulation (Regulation 2016/679)
"Regulation (EU) 2016/679 of the European Parliament and of the Council"
www.eugdpr.org
EU regulation on data protection for all people in the EU. As a regulation it applies directly and does not require national legislation.

European Data Protection Supervisor (EDPS)
edps.europa.eu
European Union’s (EU) independent data protection authority.

EU: Network and Information Security (NIS2) directive
Sets a common level of network and information security across a broad set of business sectors. The directive covers all companies with more than 50 employees or more than 10 mio. EUR turnover.
It is expected that the directive will be adopted in 2022 and will be effective 18 months thereafter.

Center for Internet Security (CIS), Security Configuration Benchmarks on Database Servers
benchmarks.cisecurity.org/downloads/benchmarks.servers.database
These guidelines are of very varying quality.

The Hacker News (thehackernews.com)

Danish references

DK CERT (www.cert.dk)

The Centre for Cyber Security (CFCS.dk)
Governed by the Danish Ministry of Defence (Forsvarsministeriet).

Digitaliseringsstyrelsen (digst.dk/sikkerhed)

Literature

Denny Cherry: Securing SQL Server, 2nd Edition
2012, Syngress, Elsevier (ISBN 978-1-59749-947-7)
Many great details and experiences.

Peter A. Carter: Securing SQL Server, 2nd Edition
2018, Apress (ISBN 978-1-4842-4160-8)

Justin Clarke: SQL Injection Attacks and Defense, 2nd Edition
2012, Syngress, Elsevier (ISBN 978-1-59749-963-7)
Great in many aspects.

Rudi Bruchez: Microsoft SQL Server 2012 Security Cookbook
2012, Packt Publishing (ISBN 978-1-84968-588-7)