TIOBE Index for January 2023 – Which Language is Most Popular?

Have you seen the latest TIOBE rankings report?

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third-party vendors. Popular search engines such as Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

Scripting language Lua is back in the top 20 of the TIOBE index. In its heyday in 2011, Lua briefly touched a top 10 position. Whether this is going to happen again is unknown. But it is clear that Lua is catching up in the game development market: easy to learn, fast to execute, and simple to interface with C. This makes Lua a perfect candidate for this job. One of the drivers behind the recent success of Lua is the very popular gaming platform Roblox, which uses Lua as its main programming language. –Paul Jansen CEO TIOBE Software

TIOBE also announced that C++ is the programming language of 2022. You can read the details of how and why at the TIOBE website, as well as see the runners up (C and Python). If you are a developer, you will find this information interesting.

Continue reading “TIOBE Index for January 2023 – Which Language is Most Popular?”

Free Download: SQL Server Management Studio 18.12.1


SQL Server Management Studio (SSMS) is an integrated environment for accessing, configuring, managing, administering, and developing all components of SQL Server. SSMS combines a broad group of graphical tools with a number of rich script editors to provide developers and administrators of all skill levels access to SQL Server.

The SSMS 18.x installation doesn’t upgrade or replace SSMS versions 17.x or earlier. SSMS 18.x installs side by side with previous versions, so both versions are available for use. However, if you have a preview version of SSMS 18.x installed, you must uninstall it before installing SSMS 18.12. You can see if you have the preview version by going to the Help > About window.

If a computer contains side-by-side installations of SSMS, verify you start the correct version for your specific needs. The latest version is labeled Microsoft SQL Server Management Studio 18.

Beginning with SQL Server Management Studio (SSMS) 18.7, Azure Data Studio is automatically installed alongside SSMS. Users of SQL Server Management Studio are now able to benefit from the innovations and features in Azure Data Studio.

Continue reading “Free Download: SQL Server Management Studio 18.12.1”

Top 10 Ways to Prevent Active Directory Attacks

Active Directory is a Microsoft solution for providing on-premises identity management in an enterprise environment. It is also one of the primary targets of most modern cyber-attacks. Fortunately, there are a few things you can do to help protect your Active Directory environment.

With a few actions, an organization can significantly reduce their attack surface and help protect the Active Directory environment from attack. Since attackers want to steal Active Directory credentials or compromise Active Directory with malicious software, you have to structure your defenses to match their attack strategy.

Continue reading “Top 10 Ways to Prevent Active Directory Attacks”

Understanding VSS and SQL Server

In the early days of SQL Server and Windows, backups weren’t always easy to create. Sometimes you had to completely stop the SQL Server services to get full backups. It could be difficult to backup everything without a pre-backup script to stop required services and post-backup scripts to get everything running again.  In the last 10 years, however, a lot has changed. Microsoft has included a few technologies in Windows Server that facilitate the conversation between these different components to allow them to work better together. The main component behind all this success is the Volume Shadow Copy Service (VSS) introduced in Windows Server 2003. The idea is actually quite simple: create a Windows service that is able to coordinate the actions required to create a consistent shadow copy (also known as a snapshot or a point-in-time copy) of the data you want to backup. VSS operates at the block level of the file system. You can then use those shadow copies as your backup or you can take them to another disk or to tape as required, without affecting the running application at that point.

Continue reading “Understanding VSS and SQL Server”

Cybersecurity Tips for Grandparents in 2022

As we approach Grandparents Day on September 11th, we need to help educate our friends and family on a few easy to communicate cybersecurity tips to help them stay safe. Sometimes it can be difficult to communicate technical information in a way that non-technical people can understand and retain.

Stay Skeptical

Some people, especially older people, assume the best from people they interact with, even in a virtual environment. You should encourage them to never assume that a stranger online is a trustworthy person. Even if the message appears to come from someone they know, they should exercise caution when anything arrives via email, instant messaging apps, or social media. If in doubt, throw it out!

Don’t click that link

A phishing attack typically begins with an unsolicited email or social media message in which the fraudster impersonates a trusted entity and attempts to persuade you to hand over your sensitive data, such as credit card details or login credentials. Be wary of clicking on links or opening attachments in emails even if the message appears to be from a known and trusted source.

There is no free lunch

You didn’t win anything and you should never trade something of value for a chance any winning something. A message might warn you that time is limited and you don’t want to miss an opportunity to get a free prize, but never send money or your valuable information to collect a free prize. Never send anything of value (credit card data, gift cards, etc.) in response to these types of messages.

Never Send Money

Romance scams have been high on the list of the most common scams against seniors for many years, which may not be surprising in the sense that loneliness is one of the most common issues many seniors face. Never send money to anyone for any reason because it is probably a scam. Even if it is a loved one needing bail money, call the jail or bail bondsman directly to arrange payment.

When in doubt, Hang up

If you feel a con artist is on the other end of the phone, hang up immediately. If they are threatening you with jail time if you don’t send money, hang up and call the police to let them know what is happening.

Understanding the NIST Cybersecurity Framework

Summary

The Cybersecurity Framework Set was an optional standard created by the National Institute of Standards and Technology under the United States Commerce Department. This set of guidelines for private sector companies is intended to help them be  better prepared in identifying, detecting, and responding to cyber-attacks. It also includes some guidelines on how to prevent and recover from a cyberattack.

The NIST Cybersecurity Framework is intended to address the lack of standards when it comes to cybersecurity. As with almost everything else that deals with technology, there are currently major differences in the way companies are using technology to detect and remediate attacks from hackers, malicious users, and ransomware.

With the complexity and frequency of cyberattacks growing each day, the task of detecting and preventing cyberattacks has gotten too difficult and complex to be left to chance, and a lack of a strategy among most organizations only makes this effort more difficult.

Continue reading “Understanding the NIST Cybersecurity Framework”

Cloud Security Best Practice

There are several things you can do to improve the security of your online cloud environment. Protect your business assets by enabling specific controls when available.

  1. Access Control – Enable Multi-Factor Authentication (MFA) and Conditional Access when possible. This means requiring not just usernames and passwords to access your critical cloud-based systems, but also requiring multi-factor authentication. Instead of allowing user access with just something you know (password), also require a user to prove their identity with something they have (cellphone) or something they are (fingerprint). You may also be able to enable conditional access, which allows an administrator to add additional requirements to your login process, like only allowing you to log into the cloud environment using an authorized laptop, from a specific location, etc.
  2. Improve Security Posture – Use the tools available from your cloud provider to improve your overall security posture. Microsoft Azure offers a secure score rating, showing you recommended actions and comparing your security profile to other tenants. This can drive security changes that you may not even know are possible and provide instructions specific to your environment.
  3. Secure Your Applications – Train your developers in security best practices such as Security Development Lifecycle (SDL) and test for common development issues using OWASP as a guide. Encrypt everything possible, including all internal and external connections. All data that is stored or processed should also be encrypted. Your backups should be encrypted and stored in a secure location away from the production data. Review your relationships with all vendors to make sure it is crystal clear who is responsible for all aspects of your security. You are responsible for everything unless it is specifically stated otherwise in your vendor contract.
  4. Understand and Mitigate Risks – Use best practice guidelines to identify threats and build processes to protect all your systems from known threats, detect any attacks that malicious groups may use in an attack in your environment, and respond to threats and attacks before your systems can be compromised. You should utilize a security information and event management (SIEM) system to collect the logs from all systems. Once the logs are in a central location you can build alerts when specific events occur, as well as identify risky behavior before the systems can be compromised.
  5. Maintain Network Security – Even through the cloud moves systems outside of your on-premise environment, the proper configuration of your firewall is still very important. Controls still need to be in place to protect the perimeter, detect hostile activity, and respond to all possible threats. A web application firewall (WAF) protects web apps from common exploits like SQL injection and cross-site scripting. Using concepts like virtual networking and subnet provisioning, you can micro-segment your network to provide additional security as you work toward zero trust networking. Enable your endpoint firewall, like Windows firewall, to properly protect the endpoints as they move outside your protected on-premise network.

While protecting your company assets from a constantly evolving threat landscape can seem an impossible (and expensive) task, some basic security processes can start you down the path towards a best-practice security environment. Don’t try to do everything at once. Start simple with the goal of constant improvement.

Enable Windows Defender Application Guard in Windows 10

Windows Defender Application Guard is an extra security feature of Windows 10 that rolled out several years ago. When enabled, it implements a sandbox for the Microsoft Edge browser, including Internet Explorer supported sites using Edge. Windows Defender Application Guard for Microsoft Edge is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating systems, apps, and data.

Three core features of Windows Defender Application Guard:

  • Isolated Browsing – Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
  • Help Safeguard your PC – Windows Defender Application Guard starts up every time you visit a website that isn’t work-related to help keep potentially malicious attacks away from your PC.
  • Malware Removal – Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.

Windows Defender Application Guard uses Hyper-V virtualization technology to provide protection against targeted threats. It adds a special virtual layer between the browser and the OS, preventing web apps and the browser from accessing the actual data stored on the disk drive and in memory.

Prior to Windows 10 build 17063, the feature was exclusively available to Enterprise editions of Windows 10. Now, the feature is available to Windows 10 Pro users.

If you are running Windows 10 Pro build 17063 and above, you can try it in action.
Continue reading “Enable Windows Defender Application Guard in Windows 10”

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications to the compromised device, usually though a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attackers command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 Steps to a reducing a lateral movement attack:

Continue reading “10 Steps to Stopping Lateral Movement Attacks”

Online Risks for Children

Children face tremendous risks while they are accessing the internet. Parents are often worried about their children while they access online services and social media, without really understanding the risks or what they can do to mitigate the risks. Many parents feel that some online interactions are safer than others, without really thinking through the risks.

Let’s discuss some of the risks and what you can do to help protect your children.

  • Cyber Bullying – This is a fairly common problem, where children bully other children using various social media platforms, like Twitter and Facebook. This can seem fairly trivial to an adult, but children are more focused on social media and it can be devastating for a small child to be constantly receiving messages about themselves being different or not worthy of friendship or interaction. This can lead to social isolation, depression, and even suicidal thoughts.
    • The best action for a parent is to monitor their children’s social media messages and help filter the incoming messages to make sure you have an opportunity to filter out the harmful messages so they can be deleted, reported, or explained.
    • It is also important to monitor your child’s outgoing messages to make sure your child is not the source of problems for other children and their parents.
    • Explain to your child what cyber bullying is and why it is important to speak with you if they see messages that upset them or make them feel uncomfortable.
    • Don’t trivialize these events. Just because they seem unimportant to you doesn’t mean they don’t seem important to a young mind just starting to understand social interactions and online communication.
  • Radicalization – As you may have heard recently with news stories about a child or young adult that was convinced to join an extremist group or terrorist organization, it is possible to convince someone to commit violent attacks by inundating them with social media content and targeted messages to convince them a specific group or organization must be physically attacked.
    • Young minds are much more susceptible to this type of online radicalization than older people, so it may not sound like a real risk. It happens all the time and can start with altering their political alignment, which seems minor, all the way up to instigating a physical attack on a minority or other groups while they are at a school or other function.
    • Once the child is convinced their extreme political, social, or religious views are accepted by the online community, it can be very difficult to convince them to reject those views.  That is why it is important to monitor the online forums and content your child is exposed to, so you can help explain why those views are extreme or incorrect. You need to provide guidance to them about where to get moderate content and an accurate education to prevent a path to extremism.
    • If you feel the content is potentially criminal or dangerous, you can report the content to the police.
  • Identity Theft – While most children don’t have access to credit cards or cash, they are still the target of criminals. Children have identities, and those identities can be stolen and sold on the black market for people looking for new identities used to commit crimes like applying for credit cards, jobs, government benefits, etc.
    • Some studies have shown children are much more likely to have their identities stolen than adults. Children are not as savvy as adults in determining when someone is lying to them, and they are more likely to do what an adult tells them to do, so it can be easier to steal from children.
    • Talk to your children about what types of information to not share with strangers, including their last names, addresses, telephone numbers, birth days, etc. Explain the best ways to communicate online, and monitor communications to help identify issues before it leads to a crime.
  • Inappropriate Content – The internet is full of uncensored content tahat is considered dangerous to young children.  You can find shocking, violent, and pornographic material with a few simple internet searches, and you know what terms can get you to that content. A child may search for seemingly innocent terms that could result in a traumatic result. You don’t want them to stumble across violent acts that could include death, torture, or other despicable acts of violence.
    • Use the content filters. Many browsers include a “Kids” mode that helps block this type of content, so check your browser settings. Many search engines allow for a “Safe” mode to limit objectionable content. While no filter will be 100% effective, it can be helpful to make it much harder to be exposed to inappropriate content.
    • Being present when your child is conducting an internet search can be very helpful. This is your opportunity to help them learn how to correctly use a browser and search engine while also helping them with their search terms to quickly find the correct content.
  • Scams – Young children will often believe everything you tell them, and cyber-criminals have a lot of experience telling outlandish stories to scam people. It can be easy to dupe a child into telling them sensitive information or convincing them to send money to their online account using mom’s credit card or Venmo account.
    • Scams targeting children are often related to events in their world, like gaming scams where an online “friend” asks your child to buy them online gold in their favorite game and their “friend” will then send them extra lives.
    • An online message offering them a free Xbox if they just provide their address and phone number to enter an online contest seems like a sensible offer to a child, but an adult might ask a few questions before they give away information. A child will provide any information that is requested because they just want to win.
    • Discuss these types of requests with your child and make sure they know they should always come to you before engaging in these types of conversations.
  • Grooming – Children can be lured into some serious and dangerous situations in the physical world, so we are careful to teach our children not to talk to strangers, get into cars with strangers, take candy from strangers, etc. Then we allow our children to access the internet where millions of strangers have access to them. While we like to think that most people are good and don’t have malicious intentions with your children, you have to accept there are thousands of people online that see your child as an opportunity to groom your child to get what they want.
    • Grooming is just convincing someone to change their views and accept what they are being told is the better path, which is often specific to sexual activity. This can include convincing your child to ignore what mom told you and send nude pictures to them. It could escalate to having the child secretly meet with them, which could lead to sexual assault.
    • Children don’t have fully formed minds and can be convinced to do things that seem obviously bad or truly dangerous to an adult. Talk with your child and make sure they understand what conduct is allowed, and what is not allowed. You never want your child exposed to sexual content.
    • Children should be educated about what types of behavior is strictly prohibited and when they should come to you for help. If they report someone is asking for unusual or dangerous content, you should take that information seriously and do what is required to block their access to your child. You should also consider reporting the activity to the police.

There is a theme here: Spend some time with your children and make sure they know you are available to them as a resource to help them safely use the internet. You were not born with the knowledge of how to safely use the internet or communicate with strangers, and neither were our children. Make sure you provide an education and provide basic guidelines on how to use social media, how to interact with people on the internet, and what online activity is acceptable.

Tips for Parents

  • Limit Access – Don’t allow online activity 24×7, make sure there are well established expectations around offline and outdoor activities. This can mean turning off Wi-Fi or unplugging network cables to promote compliance.
  • Use Parental Filters – These programs can be installed on your child’s computer and only activities and content you allow are enabled on the computer. These filters aren’t 100% effective, but they can provide a baseline to help guide acceptable behaviors and report on attempts to bypass the filter.
  • Regularly review browser history – Your child’s computer will log all internet access so you can review what content was accessed by your child. This log will not always expose exactly what was done or discussed while on that site, but can be a good conversation starter with your child.
  • Find child-friendly solutions – There are child-friendly websites for many online activities, like email, social media, video sharing, educational content, etc. Check with other parents or teachers to see what they recommend or use to help decide if it will work for your family.
  • Communicate – Make sure your children know you are available to them when they want to discuss what they are experiencing online, both good and bad stuff. Find the time to ask them about what activities they are performing online, from gaming, homework, and talking to their friends. Don’t be afraid to listen to how they communicate with friends, teachers, remote family members, and strangers. Offer guidance to improve communication or celebrate with them when they make the correct choices.

Windows Security Checklist for Home Systems

While your IT Department may have a handle on enterprise security, not everyone is technical enough to feel confident that their home computer systems are secure from attack. Many people wonder where is the best place to start, what steps they can take that will make the most impact, and which systems are most likely to need attention.

While there are literally hundreds of settings you can alter and fine tune to adjust your specific system settings, we are going to focus on general security actions you can look into, each helping build a general security mindset that will hopefully get you started without feeling overwhelmed. As you begin with general security changes, you will become more confident in your abilities and less worried that you are breaking anything.

General Considerations

  1. Router – All the devices on your home network communicate with the router. This is the device usually supplied by your internet provider, that allows your home computers to access the internet. This is the access point where most attacks are going to come from, so you want to start here to make sure you have a secure connection to the internet.
    • The router has an administrator-level account, and you must change the default password so that an attacker can’t access your router and disable any security settings.
    • You’ll also want to check if the router is updated with the latest firmware. As vulnerabilities are discovered, the router vendor will provide updated software and you want to make sure your router is patched. This can usually be configured so the router will automatically install new patches, but sometimes this must be manually performed. You’ll want to make sure you investigate these settings and configure them appropriately.
    • You should also disable remote administrator access to your router. This will prevent an attacker from logging into your router unless they are directly connected to the router from your home network. If you need help from your internet provider, they will contact you anyway, so you can grant them access if you need their remote help.
    • You can search the internet with the specific make and model of your router to get the user’s manual or recommended settings.
  2. Wi-Fi Security Settings – Many routers include Wi-Fi, which allows your home computers to connect to the router wirelessly so you can easily access the internet. You’ll need to check the security on your wireless network to enable the basic security features.
    • In Security Settings, create a name for the Wi-Fi network (SSID) and a complex password, and then select a type of encryption, like WAP2. Do not name your Wi-Fi network something that can easily be associated with you, such as your last name or address.
    • When possible, you’ll want to use AES on top of WPA2. Advanced Encryption Standard is a newer encryption standard that should be available on routers built after 2006.
    • Wi-Fi Protected Setup (WPS) was created with the intention of making the user experience easier and quicker when connecting new devices to the network. It works on the idea that you press a button on the router and a button on the device. This makes both devices attempt to pair automatically. You’ll want to disable this feature, if possible, because it has a history of security issues.
    • You can also sometimes create a separate guest Wi-Fi network, if supported by your router. A separate guest network has some advantages, like not having access between the two networks. It not only provides your guests with a unique SSID and password, but it also restricts guests from accessing your primary network where your connected devices live. You never have to disclose your main Wi-Fi network password to guests or visitors since they only need to know the guest Wi-Fi password. You can easily change the guest Wi-Fi password when your guest leaves without having to log all your other devices back into the network.
    • You might also want to consider the Wi-Fi signal power. If people can detect your Wi-Fi from across the street or in a nearby home, there is a risk that they will also attempt to log into your network. You can sometimes adjust the router signal strength or physical placement of the hardware to reduce that risk.
  3. System Update – Now that you have a relatively secure network, you can start looking at the devices connected to that network. It used to be a network used from a laptop or desktop computer, but today you can have a multitude of devices that are connected for internet access. You can have a smart thermostat, doorbell camara, video game console, cellphone, coffeemaker, etc.
    • For each system involved, you’ll need to log into the device and make sure you understand how to check for firmware and operating system updates and attempt to configure the device to automatically check for and apply vendor updates, if possible.
    • For each system involved, review the available security and privacy settings to make sure the device meets recommended settings. Vendor websites are a good resource to help you complete this step.
    • This might also be a good time to determine if the device really needs internet access. If the device is using internet access just to allow you to remotely access the device from the internet, for example, you need to ask yourself if you ever plan on using this feature. If you don’t need the feature, you may be able to disconnect the device from your network and reduce your overall risk profile.
  4. Security Suite – For your major devices like laptops and desktops, you should install and properly configure anti-malware and anti-virus software. There are various free versions available, so research a few vendors and find a solution that meets your needs. Make sure you use a vendor that you can trust.
    • Installing an anti-virus solution with default settings is rarely enough to really protect your computer. You’ll want to look at the available settings and properly configure the solution to provide the security you are expecting. Many vendors will guide you to using the best settings.
  5. Installed Programs – Review each program installed on the computers on your network and determine if those programs are still needed.
    • Maybe you installed a game a few years ago and haven’t used it since that one boring weekend. Now is a good time to uninstall or delete all the unneeded programs that are not essential.
    • If the program doesn’t look like something you need, and an internet search doesn’t answer the question around why it is installed, now is a good time to remove the program. It can be difficult to research something you don’t recognize, but a good internet search should answer your questions.
    • Now that you know what should be installed, a periodic check would help you quickly recognize when something new and unauthorized has been installed. If you do a periodic visual scan of installed applications every couple of months, this will be an easy security check to keep the device as clean and secure as possible.
  6. Program Updates – On your computer, you probably have several programs installed that you may not use very frequently. This could include word processing or spreadsheet suites, but it might also include specialized utilities or even games. All of these need to be patched because vendors periodically update their software to add new features and remove security vulnerabilities.
    • Check each application to see if patching can be automated. There should be a way to manually check for updates, but an automated check will make this process much easier.
    • If the program is older or doesn’t support regular updates, you should consider uninstalling or deleting the application. Each situation is unique, but you need to evaluate the risk if that one old program were compromised and allowed remote access to your computer.
  7. Password Hygiene – Now is also a good time to determine if you need to change your passwords. Easy to remember passwords are usually easy to guess passwords. You should really think about what makes a good password and make sure you change all your passwords to meet current best practice guidelines.
    • You can read more about selecting a better password here. You’ll want to select a really good and unique password for every account. You may need a password manager to store all your passwords, which can encourage longer and more random password selection.
    • Never use the same password for two different accounts. If you are using the same password for LinkedIn as you use for Netflix, if one account is compromised the attacker can use that same password to log into potentially sensitive information from a different account.
    • If you haven’t changed the password recently (within the last 90 days) then change the password now. That will make sure that starting today you are following best practice with your password selection.
    • If you hear one of your online accounts may have been compromised, don’t wait for the service to contact you with the bad news. It takes only a couple of minutes to change a password.
    • If you no longer use the online service, see if the online account allows you to delete or disable the account to reduce your online risk profile.
  8. Firewall Rules – Each computer you use probably has a firewall installed. The Windows Firewall is rarely used and it can be a great tool for limiting online access to your computer. You can essentially use the Windows Firewall to block remote access to your computer using specific ports and protocols, which can make a remote attack very difficult. It can be a little technical on how to configure the Windows Firewall correctly, so make sure you do your research and take notes on any changes you make so you can undo the changes if you find something has stopped working.
    • You can read more about how to get started with the Windows Firewall here. Don’t be afraid to do some internet searches to find some recommended settings.
  9. File Backup – So you have your home network secured, and the devices on that network are also more secure, and the accounts used to log into those devices are more secure. That is all great news, and you can continue to improve on that security as you learn more and have more technical confidence. But you are not completely safe, because a determined attacker is probably more technical than you and knows more tricks to successfully attack your systems. All is not lost, because you can create a fail-safe plan for recovery even if your files are deleted, scrambled, or encrypted to prevent your immediate access.
    • Backup your important files to a safe location. You can manually backup your files to an external disk drive or thumb drive. While not perfect, it can be a cheap and effective way to keep an external copy of important files where an attacker can’t find them. Just be sure to remove the external drive every time you finish the manual backup. Some people store the external drive in a fireproof safe.
    • An online backup service can make automated backups to a secure folder on the internet fast, easy, and low cost. While the amount of space available and cost can vary widely, a little shopping around can allow your entire family to back up their computers for about $100 a year. That is an inexpensive insurance policy if things go sideways.
  10. New Devices – While all the about steps will take some time and energy, you have to remember that this isn’t a one-time effort. As you add new devices to your home network, you have to review these steps again to make sure the new device isn’t the weakest link in your home network.

Protecting your family starts with taking responsibility for your home security, and that includes your home network. If you perform all these steps, you are well on your way to a safer and more reliable home network.

5 Reasons to Consider Insider Threats

If you look at studies about how businesses really operate, you’ll find statistics that indicate many users share their passwords with friends and coworkers and that about a 1/3 of terminated employees still have access to their former accounts.

That should concern your company leadership team as well as IT management. Organizations spend a lot of time and money implementing security controls in an effort to manage user permissions, and they still don’t always get them correct.

Another statistic that should worry you is the growing instances of insider incidents in the past couple of years. The rate of attacks attributed to internal employees has risen sharply, with some statistics showing a 44% increase in these types of difficult to detect and highly effective kinds of attacks. If this can happen in your organization, what about your business partners, suppliers, and consulting companies?

Facts to Consider:

  1. The cloud doesn’t make detection easier – Most technology professionals will tell you that cloud-based applications make it even harder to detect malicious activity. Insiders with malicious intent can gain temporary or permanent access to your most critical applications in a cloud environment (IaaS, SaaS, PaaS) and cause havoc.
  2. Trusted Access Means Easier Attacks – Just because your key employees might need elevated permissions to perform their daily functions doesn’t mean they should be doing whatever they want whenever they want. Management needs to build structure to normal daily activity and structure alerts and reporting around abnormal behavior. This allows management to ask questions and detect fraud before major damage can happen.
  3. Guard Sensitive Data – Sensitive data (employee data, employee data, credit card data, corporate secrets, etc.) is usually the target of malicious attackers, even insiders. They may want to collect and sell the information to competitors, foreign governments, protesters, or to other hackers to help them with their future attacks. They could just want the data for blackmail, thinking they can never be fired if they hold copies of all your sensitive data.
  4. Breaches Happen Slowly – Data breaches rarely happen in one night, with a hacker breaking into your network and stealing your data while you sleep. Data stolen by insiders usually happens over weeks, months, or even years. You also probably won’t detect that data has been copied or deleted overnight. It can take many organizations months or years to even detect that something is wrong.
  5. Insider Threats are Huge – If a trusted and valuable employee turns rogue, just think of all the systems, file shares, data, and files they have access to each day. If they decided to start stealing your files and data, how long might it take for you to detect their activity, or even if you did detect something was wrong, how long would it take before you suspected that valued employee?

How to identify an insider threat: Continue reading “5 Reasons to Consider Insider Threats”

The Future of Risk, Compliance, and Governance (GRC)

 

After two years of a global pandemic, mature organizations must implement a Risk, Compliance, and Governance (GRC) program that provides visibility into existing and emerging risks, helps simplify the understanding and communication of risks across the business, provides actionable risk intelligence to decision makers, and ensures an agile response to unknown threats. This is the path forward if a business wants to thrive in today’s highly unsettled business environment.

As businesses look forward to what new threats exist, they find themselves asking what is the next major risk event that they should be prepared to respond to or geopolitical event that will immediately impact their business strategy. We can always predict the next event, or how successful our response will be to minimize the business impact, but we can prepare for the worst and hope for the best, and that requires some basic preparation.

Risks are Connected

With the interconnected nature of modern business systems, you have to understand that everything is interconnected today.  The intersection of systems, people, various projects, organizations, and risks among cybersecurity, third-party teams, compliance efforts, operational risks continue to be more complex and difficult to quantify as systems get more complex and interconnected in the future. You cannot look at these risks as isolated to specific systems or personnel, but as all interrelated and connected to provide a complete risk picture. Continue reading “The Future of Risk, Compliance, and Governance (GRC)”

What is an Enterprise Architect?

Wikipedia defines an Enterprise Architect (EA) as is “a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a holistic approach at all times, for the successful development and execution of strategy. Enterprise architecture applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies. These practices utilize the various aspects of an enterprise to identify, motivate, and achieve these changes.”

On a daily basis, an EA’s activities can change quickly and dramatically. I won’t go into organizational models of enterprise architecture organizations. but we’ll explore the role and responsibilities of an EA. Understanding the role of an EA will help us understand the typical daily challenges.

Skills

Technology expertise is an obvious skill required for a true EA, but technology skills are not the only skills you will need. There are other essential skills:

  • Motivational – EAs must be able to motivate and inspire. A large part of the job is to influence or evangelize ideas.
  • Negotiation – There will be times at meetings when an EA must negotiate to get things accomplished.
  • Critical Thinking – Being able to think quickly and see the “big picture” is essential
  • Problem Solving – EAs must be able to evaluate and solve problems
  • Big Thinking – An EA must avoid tunnel vision and being able to look at a problem from multiple angles
  • Business savvy – To really understand how technology will affect the business
  • Process Orientation – Thinking in terms of process is essential for an EA
  • People Skills – An EA’s job requires interacting with people constantly

Challenges

There are impacts to multiple areas, each of which has its own unique set of challenges. The three major areas that should be considered are:

  • Production Processes – These processes support the promotion of software to production environments, change management, and support of solutions after they are in production.
  • Production Systems – Systems that are in the production environment are often not isolated; they are deployed and configured into environments that have dependencies and restrictions.
  • Production Teams – Teams that support and deploy these solutions have unique processes and procedures. There is both a process and an organizational perspective on this.

Production Processes

EAs should be mindful of production processes because they affect the cost, quality, and resiliency of software. EAs can have a positive impact on these processes by being involved in the following core production processes:

  • Configuration Management – EAs can optimize these efforts, both in the design of the architecture and in providing insight into the rest of the organization, possibly standardizing this process.
  • Change Management – EAs are typically not involved in this process, but they need to be mindful of the impacts to solutions since they could have many different relationships with other solutions and altering a solution could create downstream challenges.
  • Incident Management – EAs do not generally engage in this process either, but they need to be mindful of it because incident management data can be of great value. The data collected here can correlate with other data to help EAs gauge how much an architecture costs.

Production Systems

EAs perform a set of activities that involve existing production systems quite often. By doing so, they serve multiple roles, both in participation and leadership for the following activities:

  • FutureState Architecture – When EAs determine a direction for a set of business problems, a solutions road map and architecture envisioning occurs.
  • CurrentState Review – This process involves an EA engaging with a LOB owner or post-production maintenance teams.
  • Strategic Initiatives – EAs can shape strategic initiatives that result when other forces besides a formal planning process trigger evaluation of current solution architectures.

EAs encounter both technology and operational aspects when reviewing and re-architecting solutions. It’s important to keep in mind that these concerns are not just related to software, but can include a mix of hardware, communications, and software aspects. These aspects stem from a set of enterprise functions, which include:

  • Shared Services – EAs consider whether or not particular solutions should use shared services.
  • Solution Dependencies – Solutions often communicate with other solutions for additional functionality. Unless the current state architecture is fully mapped, there is a seemingly endless amount of interdependencies throughout enterprises.
  • Environments – EAs often consider unified management and consolidation of platform environments.
  • Constraints – EAs take in limitations or constraints to architectures for various reasons. Some COTS-based solutions limit the API usage, for example, while other custom-developed solutions are built not to be extensible.

Production Teams

Various post-production maintenance teams are required to do most work on existing architectures, because design documents are created during the SDLC process that can quickly become outdated. Unless the architecture is fully documented through the post-production life cycle, EAs rely on these teams. Teams that are engaged usually consist of:

  • Maintenance Team
  • Operations Team
  • User Support Team

These teams offer perspective into multiple domains of consideration when making architecture decisions.

You can find more information on EAs here.

How to Spot a Bad Boss During an Interview

In a Harvard Business Review article by Sara Stibitz, she outlines how to spot a terrible boss during the interview process. The process is a fairly well-known list of items to watch for during an interview, but it doesn’t hurt to remind you of those items you should be aware of during this important process.

You should know what kind of person you respond well to, and make sure your new boss meets those requirements. You might not have a choice when looking for that new job, but if you do have a choice, you should also interview that new boss to make sure he or she is someone you can spend a lot of time with.

You should also trust your instincts to make sure if it feels wrong, abort the process and look elsewhere for an open position. The interview process is a lot like dating in that everyone is on their best behavior during the interview process. People dress up and at least act like they care about you and the company. If you can’t stand them or if they appear to have habits that seem annoying or unprofessional, it probably won’t get better after the job starts.

Ask a few well-crafted questions to determine how the day-to-day assignments are handled and whether the overall management style will fit with your work style and personality. If you like a little extra flexibility in how to complete tasks and the description from your prospective manager indicates they like to exert a lot of strict controls, you might not be a good fit for this position.

Always do your research before you appear for your scheduled interview. Check for specific comments about the company or department, and also see what you can find out about the prospective manager. Most people start with LinkedIn and Facebook, then go to sites like Glassdoor to get the details on complaints or former employee reviews. If you have doubts about someone or a company, it doesn’t hurt to start asking questions to anyone who might have some answers.

Principles to Remember

 Do:

  • Pay attention to how the manager treats you throughout the interview process
  • Research the manager, and if possible, find former employees to ask for their perspective
  • Request to spend a half-day at the organization so you can interact with your potential colleagues and boss

Don’t:

  • Ignore your gut instincts about the manager as you go through the interview process.
  • Ask direct questions about leadership style — you’re unlikely to get an honest answer, and they might signal with their response that you don’t want the job. Feel out their style using simple questions to determine if they manage or lead their team.
  • Neglect to look up your potential boss’s social media profiles.

Common Active Directory Mistakes

Because of the need for Windows-based security, we commonly use Active Directory (AD) to manage user privileges. This also presents numerous challenges for administrators tasked with managing that environment and keeping critical business files safe and secure. Damage can be done by those accounts with elevated privileges, but sometimes vulnerabilities are introduced by administrators poorly managing AD. The best practices outlined by Sarbanes-Oxley and PCI audit requirements can help prevent some security issues, if you follow those best practices in a consistent and reliable way all the time. Sometime people make mistakes, and we have listed common mistakes:

  1. Users as domain administrators. Non-administrative users should not have administrative rights. Even administrative users should have a normal account that they use all the time, and a separate administrative account they only use when actually performing functions requiring elevated privileges. Ignoring the concept of least privilege is a major security issue.
  2. Accounts with elevated credentials. Most security aware organizations avoid this common mistake by giving users with elevated privileges, such as a domain administrators, a normal account to log onto their machine and a privileged account for elevated access. The main reason for the separation is to avoid security breaches such as a simple drive-by download or email attack. This also includes keeping the user accounts out of the local administrator account.
  3. Disable Object Protection. Make sure you do not disable simple warning asking you if you are sure you want to delete objects in AD. You don’t want to accidentally delete an object if it can be avoided. A better option would be to never turn off object protection.
  4. Keep obsolete accounts. Enabled user accounts that aren’t actively being used are one of biggest security threats in any organization. Develop a plan to disable and ultimately delete obsolete accounts within 60-90 days of inactivity. This can be accomplished with an automation script to third-party tools.
  5. Single Expert. A mistake many small organizations make when it comes to mission critical operations is having all their eggs in the basket of a single expert who is the only one that can make changes to AD.  You need to make sure at least two people understand, have access to, and can create and modify any AD settings in your environment.  This prevents the single point of failure in case the person who is the expert leaves the organization or is out of town for a few days and can’t be reached in an emergency.
  6. Poor Active Directory Design. Create a simple to understand and simple to maintain AD structure that is difficult to use incorrectly. Complexity breeds mistakes, so keep the structure and objects as simple as possible.
  7. No Incident Recovery plans. If someone deletes 10,000 directory objects today, how quickly can you recover AD back to normal? If an automated script improperly disables thousands of users, how do you plan to recover? Planning and testing recovery options are a must for all organizations to quickly recover from mistakes. Plan for the worse possible scenarios, and hope for the best. Have a written plan, and test different scenarios at least once per calendar year.
  8. Don’t modernize. Do not allow your core of network security to fall behind on technology. You may not want to upgrade your users to the latest version of Windows, but you should keep your AD environment up to date and never allow your environment to fall behind with the latest security improvements and features. Each and every security patch and Windows update needs to be tested and applied as a top priority.
  9. Share Accounts.  Each and every user should have their own network account. There should never be users sharing user accounts.
  10. No Password Changes. Users will never change their password if you don’t force them to change their passwords. You should force your users to change their password at least every 90 days, especially if your compliance rules require this setting.

You can get more information about Active Directory here.

SQL Server Configuration Recommendations

SQL Server Recommendations

The following is the list of general recommendations that are made for your installation of SQL Server. Each instance of SQL Server is unique, so you may have specific configuration requirements that are outside of these recommendations. You will often hear “it depends…” when discussing specific recommendations. People often ask about general recommendations, which is really just a place to start when you are beginning to configure your new server.

  • Always use Page Checksum to audit data integrity.
  • Consider using compression for read-only filegroups for higher storage efficiency.
  • Use NTFS for security and availability.
  • Use instant file initialization for performance optimization.
  • Use manual file growth database options.
  • Use partitioning (available in Enterprise Edition) for better database manageability.
  • Storage-align indexes with their respective base tables for easier and faster maintenance.
  • Storage-align commonly joined tables for faster joins and better maintenance.
  • Choose your RAID level carefully. For excellent performance and high reliability of both read and write data patterns, use RAID10. For read-only data patterns, use RAID5. Compared to RAID0, all other RAID levels have lower write performance, all else being equal, because RAID0 does not have redundancy. You do not want to use RAID0.
  • For optimized I/O parallelism, use 64 KB or 256 KB stripe size.
  • Although disk performance is commonly attributed to the disk seek time and rotational speed, the amount of cache also plays a role. For servers that frequently perform sequential workloads, like SQL Server, having a large disk cache is often times more important than seek time. Important – Make sure that the cache is backed up by battery.
  • For future scalability and ease of maintenance, use volume mount points.
  • To increase bus bandwidth reliability, use multipathing software.
  • For small servers with less than three disks performing mostly sequential I/O, or servers with approximately eight disks performing random I/O, PCI is sufficient. However, PCI-X is recommended and can service a wider range of servers with varying workload size.
  • Directly attached I/O is recommended for small- to medium-sized servers.
  • SAN systems are recommended for larger servers.
  • NAS systems are not recommended. Use iSCSI instead.
  • For better recoverability, use a SCSI interface instead of SATA and IDE.
  • For larger server loads, use SCSI or SATA with TCQ support.
  • Store transaction logs separate from data files. Do not stripe on the same disk as the data files.
  • For large bandwidth demands on the I/O bus, use a different bus for the transaction log files.
  • The number of data files within a single filegroup should equal to the number of CPU cores. This includes the TempDB and user database files.
  • Don’t assume the person configuring your server knows anything about SQL Server performance versus Windows server performance.

Who is Connected using SSMS to your SQL Server Database

Which users are connected to your database using SQL Server Management Studio? This may be helpful in quickly determining which users are directly connected vs. those connected via an application.

SELECT CO.client_net_address,SE.host_name,SE.login_name,ST.textFROM   sys.dm_exec_sessions SE   INNER JOIN sys.dm_exec_connections CO   ON SE.session_id = CO.session_idCROSS APPLY sys.dm_exec_sql_text(CO.most_recent_sql_handle) STWHERE  SE.program_name LIKE 'Microsoft SQL Server Management Studio%'ORDER BY SE.program_name,  CO.client_net_address;

This should work in SQL Server 2005+

History of SQL Server

Have you seen the video on the history of SQL Server?

Microsoft released its first version of SQL Server in 1988. It was designed for the OS/2 platform and was jointly developed by Microsoft and Sybase. During the early 1990s, Microsoft began to develop a new version of SQL Server for the NT platform.

This post has really useful information on the subject of SQL Server history, written by Euan Garden.

The SAF (SQL Admin Facility) interface from SQL Server 1.1:

This article lists some early notes about the development:

“While it was under development, Microsoft decided that SQL Server should be tightly coupled with the NT operating system. In 1992, Microsoft assumed core responsibility for the future of SQL Server for NT. In 1993, Windows NT 3.1 and SQL Server 4.2 for NT were released. Microsoft’s philosophy of combining a high-performance database with an easy-to-use interface proved to be very successful. Microsoft quickly became the second most popular vendor of high-end relational database software. In 1994, Microsoft and Sybase formally ended their partnership. In 1995, Microsoft released version 6.0 of SQL Server. This release was a major rewrite of SQL Server’s core technology. Version 6.0 substantially improved performance, provided built-in replication, and delivered centralized administration. In 1996, Microsoft released version 6.5 of SQL Server. This version brought significant enhancements to the existing technology and provided several new features. In 1997, Microsoft released version 6.5 Enterprise Edition. In 1998, Microsoft released version 7.0 of SQL Server, which was a complete rewrite of the database engine. In 2000, Microsoft released SQL Server 2000. SQL Server version 2000 is Microsoft’s most significant release of SQL Server to date. This version further builds upon the SQL Server 7.0 framework. According to the SQL Server development team, the changes to the database engine are designed to provide an architecture that will last for the next 10 years.”

If you are just interested in the sequence of events the following timeline by Raksh Mishra summarizes the development history of SQL Server:

  • 1987 Sybase releases SQL Server for UNIX
  • 1988 Microsoft, Sybase, and Aston-Tate port SQL Server to OS/2
  • 1989 Microsoft, Sybase, and Aston-Tate release SQL Server 1.0 for OS/2
  • 1990 SQL Server 1.1 is released with support for Windows 3.0 clients. Aston-Tate drops out of SQL Server development
  • 1991 Microsoft and IBM end joint development of OS/2
  • 1992 Microsoft SQL Server 4.2 for 16-bit OS/2 1.3 is released
  • 1992 Microsoft and Sybase port SQL Server to Windows NT
  • 1993 Windows NT 3.1 is released
  • 1993 Microsoft and Sybase release version 4.2 of SQL Server for Windows NT
  • 1994 Microsoft and Sybase co-development of SQL Server officially ends
  • Microsoft continues to develop the Windows version of SQL Server
  • Sybase continues to develop the UNIX version of SQL Server
  • 1995 Microsoft releases version 6.0 of SQL Server
  • 1996 Microsoft releases version 6.5 of SQL Server
  • 1998 Microsoft releases version 7.0 of SQL Server
  • 2000 Microsoft releases SQL Server 2000
  • SQL Server 2000 Service Pack 1 – Release date: June 12, 2001
  • SQL Server 2000 Service Pack 2 – Release date: November 30, 2001
  • SQL Server 2000 Service Pack 3 – Release date: January 17, 2003
  • SQL Server 2000 Service Pack 3a – Release date: May 19, 2003
  • SQL Server 2000 Service Pack 4 – Release date: May 6, 2005
  • 2005 Microsoft releases SQL Server 2005 on November 7th, 2005
  • SQL Server 2005 Service Pack 1 – Release date: March 18, 2006
  • SQL Server 2005 Service Pack 2 – Release date: March 5, 2007
  • SQL Server 2005 Service Pack 3 – Release date: December 15, 2008
  • 2008 Microsoft releases SQL Server 2008 RTM on August 2008
  • SQL Server 2008 Service Pack 1 – Release date: August 27, 2009
  • SQL Azure
  • Microsoft released SQL Server 2008 R2 RTM on April 21, 2010
  • SQL Server 2008 Service Pack 2 – Release date: September 29, 2010
  • SQL Server 2011, Code name Denali CTP1 Release date: November 8, 2010
  • SQL Server 2005 Service Pack 4 – Release date: December 17, 2010

These are also some (humorous) details from Kevin Kline at this site.

Disaster Recovery Planning

In your business, you are probably the only one tasked with understanding what types of disasters can strike your business and the task of planning to prevent those disasters from bringing down the business. As Alan Lakein said many years ago, “Failure to plan is planning to fail”. As an information technology professional, one of your many tasks is to understand the risks to your business systems and plan to prevent or overcome those risks from impacting your business.

About 40% of businesses do not re-open after a disaster and another 25% fail within one year according to the Federal Emergency Management Agency (FEMA). Similar statistics from the United States Small Business Administration indicate that over 90% of businesses fail within two years after a disaster.

Continue reading “Disaster Recovery Planning”

Best Practice: Stored Procedure Optimization Tips

SQL Server performance isn’t a simple checkbox you check that improves database performance. You have to look at many different factors to gain incremental improvements. Each change might give you a 5-10% improvement, but 10 changes might lead to a 50-80% improvement to the speed of your stored procedure.

In this article by Pinal Dave, we see some of the most common tweaks to your stored procedures that should be addressed as a best practice in your environment.

  • Include SET NOCOUNT ON statement: With every SELECT and DML statement, the SQL server returns a message that indicates the number of affected rows by that statement. This information is mostly helpful in debugging the code, but it is useless after that. By setting SET NOCOUNT ON, we can disable the feature of returning this extra information. For stored procedures that contain several statements or contain Transact-SQL loops, setting SET NOCOUNT to ON can provide a significant performance boost because network traffic is greatly reduced.
CREATE PROC dbo.ProcName AS SET NOCOUNT ON; --Procedure code here SELECT column1 FROM dbo.TblTable1 -- Reset SET NOCOUNT to OFF SET NOCOUNT OFF; GO
  • Use schema name with object name: The object name is qualified if used with schema name. Schema name should be used with the stored procedure name and with all objects referenced inside the stored procedure. This help in directly finding the complied plan instead of searching the objects in other possible schema before finally deciding to use a cached plan, if available. This process of searching and deciding a schema for an object leads to COMPILE lock on stored procedure and decreases the stored procedure’s performance. Therefore, always refer the objects with qualified name in the stored procedure like
SELECT * FROM dbo.MyTable -- Preferred method -- Instead of SELECT * FROM MyTable -- Avoid this method --And finally call the stored procedure with qualified name like: EXEC dbo.MyProc -- Preferred method --Instead of EXEC MyProc -- Avoid this method
  • Do not use the prefix “sp_” in the stored procedure name: If a stored procedure name begins with “SP_,” then SQL server first searches in the master database and then in the current session database. Searching in the master database causes extra overhead and even a wrong result if another stored procedure with the same name is found in master database.
  • Use IF EXISTS (SELECT 1) instead of (SELECT *)
  • Use the sp_executesql stored procedure instead of the EXECUTE statement

You can read the entire article here.

Common Database Design Mistakes

When creating a new database instance, people will often make mistakes. While I can’t list all the mistakes that people can or will make, I hope this brief list will help you know what mistakes are possible, and help guide you to not making as many mistakes. Sometimes we attack a design problem with the idea that we will just get the work done, but most times it is better to take the extra time to do it right.

I’m not perfect, and I have made these (and many other) mistakes in database design. I’m not trying to tell you what to do or even how to do it. I’m just trying to take my lessons learned and provide a simple list so that you might not make the same mistakes. I also want to point out that no list will ever be the only way to do anything. With database design questions, the best answer is usually “it depends”. When considering the many variables that make up your environment, you will need to make many decisions that help your database instance work best in your unique environment. You have to take into account the personnel you are working with, the limits of your hardware, company policies, etc.

Database design and implementation is the cornerstone of any database related project and should be treated will the importance that deserves. If you do your job really well, people will tend to minimize how important your job is in getting their projects completed. Like a police department that does a good job catching and locking up criminals, people start wondering why they need so many policemen when the crime rate goes down. People might start asking why they need your help in getting good database design, but it will only take a few failed projects for them to come back to you for your professional help.

Continue reading “Common Database Design Mistakes”

Top 50 Tables with Stale Statistics in SQL Server

SQL Server uses statistics in the Query Optimizer (QO) to create query plans that have the best possible query performance. The Query Optimizer already generates the necessary statistics for a high-quality query plan for most queries. Statistics for query optimization are binary large objects (BLOBs) that contain statistical information about the distribution of values in one or more columns of a table or indexed view. The Query Optimizer uses these statistics to estimate the cardinality, or number of rows, in the query result. These cardinality estimates enable the Query Optimizer to create a high-quality query plan. These statistics can become stale after certain INSERT, UPDATE and DELETE operations which involve a large number of rows.

A histogram measures the frequency of occurrence for each distinct value in a data set. The query optimizer computes a histogram on the column values in the first key column of the statistics object, selecting the column values by statistically sampling the rows or by performing a full scan of all rows in the table or view. If the histogram is created from a sampled set of rows, the stored totals for number of rows and number of distinct values are estimates and do not need to be whole integers.

Continue reading “Top 50 Tables with Stale Statistics in SQL Server”

Hard Drive RAID Levels Explained

What is RAID?

RAID stands for Redundant Array of Inexpensive Disks. It is a technology used to distribute data across multiple hard drives in one of several ways called “RAID levels”, depending on what level of redundancy and performance is required.

Wikipedia defines RAID as “a data storage virtualization technology that combines multiple physical disk drive components into one or more logical units for the purposes of data redundancy, performance improvement, or both. Data is distributed across the drives in one of several ways, referred to as RAID levels, depending on the required level of redundancy and performance. The different schemes, or data distribution layouts, are named by the word “RAID” followed by a number, for example RAID 0 or RAID 1. Each schema, or RAID level, provides a different balance among the key goals: reliability, availability, performance, and capacity. RAID levels greater than RAID 0 provide protection against unrecoverable sector read errors, as well as against failures of whole physical drives.”

In environments where speed and redundancy are required, you need to select the proper RAID level that matches your requirements and budget. In general, a RAID-enabled system uses two or more hard disks to improve the performance or provide some level of fault tolerance for a NAS or server.

There are several RAID concepts that you must also understand:

Continue reading “Hard Drive RAID Levels Explained”

%d bloggers like this: