Home page logo
/

basics logo Security Basics mailing list archives

Re: Was Re: RAID 5 drive replacement schedule - Now "Availability"
From: "Mike Hale" <eyeronic.design () gmail com>
Date: Fri, 20 Jun 2008 14:10:24 -0700

Availability is allowing your authorized users to access the data when
they need to.

"that in its self is not _always_ a security concern, but it can be."
I disagree with you.  Availability is a fundamental portion of it
because without availability, that data is useless.  If you don't have
access to it when you need it, I think your security system has
failed.

You're also correct that if a system crashes, data is no longer
available.  Sometimes, attacks on a network seek to do just that.

As far as the definition of security (especially in terms of data),
papers have been written trying to pin it down.  I think at it's most
basic, however, is CIA.  Confidentiality, Integrity and Availability.

It's about preventing unauthorized access and change while maintaining
it's useability to authorized users.

On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:
Mike,
       Thanks for responding so quickly, this is an interesting argument.

When you talked about availability, you did not say "data availability".
Even with "data availability" being the subject, that in its self is not
_always_ a security concern, but it can be.

Can you provide me with your definition of Availability with respect to
Security?

Availability is not vague, nor "can" it have a role in security.  It's
in integral part, along with Confidentiality and Integrity.  If it's
ignored, the system itself has already failed, and is simply waiting
for someone to come along and take advantage of it.

If a system crashes it is not available, its data is not available, and it
can not be taken advantage of. If the data can't be accessed then isn't it
more secure than it was when it was available?

Can you also provide me with your definition of security?





Regards,
       Adriel T. Desautels
       Chief Technology Officer
       Netragard, LLC.
       Office : 617-934-0269
       Mobile : 617-633-3821
       http://www.linkedin.com/pub/1/118/a45

       Join the Netragard, LLC. Linked In Group:
       http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Mike Hale wrote:
"That is not a security issue though. That is an IT related issue"
You're correct on that one, and I have no disagreement.

Going back to CIA and the pyramid...

"so on don't hold much water in my opinion."
So you're saying that data availability is marketing speak and not
something that needs to be built into a security system?
Seriously?

"What does creating a drive replacement schedule have to do with security"
That's not what i was addressing.  I was addressing your statement
that "Availability is a vague term that can, but does not always have
a role in security."
Availability is not vague, nor "can" it have a role in security.  It's
in integral part, along with Confidentiality and Integrity.  If it's
ignored, the system itself has already failed, and is simply waiting
for someone to come along and take advantage of it.

On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:

Mike,
      First off, there are multiple "security pyramids", each of them
different, most of them created for marketing, sales, etc. So CYA,
TESSM,
and so on don't hold much water in my opinion.

      With that aside, I'm open to being educated but I still disagree
that
creating a drive replacement schedule requires any security expertise.
As
such I do not see the subject as being a security topic. There are
certainly
aspects of security that can be impacted by the act of changing the
drives,
I won't argue that. So...

What does creating a drive replacement schedule have to do with
security?
Educate me.


Regards,
      Adriel T. Desautels
      Chief Technology Officer
      Netragard, LLC.
      Office : 617-934-0269
      Mobile : 617-633-3821
      http://www.linkedin.com/pub/1/118/a45

      Join the Netragard, LLC. Linked In Group:
      http://www.linkedin.com/e/gis/48683/0B98E1705142


---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Mike Hale wrote:

Philippe is actually correct.

CIA forms the security pyramid.

Confidentiality.
Integrity.
Availability.

That's the three components of data in a secure system.  Most
companies can only afford to focus on one of those aspects, but if you
ignore the others, you don't have a secure system.

On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:


Philippe,
     I disagree with you and I think that the definition of security


that


you provided is partial, but thats just my opinion. Availability is
a


vague


term that can, but does not always have a role in security.
Determining


what


the proper schedule is for a drive replacement policy is something
that


can


be done by IT without the security team. Deciding how to dispose of
the
drives on the other hand is security.


Regards,
     Adriel T. Desautels
     Chief Technology Officer
     Netragard, LLC.
     Office : 617-934-0269
     Mobile : 617-633-3821
      http://www.linkedin.com/pub/1/118/a45

     Join the Netragard, LLC. Linked In Group:

http://www.linkedin.com/e/gis/48683/0B98E1705142





---------------------------------------------------------------


Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Rivest, Philippe wrote:


Adriel & Murda

It is a security issue the way you store your data. In regards to
the



raid



technologies, raid 5 improves the availability of the data by
making



sure



that a single drive failed will not impact the availability of the



data.



Remember that security is 1- Confidentiality
2- Availability
3- Integrity

The main goal of a Raid 5 is to help #2. You are referring to the



disposal


of


the HD which is the issue of confidentiality and that is not what



Murda


was


aiming at. If it is, go for encryption, degaussing, destruction
and



just



plain format (if the data is not confidential).

As I explained to him offline, the MTTF and MTBF is about the same
for



2


HD


bought/constructed at about the same time. How ever, those are not


absolute


numbers that state that, if one drive fails the other one is about
to



go


too.


It's more an estimated value against which you should have some
confidence/hope, your drive should not fail before X hours (it
could



go



before but the average is X).

In a raid 5, Drive A, B and C are online and working (they are the



same


drive


bought at the same time). Drive A fails, you should NOT change
drive B



& C



unless they are failing also. If you do, the cost of your raid 5
will



be



greater then what it should be (the replacing of the parts are
going



to


cost


a lot). Change drive A and hope drives B & C will last longer.


The only issue is that 2 drives fail at the same time, which is
very
improbable. And if it does, you should be going for your back ups.


I do hope this clarified the questions and that I wasn't to
unclear



with


my


details!

Merci / Thanks
Philippe Rivest, CEH
Vérificateur interne en sécurité de l'information
Courriel: Privest () transforce ca
Téléphone: (514) 331-4417
www.transforce.ca


-----Message d'origine-----
De : listbounce () securityfocus com



[mailto:listbounce () securityfocus com] De


la


part de Adriel Desautels
Envoyé : 20 juin 2008 11:27
À : Murda Mcloud
Cc : security-basics () securityfocus com
Objet : Re: RAID 5 drive replacement schedule

Murda,
     The real answer to your question is that it is very, very


improbable that all of the drives in the array will fail at the same


time.


Most drives are good for a certain period of years, after which
point


you


are getting "extra time".


     That is not a security issue though. That is an IT related



issue.


The


security issue comes into play when you dispose of your drives. Do
you


shred them, just throw them in the dumpster, how do you dispose of
them?


Regards,
     Adriel T. Desautels
     Chief Technology Officer
     Netragard, LLC.
     Office : 617-934-0269
     Mobile : 617-633-3821
     http://www.linkedin.com/pub/1/118/a45

     Join the Netragard, LLC. Linked In Group:




http://www.linkedin.com/e/gis/48683/0B98E1705142









---------------------------------------------------------------



Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Murda Mcloud wrote:



In my mind, this a security related question as it has to do
with



ensuring



availability.

Does anyone have links towards any whitepapers etc that suggest



replacement



of disks in a RAID 5 array as part of a maintenance cycle?

If all the drives in an array are the same age and one fails;
does




this






mean



the others are more likely to fail. I'd imagine so as they have
had




the






same



amount of usage.























-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]