Home page logo

basics logo Security Basics mailing list archives

Re: Was Re: RAID 5 drive replacement schedule - Now "Availability"
From: Adriel Desautels <adriel () netragard com>
Date: Mon, 23 Jun 2008 12:35:37 -0400

I do agree that coffee is a critical aspect of security and without it all other aspects of security fail. Therefore, the coffee machine is clearly the most business critical system with respect to its availability. An outage there could be catastrophic.

On a more serious note, I'd never ignore the availability aspect of security. I'd be ignorant if I did that.

        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821

        Join the Netragard, LLC. Linked In Group:

Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn

Mike Hale wrote:
"Is the horse dead yet?"
Apparently not.  :)  It has some twitches left.

You're correct on your writings about how companies deal with the
availability issues, and that, for some systems, it's not an issue if
they go down.  But that is part of the risk acceptance process.
Whether the system is up and running or not remains an issue of
availability, which a comprehensive InfoSec plan should deal with.

"In those non-harmful cases the issue falls under the responsibility
of IT/Networking/Whatever you want to call it."
You're absolutely right.  Even when it does brings harm it can fall
under the IT/Network side of things.  But the security plan in place
should address the availability of that resource, and either seek to
protect it or accept the risk of it going down.  That's all part of
the process.

Certainly, your definitions where accurate, but we're discussing (or I
am, anyway) security from an IT standpoint.  Otherwise, we need to
start adding in things like coffee makers (the availability of which
carries the highest priority in my security policy :) ).

To wrap things up, Availability is a part of the InfoSec process.
You're absolutely correct in that, for some systems, availability is
of limited concern.  However, decisions like that are also part of the
risk management process, which is a subset of a comprehensive security
plan.  What I'm not saying, or which I did not mean to say, is that
the criticality of an unavailable system is always the same.  What I
also did not mean to argue is that the original posting necessarily
fell under the security side of things.  It just looked like you were
ignoring the availability aspect of security, which is why I thought
it'd be good to have this discussion.  :)

- Mike

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]