Security Basics mailing list archives

RE: Was Re: RAID 5 drive replacement schedule - Now "Availability"
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Tue, 24 Jun 2008 10:51:01 +1000

"It does not mean that hardware reliability becomes a security issue."

This makes me think of a great story I heard at my GSEC course a few years
ago.

A king was worried that his minions were trying to kill him, so he went to
hide in a cave and gave his only trusted aide the ONLY key to the door (which
could not be opened from the inside) at the entrance to his cave.
His trusted aide was the only person to know about the cave and the key.
Well every few days, the aide would come and bring victuals to sustain the
monarch.
However, one day, the aide did not turn up as arranged and the king began to
wonder what was going on. Unfortunately, unbeknownst to the king, the aide
had had a heart attack due to drinking too much coffee. The king eventually
starved to death dreaming of coffee and donuts.
So does that mean that the king was trapped and slowly starved to death due
to the unreliability of the hardware?

Just thinking out loud.
Thanks to Mark Hofman for a great story to illustrate a point.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Mike Hale
Sent: Tuesday, June 24, 2008 1:27 AM
To: Nick Vaernhoej
Cc: security-basics () securityfocus com
Subject: Re: Was Re: RAID 5 drive replacement schedule - Now
"Availability"

"It does not mean that hardware reliability becomes a security issue."
You're absolutely right, and I think I simply didn't post that clearly
enough.  :)

"This means that regardless of our security implementations we have to
make the data available to users."
Well, yes and no.  That's where the CIA triad comes in.  A company
needs to decide which of the points to focus on.  It's a trade-off,
and you really can't do all three things perfectly.  Sometimes, the
confidentiality of your data is of paramount importance.  In that
case, you do want to pull the plug if necessary while accepting the
risk of making the data unavailable.

On 6/23/08, Nick Vaernhoej <nick.vaernhoej () capitalcardservices com> wrote:
Mike,

Based on my interpretation it seems to me like your interpretation will
make a customer attempting to access his online banking but fails
because the ISP has issues a security concern because his data isn't
available.

I think you say it best "It's about preventing unauthorized access and
change while maintaining its useability to authorized users."

This means that regardless of our security implementations we have to
make the data available to users.
The availability criteria tries to make sure we do not unplug the server
in our efforts to avoid an incident.
It does not mean that hardware reliability becomes a security issue.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-  -----Original Message-----
-  From: listbounce () securityfocus com
-  [mailto:listbounce () securityfocus com] On Behalf Of Mike Hale
-  Sent: Friday, June 20, 2008 4:10 PM
-  To: Mike Hale
-  Cc: Rivest, Philippe; Murda Mcloud; security-basics () securityfocus com
-  Subject: Re: Was Re: RAID 5 drive replacement schedule - Now
-  "Availability"
-
-  Availability is allowing your authorized users to access the data when
-  they need to.
-
-  "that in itself is not _always_ a security concern, but it can be."
-  I disagree with you.  Availability is a fundamental portion of it
-  because without availability, that data is useless.  If you don't have
-  access to it when you need it, I think your security system has
-  failed.
-
-  You're also correct that if a system crashes, data is no longer
-  available.  Sometimes, attacks on a network seek to do just that.
-
-  As far as the definition of security (especially in terms of data),
-  papers have been written trying to pin it down.  I think at its most
-  basic, however, is CIA.  Confidentiality, Integrity and Availability.
-
-  It's about preventing unauthorized access and change while maintaining
-  its useability to authorized users.




--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

