Security Basics mailing list archives
RE: Was Re: RAID 5 drive replacement schedule - Now "Availability"
From: "Steve Fox" <stevef () AeroGrow com>
Date: Wed, 25 Jun 2008 17:14:30 -0600
Thank You Mike! I agree that the CIA model is about as indisputable and lowest common denominator as it comes. Nothing worse than two engineers arguing a logic loop ;) LOL -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mike Hale Sent: Friday, June 20, 2008 3:10 PM To: Mike Hale Cc: Rivest, Philippe; Murda Mcloud; security-basics () securityfocus com Subject: Re: Was Re: RAID 5 drive replacement schedule - Now "Availability" Availability is allowing your authorized users to access the data when they need to. "that in its self is not _always_ a security concern, but it can be." I disagree with you. Availability is a fundamental portion of it because without availability, that data is useless. If you don't have access to it when you need it, I think your security system has failed. You're also correct that if a system crashes, data is no longer available. Sometimes, attacks on a network seek to do just that. As far as the definition of security (especially in terms of data), papers have been written trying to pin it down. I think at it's most basic, however, is CIA. Confidentiality, Integrity and Availability. It's about preventing unauthorized access and change while maintaining it's useability to authorized users. On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:
Mike, Thanks for responding so quickly, this is an interesting argument. When you talked about availability, you did not say "data availability". Even with "data availability" being the subject, that in its self is not _always_ a security concern, but it can be. Can you provide me with your definition of Availability with respect to Security?Availability is not vague, nor "can" it have a role in security. It's in integral part, along with Confidentiality and Integrity. If it's ignored, the system itself has already failed, and is simply waiting for someone to come along and take advantage of it.If a system crashes it is not available, its data is not available, and it can not be taken advantage of. If the data can't be accessed then isn't it more secure than it was when it was available? Can you also provide me with your definition of security? Regards, Adriel T. Desautels Chief Technology Officer Netragard, LLC. Office : 617-934-0269 Mobile : 617-633-3821 http://www.linkedin.com/pub/1/118/a45 Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142 --------------------------------------------------------------- Netragard, LLC - http://www.netragard.com - "We make IT Safe" Penetration Testing, Vulnerability Assessments, Website Security Netragard Whitepaper Downloads: ------------------------------- Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you must know : http://tinyurl.com/26pjsn Mike Hale wrote:"That is not a security issue though. That is an IT related issue" You're correct on that one, and I have no disagreement. Going back to CIA and the pyramid... "so on don't hold much water in my opinion." So you're saying that data availability is marketing speak and not something that needs to be built into a security system? Seriously? "What does creating a drive replacement schedule have to do with security" That's not what i was addressing. I was addressing your statement that "Availability is a vague term that can, but does not always have a role in security." Availability is not vague, nor "can" it have a role in security. It's in integral part, along with Confidentiality and Integrity. If it's ignored, the system itself has already failed, and is simply waiting for someone to come along and take advantage of it. On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:Mike, First off, there are multiple "security pyramids", each of them different, most of them created for marketing, sales, etc. So CYA,TESSM,and so on don't hold much water in my opinion. With that aside, I'm open to being educated but I still disagreethatcreating a drive replacement schedule requires any security expertise.Assuch I do not see the subject as being a security topic. There arecertainlyaspects of security that can be impacted by the act of changing thedrives,I won't argue that. So... What does creating a drive replacement schedule have to do withsecurity?Educate me. Regards, Adriel T. Desautels Chief Technology Officer Netragard, LLC. Office : 617-934-0269 Mobile : 617-633-3821 http://www.linkedin.com/pub/1/118/a45 Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142---------------------------------------------------------------Netragard, LLC - http://www.netragard.com - "We make IT Safe" Penetration Testing, Vulnerability Assessments, Website Security Netragard Whitepaper Downloads: ------------------------------- Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you must know : http://tinyurl.com/26pjsn Mike Hale wrote:Philippe is actually correct. CIA forms the security pyramid. Confidentiality. Integrity. Availability. That's the three components of data in a secure system. Most companies can only afford to focus on one of those aspects, but if you ignore the others, you don't have a secure system. On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:Philippe, I disagree with you and I think that the definition of securitythatyou provided is partial, but thats just my opinion. Availability isavagueterm that can, but does not always have a role in security.Determiningwhatthe proper schedule is for a drive replacement policy is somethingthatcanbe done by IT without the security team. Deciding how to dispose ofthedrives on the other hand is security. Regards, Adriel T. Desautels Chief Technology Officer Netragard, LLC. Office : 617-934-0269 Mobile : 617-633-3821 http://www.linkedin.com/pub/1/118/a45 Join the Netragard, LLC. Linked In Group:http://www.linkedin.com/e/gis/48683/0B98E1705142---------------------------------------------------------------Netragard, LLC - http://www.netragard.com - "We make IT Safe" Penetration Testing, Vulnerability Assessments, Website Security Netragard Whitepaper Downloads: ------------------------------- Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you must know : http://tinyurl.com/26pjsn Rivest, Philippe wrote:Adriel & Murda It is a security issue the way you store your data. In regards totheraidtechnologies, raid 5 improves the availability of the data bymakingsurethat a single drive failed will not impact the availability of thedata.Remember that security is 1- Confidentiality 2- Availability 3- Integrity The main goal of a Raid 5 is to help #2. You are referring to thedisposalofthe HD which is the issue of confidentiality and that is not whatMurdawasaiming at. If it is, go for encryption, degaussing, destructionandjustplain format (if the data is not confidential). As I explained to him offline, the MTTF and MTBF is about the samefor2HDbought/constructed at about the same time. How ever, those are notabsolutenumbers that state that, if one drive fails the other one is abouttogotoo.It's more an estimated value against which you should have some confidence/hope, your drive should not fail before X hours (itcouldgobefore but the average is X). In a raid 5, Drive A, B and C are online and working (they are thesamedrivebought at the same time). Drive A fails, you should NOT changedrive B& Cunless they are failing also. If you do, the cost of your raid 5willbegreater then what it should be (the replacing of the parts aregoingtocosta lot). Change drive A and hope drives B & C will last longer. The only issue is that 2 drives fail at the same time, which isveryimprobable. And if it does, you should be going for your back ups. I do hope this clarified the questions and that I wasn't tounclearwithmydetails! Merci / Thanks Philippe Rivest, CEH Vérificateur interne en sécurité de l'information Courriel: Privest () transforce ca Téléphone: (514) 331-4417 www.transforce.ca -----Message d'origine----- De : listbounce () securityfocus com[mailto:listbounce () securityfocus com] Delapart de Adriel Desautels Envoyé : 20 juin 2008 11:27 À : Murda Mcloud Cc : security-basics () securityfocus com Objet : Re: RAID 5 drive replacement schedule Murda, The real answer to your question is that it is very, veryimprobable that all of the drives in the array will fail at the sametime.Most drives are good for a certain period of years, after whichpointyouare getting "extra time".That is not a security issue though. That is an IT relatedissue.Thesecurity issue comes into play when you dispose of your drives. Doyoushred them, just throw them in the dumpster, how do you dispose ofthem?Regards, Adriel T. Desautels Chief Technology Officer Netragard, LLC. Office : 617-934-0269 Mobile : 617-633-3821 http://www.linkedin.com/pub/1/118/a45 Join the Netragard, LLC. Linked In Group:http://www.linkedin.com/e/gis/48683/0B98E1705142---------------------------------------------------------------Netragard, LLC - http://www.netragard.com - "We make IT Safe" Penetration Testing, Vulnerability Assessments, Website Security Netragard Whitepaper Downloads: ------------------------------- Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you must know : http://tinyurl.com/26pjsn Murda Mcloud wrote:In my mind, this a security related question as it has to dowithensuringavailability. Does anyone have links towards any whitepapers etc that suggestreplacementof disks in a RAID 5 array as part of a maintenance cycle? If all the drives in an array are the same age and one fails;doesthismeanthe others are more likely to fail. I'd imagine so as they havehadthesameamount of usage.
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Current thread:
- Was Re: RAID 5 drive replacement schedule - Now "Availability", (continued)
- Was Re: RAID 5 drive replacement schedule - Now "Availability" Adriel Desautels (Jun 20)
- Re: Was Re: RAID 5 drive replacement schedule - Now "Availability" Mike Hale (Jun 20)
- RE: Was Re: RAID 5 drive replacement schedule - Now "Availability" Nick Vaernhoej (Jun 23)
- Re: Was Re: RAID 5 drive replacement schedule - Now "Availability" Mike Hale (Jun 23)
- RE: Was Re: RAID 5 drive replacement schedule - Now "Availability" Murda Mcloud (Jun 24)
- Re: Was Re: RAID 5 drive replacement schedule - Now "Availability" Adriel Desautels (Jun 23)
- Re: Was Re: RAID 5 drive replacement schedule - Now "Availability" Mike Hale (Jun 23)
- Re: Was Re: RAID 5 drive replacement schedule - Now "Availability" Adriel Desautels (Jun 23)
- Message not available
- Re: Was Re: RAID 5 drive replacement schedule - Now "Availability" Adriel Desautels (Jun 23)
- RE: Was Re: RAID 5 drive replacement schedule - Now "Availability" Nick Vaernhoej (Jun 23)
- RE: Was Re: RAID 5 drive replacement schedule - Now "Availability" Steve Fox (Jun 26)
- RE: RAID 5 drive replacement schedule Petter Bruland (Jun 20)
- RE: RAID 5 drive replacement schedule Murda Mcloud (Jun 23)
- RE: RAID 5 drive replacement schedule Burton Strauss (Jun 24)
- RE: RAID 5 drive replacement schedule Rivest, Philippe (Jun 20)
- Re: RAID 5 drive replacement schedule Adriel Desautels (Jun 20)
- RE: RAID 5 drive replacement schedule Murda Mcloud (Jun 23)
- Re: RAID 5 drive replacement schedule Adriel Desautels (Jun 24)
- Re: RAID 5 drive replacement schedule Mellow Marquis (Jun 25)
- RE: RAID 5 drive replacement schedule Rivest, Philippe (Jun 25)
- RE: RAID 5 drive replacement schedule Nick Vaernhoej (Jun 20)