Re: Was Re: RAID 5 drive replacement schedule - Now "Availability"

["Mike Hale" <eyeronic.design () gmail com>]

"Your definition of Availability is not correct."
Correct.  I used a fairly specific definition in a security context,
not one I grabbed from Dictionary.com.  Sorry.

"The term Availability has nothing to do with authorization."
Fine.

"Security can, but does not always have something to do with
Availability and Visa Versa"
When you're talking about information security, yes it does.

"That entirely depends on the entity."
Wrong if you're talking about InfoSec.

"Availability is a vague term that is not always a component of security"
It's an integral component of an effective InfoSec policy.  It's up to
the user to define it, specifically, for the network he or she is
securing.

"As such your CIA acronym..."
It's not 'my' acronym.  It's one the core components of the SANS
Security 401, as well as many other basic security classes out there.

So are you saying that, say, an email server outage is not a
'critical' situation for a large company?  Is a DDOS attack on a
company that brings down it's network not a critical issue?  Is the
Janitor accidentally kicking out the plug for the core switches not
critical?

All that falls under the availability heading, and can not be ignored
nor marginalized.

"Anyway, I think that we've beaten this subject to death."
Not at all.  I, for one, would love to see how you justify ignoring
the availability of data and resources in a company's network.

On 6/21/08, Adriel Desautels <adriel () netragard com> wrote:
> Mike,
>        First, Thank you very much. Your definition of Availability is not
> correct. The word Availability is an adjective that means "suitable or ready
> for use; of use or service; at hand". When one speaks of the Availability of
> data, systems, etc, they are talking about the use of a service or the
> readiness of the service for use. The term Availability has nothing to do
> with authorization.
>
>        Likewise, your definition of Security is not correct. The actual
> definition of security is "freedom from danger, risk, etc.; safety."
> Security can, but does not always have something to do with Availability and
> Visa Versa. That entirely depends on the entity.
>
>        The reason why I am spending so much of my time discussing this is
> because our industry has a serious problem with defining terms and using
> terms properly. Availability is a vague term that is not always a component
> of security, but it can be. It all depends on what "being secure" means to a
> particular entity. The same risks to different entities do not always carry
> the same weight. As such your CIA acronym does not always hold true.
> Security is not the product of CIA, it can't be defines by such basic terms.
> Security is an ongoing process made up of many sub-processes.
>
>        Large financial corporations consider the loss of availability of
> transaction systems to be critical as it creates significant harm to their
> business. In this case I agree that Availability is a security concern.
> Security is freedom from danger, harm can be the result of exposure to
> danger.
>
>        Likewise, the same Large financial corporations consider the outage
> of their FTPS servers to be non-critical because there may be no harm caused
> to their businesses as the result of an outage. No harm, no foul, no
> security concern. (Remember, we're not talking about a compromise, just an
> outage that results in the lack of Availability.)
>
>        With all that said the creation of a drive replacement schedule is
> not a security concern. Creating that schedule does not introduce risk. The
> execution of that schedule, the replacement of those drives, and the
> disposal of those drives can introduce risk. Those risks are security
> concerns for "some" entities.
>
>        Anyway, I think that we've beaten this subject to death.
>
>
> Regards,
>        Adriel T. Desautels
>        Chief Technology Officer
>        Netragard, LLC.
>        Office : 617-934-0269
>        Mobile : 617-633-3821
>        http://www.linkedin.com/pub/1/118/a45
>
>        Join the Netragard, LLC. Linked In Group:
>        http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know  : http://tinyurl.com/26pjsn
>
>
> Mike Hale wrote:
> > Availability is allowing your authorized users to access the data when
> > they need to.
> >
> > "that in its self is not _always_ a security concern, but it can be."
> > I disagree with you.  Availability is a fundamental portion of it
> > because without availability, that data is useless.  If you don't have
> > access to it when you need it, I think your security system has
> > failed.
> >
> > You're also correct that if a system crashes, data is no longer
> > available.  Sometimes, attacks on a network seek to do just that.
> >
> > As far as the definition of security (especially in terms of data),
> > papers have been written trying to pin it down.  I think at it's most
> > basic, however, is CIA.  Confidentiality, Integrity and Availability.
> >
> > It's about preventing unauthorized access and change while maintaining
> > it's useability to authorized users.
> >
> > On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:
> >
> > > Mike,
> > >       Thanks for responding so quickly, this is an interesting argument.
> > >
> > > When you talked about availability, you did not say "data availability".
> > > Even with "data availability" being the subject, that in its self is not
> > > _always_ a security concern, but it can be.
> > >
> > > Can you provide me with your definition of Availability with respect to
> > > Security?
> > >
> > >
> > > > Availability is not vague, nor "can" it have a role in security.  It's
> > > > in integral part, along with Confidentiality and Integrity.  If it's
> > > > ignored, the system itself has already failed, and is simply waiting
> > > > for someone to come along and take advantage of it.
> > > If a system crashes it is not available, its data is not available, and
> it
> > > can not be taken advantage of. If the data can't be accessed then isn't
> it
> > > more secure than it was when it was available?
> > >
> > > Can you also provide me with your definition of security?
> > >
> > >
> > >
> > >
> > >
> > > Regards,
> > >       Adriel T. Desautels
> > >       Chief Technology Officer
> > >       Netragard, LLC.
> > >       Office : 617-934-0269
> > >       Mobile : 617-633-3821
> > >       http://www.linkedin.com/pub/1/118/a45
> > >
> > >       Join the Netragard, LLC. Linked In Group:
> > >       http://www.linkedin.com/e/gis/48683/0B98E1705142
> ---------------------------------------------------------------
> > > Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> > > Penetration Testing, Vulnerability Assessments, Website Security
> > >
> > > Netragard Whitepaper Downloads:
> > > -------------------------------
> > > Choosing the right provider : http://tinyurl.com/2ahk3j
> > > Three Things you must know  : http://tinyurl.com/26pjsn
> > >
> > >
> > > Mike Hale wrote:
> > >
> > > > "That is not a security issue though. That is an IT related issue"
> > > > You're correct on that one, and I have no disagreement.
> > > >
> > > > Going back to CIA and the pyramid...
> > > >
> > > > "so on don't hold much water in my opinion."
> > > > So you're saying that data availability is marketing speak and not
> > > > something that needs to be built into a security system?
> > > > Seriously?
> > > >
> > > > "What does creating a drive replacement schedule have to do with
> security"
> > > > That's not what i was addressing.  I was addressing your statement
> > > > that "Availability is a vague term that can, but does not always have
> > > > a role in security."
> > > > Availability is not vague, nor "can" it have a role in security.  It's
> > > > in integral part, along with Confidentiality and Integrity.  If it's
> > > > ignored, the system itself has already failed, and is simply waiting
> > > > for someone to come along and take advantage of it.
> > > >
> > > > On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:
> > > >
> > > >
> > > > > Mike,
> > > > >      First off, there are multiple "security pyramids", each of them
> > > > > different, most of them created for marketing, sales, etc. So CYA,
> > > TESSM,
> > >
> > > > > and so on don't hold much water in my opinion.
> > > > >
> > > > >      With that aside, I'm open to being educated but I still
> disagree
> > > > >
> > > that
> > >
> > > > > creating a drive replacement schedule requires any security
> expertise.
> > > > >
> > > As
> > >
> > > > > such I do not see the subject as being a security topic. There are
> > > certainly
> > >
> > > > > aspects of security that can be impacted by the act of changing the
> > > drives,
> > >
> > > > > I won't argue that. So...
> > > > >
> > > > > What does creating a drive replacement schedule have to do with
> > > security?
> > >
> > > > > Educate me.
> > > > >
> > > > >
> > > > > Regards,
> > > > >      Adriel T. Desautels
> > > > >      Chief Technology Officer
> > > > >      Netragard, LLC.
> > > > >      Office : 617-934-0269
> > > > >      Mobile : 617-633-3821
> > > > >      http://www.linkedin.com/pub/1/118/a45
> > > > >
> > > > >      Join the Netragard, LLC. Linked In Group:
> http://www.linkedin.com/e/gis/48683/0B98E1705142
> > > > >
> ---------------------------------------------------------------
> > > > > Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> > > > > Penetration Testing, Vulnerability Assessments, Website Security
> > > > >
> > > > > Netragard Whitepaper Downloads:
> > > > > -------------------------------
> > > > > Choosing the right provider : http://tinyurl.com/2ahk3j
> > > > > Three Things you must know  : http://tinyurl.com/26pjsn
> > > > >
> > > > >
> > > > > Mike Hale wrote:
> > > > >
> > > > >
> > > > > > Philippe is actually correct.
> > > > > >
> > > > > > CIA forms the security pyramid.
> > > > > >
> > > > > > Confidentiality.
> > > > > > Integrity.
> > > > > > Availability.
> > > > > >
> > > > > > That's the three components of data in a secure system.  Most
> > > > > > companies can only afford to focus on one of those aspects, but if
> you
> > > > > > ignore the others, you don't have a secure system.
> > > > > >
> > > > > > On 6/20/08, Adriel Desautels <adriel () netragard com> wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > > Philippe,
> > > > > > >     I disagree with you and I think that the definition of
> security
> > > > > > >
> > > > > that
> > > > >
> > > > >
> > > > > > > you provided is partial, but thats just my opinion. Availability
> is
> > > > > > >
> > > a
> > >
> > > > > vague
> > > > >
> > > > >
> > > > > > > term that can, but does not always have a role in security.
> > > Determining
> > >
> > > > > what
> > > > >
> > > > >
> > > > > > > the proper schedule is for a drive replacement policy is
> something
> > > > > > >
> > > that
> > >
> > > > > can
> > > > >
> > > > >
> > > > > > > be done by IT without the security team. Deciding how to dispose
> of
> > > > > > >
> > > the
> > >
> > > > > > > drives on the other hand is security.
> > > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > >     Adriel T. Desautels
> > > > > > >     Chief Technology Officer
> > > > > > >     Netragard, LLC.
> > > > > > >     Office : 617-934-0269
> > > > > > >     Mobile : 617-633-3821
> > > > > > >      http://www.linkedin.com/pub/1/118/a45
> > > > > > >
> > > > > > >     Join the Netragard, LLC. Linked In Group:
> > > http://www.linkedin.com/e/gis/48683/0B98E1705142
> > >
> > > > > > >
> ---------------------------------------------------------------
> > > > > > > Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> > > > > > > Penetration Testing, Vulnerability Assessments, Website Security
> > > > > > >
> > > > > > > Netragard Whitepaper Downloads:
> > > > > > > -------------------------------
> > > > > > > Choosing the right provider : http://tinyurl.com/2ahk3j
> > > > > > > Three Things you must know  : http://tinyurl.com/26pjsn
> > > > > > >
> > > > > > >
> > > > > > > Rivest, Philippe wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > Adriel & Murda
> > > > > > > >
> > > > > > > > It is a security issue the way you store your data. In regards
> to
> > > > > > > >
> > > the
> > >
> > > > > raid
> > > > >
> > > > >
> > > > > > > > technologies, raid 5 improves the availability of the data by
> > > making
> > >
> > > > > sure
> > > > >
> > > > >
> > > > > > > > that a single drive failed will not impact the availability of
> the
> > > > > > > >
> > > > > data.
> > > > >
> > > > >
> > > > > > > > Remember that security is 1- Confidentiality
> > > > > > > > 2- Availability
> > > > > > > > 3- Integrity
> > > > > > > >
> > > > > > > > The main goal of a Raid 5 is to help #2. You are referring to
> the
> > > > > > > >
> > > > > disposal
> > > > >
> > > > >
> > > > > > > of
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > the HD which is the issue of confidentiality and that is not
> what
> > > > > > > >
> > > > > Murda
> > > > >
> > > > >
> > > > > > > was
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > aiming at. If it is, go for encryption, degaussing,
> destruction
> > > > > > > >
> > > and
> > >
> > > > > just
> > > > >
> > > > >
> > > > > > > > plain format (if the data is not confidential).
> > > > > > > >
> > > > > > > > As I explained to him offline, the MTTF and MTBF is about the
> same
> > > > > > > >
> > > for
> > >
> > > > > 2
> > > > >
> > > > >
> > > > > > > HD
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > bought/constructed at about the same time. How ever, those are
> not
> > > > > > > >
> > > > > > > absolute
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > numbers that state that, if one drive fails the other one is
> about
> > > > > > > >
> > > to
> > >
> > > > > go
> > > > >
> > > > >
> > > > > > > too.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > It's more an estimated value against which you should have
> some
> > > > > > > > confidence/hope, your drive should not fail before X hours (it
> > > could
> > >
> > > > > go
> > > > >
> > > > >
> > > > > > > > before but the average is X).
> > > > > > > >
> > > > > > > > In a raid 5, Drive A, B and C are online and working (they are
> the
> > > > > > > >
> > > > > same
> > > > >
> > > > >
> > > > > > > drive
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > bought at the same time). Drive A fails, you should NOT change
> > > drive B
> > >
> > > > > & C
> > > > >
> > > > >
> > > > > > > > unless they are failing also. If you do, the cost of your raid
> 5
> > > > > > > >
> > > will
> > >
> > > > > be
> > > > >
> > > > >
> > > > > > > > greater then what it should be (the replacing of the parts are
> > > going
> > >
> > > > > to
> > > > >
> > > > >
> > > > > > > cost
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > a lot). Change drive A and hope drives B & C will last longer.
> > > > > > > >
> > > > > > > >
> > > > > > > > The only issue is that 2 drives fail at the same time, which
> is
> > > > > > > >
> > > very
> > >
> > > > > > > > improbable. And if it does, you should be going for your back
> ups.
> > > > > > > > I do hope this clarified the questions and that I wasn't to
> > > unclear
> > >
> > > > > with
> > > > >
> > > > >
> > > > > > > my
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > details!
> > > > > > > >
> > > > > > > > Merci / Thanks
> > > > > > > > Philippe Rivest, CEH
> > > > > > > > Vérificateur interne en sécurité de l'information
> > > > > > > > Courriel: Privest () transforce ca
> > > > > > > > Téléphone: (514) 331-4417
> > > > > > > > www.transforce.ca
> > > > > > > >
> > > > > > > >
> > > > > > > > -----Message d'origine-----
> > > > > > > > De : listbounce () securityfocus com
> > > > > [mailto:listbounce () securityfocus com] De
> > > > >
> > > > >
> > > > > > > la
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > part de Adriel Desautels
> > > > > > > > Envoyé : 20 juin 2008 11:27
> > > > > > > > À : Murda Mcloud
> > > > > > > > Cc : security-basics () securityfocus com
> > > > > > > > Objet : Re: RAID 5 drive replacement schedule
> > > > > > > >
> > > > > > > > Murda,
> > > > > > > >     The real answer to your question is that it is very, very
> > > > > > > improbable that all of the drives in the array will fail at the
> same
> > > > > > >
> > > > > time.
> > > > >
> > > > >
> > > > > > > Most drives are good for a certain period of years, after which
> > > point
> > >
> > > > > you
> > > > >
> > > > >
> > > > > > > are getting "extra time".
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > >     That is not a security issue though. That is an IT related
> > > > > issue.
> > > > >
> > > > >
> > > > > > > The
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > security issue comes into play when you dispose of your
> drives. Do
> > > > > > > >
> > > you
> > >
> > > > > > > >
> > > > > > > shred them, just throw them in the dumpster, how do you dispose
> of
> > > > > > >
> > > them?
> > >
> > > > > > > > Regards,
> > > > > > > >     Adriel T. Desautels
> > > > > > > >     Chief Technology Officer
> > > > > > > >     Netragard, LLC.
> > > > > > > >     Office : 617-934-0269
> > > > > > > >     Mobile : 617-633-3821
> > > > > > > >     http://www.linkedin.com/pub/1/118/a45
> > > > > > > >
> > > > > > > >     Join the Netragard, LLC. Linked In Group:
> > > > > http://www.linkedin.com/e/gis/48683/0B98E1705142
> > > > >
> > > > >
> > > > > > > >
> ---------------------------------------------------------------
> > > > > > > > Netragard, LLC - http://www.netragard.com  -  "We make IT
> Safe"
> > > > > > > > Penetration Testing, Vulnerability Assessments, Website
> Security
> > > > > > > > Netragard Whitepaper Downloads:
> > > > > > > > -------------------------------
> > > > > > > > Choosing the right provider : http://tinyurl.com/2ahk3j
> > > > > > > > Three Things you must know  : http://tinyurl.com/26pjsn
> > > > > > > >
> > > > > > > >
> > > > > > > > Murda Mcloud wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > In my mind, this a security related question as it has to do
> > > with
> > >
> > > > > > > > >
> > > > > > > ensuring
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > > availability.
> > > > > > > > >
> > > > > > > > > Does anyone have links towards any whitepapers etc that
> suggest
> > > > > > > > >
> > > > > > > replacement
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > > of disks in a RAID 5 array as part of a maintenance cycle?
> > > > > > > > >
> > > > > > > > > If all the drives in an array are the same age and one
> fails;
> > > > > > > > >
> > > does
> > >
> > > > > this
> > > > >
> > > > >
> > > > > > > > >
> > > > > > > > mean
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > the others are more likely to fail. I'd imagine so as they
> have
> > > > > > > > >
> > > had
> > >
> > > > > the
> > > > >
> > > > >
> > > > > > > > >
> > > > > > > > same
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > amount of usage.


-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0