computer security programs



From: Adriel Desautels
Date: Fri, 20 Jun 2008 21:26:10 +0100

Philippe,
	Alright forgive me, I was being too binary. With that said, I think
that watching for drive errors is most probably the best way to go (that
was in an earlier post from someone else too). I'm sure that there are
software technologies that monitor for "Failing drive errors", but I'm
not sure what they are.

Regards,
	Adriel T. Desautels
	Chief Technology Officer
	Netragard, LLC.
	Office : 617-934-0269
	Mobile : 617-633-3821
	http://www.linkedin.com/pub/1/118/a45

	Join the Netragard, LLC. Linked In Group:
	http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Rivest, Philippe wrote:
> I do think we are saying just about the same thing. But I may not have been clear
> so let me restate.
>
> Raid 5 is an IT field & technology, and adds to the security by making 1
> failed drive NOT impact availability. That's all I meant. No decision or
> security implication should be done before or after that (unless there's an
> incident). No security team should be implicated in the drive replacement as
> this is normal IT operation.
>
> Raid 5 helps security in keeping the data accessible in the event of a failed
> drive.
>
> Side note:
> For me, CAI is always security related and justified. Make it high or low
> availability it is security and has to be justified.
>
>
> Merci / Thanks
> Philippe Rivest, CEH
> Internal Information Security Auditor
> Email: Privest@transforce.ca
> Phone: (514) 331-4417
> www.transforce.ca
>
>
> -----Original Message-----
> From: Adriel Desautels [mailto:adriel@netragard.com]
> Sent: June 20, 2008 14:00
> To: Rivest, Philippe
> Cc: Murda Mcloud; security-basics@securityfocus.com
> Subject: Re: RAID 5 drive replacement schedule
>
> Philippe,
> 	I disagree with you and I think that the definition of security that
> you provided is partial, but that's just my opinion. Availability is a
> vague term that can, but does not always have a role in security.
> Determining what the proper schedule is for a drive replacement policy
> is something that can be done by IT without the security team. Deciding
> how to dispose of the drives on the other hand is security.
>
>
> Regards,
> 	Adriel T. Desautels
> 	Chief Technology Officer
> 	Netragard, LLC.
> 	Office : 617-934-0269
> 	Mobile : 617-633-3821
> 	http://www.linkedin.com/pub/1/118/a45
>
> Rivest, Philippe wrote:
>> Adriel & Murda
>>
>> It is a security issue the way you store your data. In regards to the raid
>> technologies, raid 5 improves the availability of the data by making sure
>> that a single drive failed will not impact the availability of the data.
>>
>> Remember that security is
>> 1- Confidentiality
>> 2- Availability
>> 3- Integrity
>>
>> The main goal of a Raid 5 is to help #2. You are referring to the disposal of
>> the HD which is the issue of confidentiality and that is not what Murda was
>> aiming at. If it is, go for encryption, degaussing, destruction and just
>> plain format (if the data is not confidential).
>>
>> As I explained to him offline, the MTTF and MTBF is about the same for 2 HD
>> bought/constructed at about the same time. However, those are not absolute
>> numbers that state that, if one drive fails the other one is about to go too.
>> It's more an estimated value against which you should have some
>> confidence/hope, your drive should not fail before X hours (it could go
>> before but the average is X).
>>
>> In a raid 5, Drive A, B and C are online and working (they are the same drive
>> bought at the same time). Drive A fails, you should NOT change drive B & C
>> unless they are failing also. If you do, the cost of your raid 5 will be
>> greater than what it should be (the replacing of the parts are going to cost
>> a lot). Change drive A and hope drives B & C will last longer.
>>
>>
>> The only issue is that 2 drives fail at the same time, which is very
>> improbable. And if it does, you should be going for your backups.
>>
>>
>> I do hope this clarified the questions and that I wasn't too unclear with my
>> details!
>>
>> Merci / Thanks
>> Philippe Rivest, CEH
>> Internal Information Security Auditor
>> Email: Privest@transforce.ca
>> Phone: (514) 331-4417
>> www.transforce.ca
>>
>>
>> -----Original Message-----
>> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
>> behalf of Adriel Desautels
>> Sent: June 20, 2008 11:27
>> To: Murda Mcloud
>> Cc: security-basics@securityfocus.com
>> Subject: Re: RAID 5 drive replacement schedule
>>
>> Murda,
>> 	The real answer to your question is that it is very, very improbable
>> that all of the drives in the array will fail at the same time. Most
>> drives are good for a certain period of years, after which point you are
>> getting "extra time".
>>
>> 	That is not a security issue though. That is an IT related issue. The
>> security issue comes into play when you dispose of your drives. Do you
>> shred them, just throw them in the dumpster, how do you dispose of them?
>>
>> Regards,
>> 	Adriel T. Desautels
>> 	Chief Technology Officer
>> 	Netragard, LLC.
>> 	Office : 617-934-0269
>> 	Mobile : 617-633-3821
>> 	http://www.linkedin.com/pub/1/118/a45
>>
>> Murda Mcloud wrote:
>>> In my mind, this is a security related question as it has to do with ensuring
>>> availability.
>>>
>>> Does anyone have links towards any whitepapers etc that suggest replacement
>>> of disks in a RAID 5 array as part of a maintenance cycle?
>>>
>>> If all the drives in an array are the same age and one fails; does this mean
>>> the others are more likely to fail. I'd imagine so as they have had the same
>>> amount of usage.

From: Jorge L. Vazquez
Date: Fri, 20 Jun 2008 23:09:25 +0100
check out ipcop....been using it for a while and it's great, was
developed from smoothwall, here are a couple of tutorials that should
help you get started

http://www.pctechtips.org/ipcop1.htm
http://www.pctechtips.org/ipcop_snort_addons.htm

thanks
Jorge


Charles Hardin wrote:
> The main reasons I switched to endian from smoothwall was at the time
> I did not have the 2003 box so I didn't have a good client vpn solution
> and endian provided one. Also endian has more options and features
> that appealed to me. I will look into ipcop and untangle as I haven't
> studied those.
>
> On Fri, Jun 20, 2008 at 12:30 PM, Nick Vaernhoej
> <nick.vaernhoej@capitalcardservices.com> wrote:
From: Mike Hale
Date: Fri, 20 Jun 2008 22:10:24 +0100
Availability is allowing your authorized users to access the data when
they need to.

"that in itself is not _always_ a security concern, but it can be."
I disagree with you.  Availability is a fundamental portion of it
because without availability, that data is useless.  If you don't have
access to it when you need it, I think your security system has
failed.

You're also correct that if a system crashes, data is no longer
available.  Sometimes, attacks on a network seek to do just that.

As far as the definition of security (especially in terms of data),
papers have been written trying to pin it down.  I think at its most
basic, however, is CIA.  Confidentiality, Integrity and Availability.

It's about preventing unauthorized access and change while maintaining
its usability to authorized users.

On 6/20/08, Adriel Desautels <adriel@netragard.com> wrote:
> Mike,
>        Thanks for responding so quickly, this is an interesting argument.
>
> When you talked about availability, you did not say "data availability".
> Even with "data availability" being the subject, that in itself is not
> _always_ a security concern, but it can be.
>
> Can you provide me with your definition of Availability with respect to
> Security?
>
> > Availability is not vague, nor "can" it have a role in security.  It's
> > an integral part, along with Confidentiality and Integrity.  If it's
> > ignored, the system itself has already failed, and is simply waiting
> > for someone to come along and take advantage of it.
>
> If a system crashes it is not available, its data is not available, and it
> can not be taken advantage of. If the data can't be accessed then isn't it
> more secure than it was when it was available?
>
> Can you also provide me with your definition of security?
>
>
>
>
>
> Regards,
>        Adriel T. Desautels
>        Chief Technology Officer
>        Netragard, LLC.
>        Office : 617-934-0269
>        Mobile : 617-633-3821
>        http://www.linkedin.com/pub/1/118/a45
>
>
> Mike Hale wrote:
> > "That is not a security issue though. That is an IT related issue"
> > You're correct on that one, and I have no disagreement.
> >
> > Going back to CIA and the pyramid...
> >
> > "so on don't hold much water in my opinion."
> > So you're saying that data availability is marketing speak and not
> > something that needs to be built into a security system?
> > Seriously?
> >
> > "What does creating a drive replacement schedule have to do with security"
> > That's not what I was addressing.  I was addressing your statement
> > that "Availability is a vague term that can, but does not always have
> > a role in security."
> > Availability is not vague, nor "can" it have a role in security.  It's
> > an integral part, along with Confidentiality and Integrity.  If it's
> > ignored, the system itself has already failed, and is simply waiting
> > for someone to come along and take advantage of it.
> >
> > On 6/20/08, Adriel Desautels <adriel@netragard.com> wrote:
> >
> > > Mike,
> > >       First off, there are multiple "security pyramids", each of them
> > > different, most of them created for marketing, sales, etc. So CYA, TESSM,
> > > and so on don't hold much water in my opinion.
> > >
> > >       With that aside, I'm open to being educated but I still disagree that
> > > creating a drive replacement schedule requires any security expertise. As
> > > such I do not see the subject as being a security topic. There are certainly
> > > aspects of security that can be impacted by the act of changing the drives,
> > > I won't argue that. So...
> > >
> > > What does creating a drive replacement schedule have to do with security?
> > > Educate me.
> > >
> > >
> > > Regards,
> > >       Adriel T. Desautels
> > >       Chief Technology Officer
> > >       Netragard, LLC.
> > >       Office : 617-934-0269
> > >       Mobile : 617-633-3821
> > >       http://www.linkedin.com/pub/1/118/a45
> > >
> > >
> > > Mike Hale wrote:
> > >
> > > > Philippe is actually correct.
> > > >
> > > > CIA forms the security pyramid.
> > > >
> > > > Confidentiality.
> > > > Integrity.
> > > > Availability.
> > > >
> > > > That's the three components of data in a secure system.  Most
> > > > companies can only afford to focus on one of those aspects, but if you
> > > > ignore the others, you don't have a secure system.


--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
From: Adriel Desautels
Date: Fri, 20 Jun 2008 21:54:17 +0100
Mike,
	Thanks for responding so quickly, this is an interesting argument.

When you talked about availability, you did not say "data availability".
Even with "data availability" being the subject, that in itself is not
_always_ a security concern, but it can be.

Can you provide me with your definition of Availability with respect to
Security?

 > Availability is not vague, nor "can" it have a role in security.  It's
 > an integral part, along with Confidentiality and Integrity.  If it's
 > ignored, the system itself has already failed, and is simply waiting
 > for someone to come along and take advantage of it.

If a system crashes it is not available, its data is not available, and
it can not be taken advantage of. If the data can't be accessed then
isn't it more secure than it was when it was available?

Can you also provide me with your definition of security?

Regards,
	Adriel T. Desautels
	Chief Technology Officer
	Netragard, LLC.
	Office : 617-934-0269
	Mobile : 617-633-3821
	http://www.linkedin.com/pub/1/118/a45



Mike Hale wrote:
> "That is not a security issue though. That is an IT related issue"
> You're correct on that one, and I have no disagreement.
>
> Going back to CIA and the pyramid...
>
> "so on don't hold much water in my opinion."
> So you're saying that data availability is marketing speak and not
> something that needs to be built into a security system?
> Seriously?
>
> "What does creating a drive replacement schedule have to do with security"
> That's not what I was addressing.  I was addressing your statement
> that "Availability is a vague term that can, but does not always have
> a role in security."
> Availability is not vague, nor "can" it have a role in security.  It's
> an integral part, along with Confidentiality and Integrity.  If it's
> ignored, the system itself has already failed, and is simply waiting
> for someone to come along and take advantage of it.
>
> On 6/20/08, Adriel Desautels <adriel@netragard.com> wrote:
>> Mike,
>>        First off, there are multiple "security pyramids", each of them
>> different, most of them created for marketing, sales, etc. So CYA, TESSM,
>> and so on don't hold much water in my opinion.
>>
>>        With that aside, I'm open to being educated but I still disagree that
>> creating a drive replacement schedule requires any security expertise. As
>> such I do not see the subject as being a security topic. There are certainly
>> aspects of security that can be impacted by the act of changing the drives,
>> I won't argue that. So...
>>
>> What does creating a drive replacement schedule have to do with security?
>> Educate me.
>>
>>
>> Regards,
>>        Adriel T. Desautels
>>        Chief Technology Officer
>>        Netragard, LLC.
>>        Office : 617-934-0269
>>        Mobile : 617-633-3821
>>        http://www.linkedin.com/pub/1/118/a45
>>
>>
>> Mike Hale wrote:
>>> Philippe is actually correct.
>>>
>>> CIA forms the security pyramid.
>>>
>>> Confidentiality.
>>> Integrity.
>>> Availability.
>>>
>>> That's the three components of data in a secure system.  Most
>>> companies can only afford to focus on one of those aspects, but if you
>>> ignore the others, you don't have a secure system.