
IT@Intel Blog

August 25, 2008

The loud crash from upstairs brought me out of my restful state with a surge of adrenalin. As this wonder-drug coursed through my veins I immediately became aware of everything: the tick-tock of the clock, the dog breathing in the corner and floorboard creaks from upstairs. I kept telling myself that the storm outside must have caused something to shift -- something simple and not so scary. Starting up the stairs, eyes darting, the beat of my heart drowned out my adrenalin edge. Near the top of the landing there was a flash of lightning, a large boom, and the lights went out as I saw a figure lunge at me, knocking me down to the landing below.

Nightmares can manifest themselves in many forms. I'll leave the ending up to you; however, I am currently living a nightmare with regard to my personal data at home.

About ten months ago I took the plunge into the terabyte (TB) arena and bought an external drive. This enabled me to pull information from many sources in order to supply a consolidated view of different media (movies, pictures and music) to the family. As I went through this evolution I started removing data from internal drives and making neat, organized structures on the external drive. It was fast and friendly and, up until a few weeks ago, it was also reliable.

That's when the nightmare began.

One day I turned on my home system and noticed that the external drive would no longer connect (it actually connected and disconnected about five times a minute). This was the one time I had turned off the computer and forgotten to turn off the external drive, so I figured it had just gotten hot and was in some self-protection mode from a thermal overload. No such luck.

The enclosure (the device containing the hard drives) had failed.

I contained my anxiety because it was obvious (through some hardware diagnostics) that it was the enclosure and not the drives. So I figured I would simply mount the drives and extract the data that was not backed up on DVD (about 8 months of video and photos).

Again, no luck. The problem was caused by the type of enclosure I had purchased.

There are multiple types of drive configurations on the market, and if you are not aware of which type your enclosure uses, you could find yourself in the same boat I'm in. The specific one I had was configured (from the factory) as RAID-0. For the unaware, RAID (redundant array of inexpensive disks, http://en.wikipedia.org/wiki/Redundant_array_of_independent_disks) has different settings (or levels), which are chosen based on the level of protection and speed you want for your data.

The vendor had configured this as RAID-0 to maximize the space available and maximize speed. The benefits of RAID-0 come at a price. This array configuration (with two drives) basically splits the data in half and writes each half, simultaneously, to each drive. Each drive does half the writing and half the reading, which makes it very fast. The basic problem is that only half the data exists on each drive, meaning neither drive is of any use without the other. And when a logical disk is corrupted or you want to switch to a new enclosure, you are stopped by the fact that most hardware RAID controllers use proprietary disk layouts.

I know they are proprietary because I've tried reading these drives with three different RAID-0 arrays (which is also how I know the drives work fine, through diagnostics).

My next step is to try to perform a soft-RAID setup internally on my computer.

This involves creating an image of each drive and using software to try to detect the different parameters of the RAID setup, in order to emulate the hardware configuration. If this works I should be able to pull my data off the drives.
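The two-drive striping described above, and the parameter search this recovery step depends on, as an added example (not code from the original post). It is a toy model: the candidate stripe sizes, the disk order and the sample bytes are constructed assumptions, not values from any real enclosure.

```python
"""Toy RAID-0 model: how two-disk striping splits data, and how a software
recovery step can search for the stripe size and disk order that a failed
hardware controller used. Constructed example; stripe sizes and sample
data are assumptions, not taken from a real enclosure."""
from itertools import permutations


def stripe(data: bytes, ndisks: int, chunk: int) -> list:
    """RAID-0 write: hand out consecutive chunk-sized stripes round-robin,
    so each disk ends up holding only its share of every large file."""
    disks = [bytearray() for _ in range(ndisks)]
    for n, off in enumerate(range(0, len(data), chunk)):
        disks[n % ndisks] += data[off:off + chunk]
    return [bytes(d) for d in disks]


def destripe(images: list, chunk: int) -> bytes:
    """Re-interleave raw disk images. Correct only if `images` is in the
    controller's disk order and `chunk` is its stripe size."""
    out, off = bytearray(), 0
    while any(off < len(img) for img in images):
        for img in images:
            out += img[off:off + chunk]
        off += chunk
    return bytes(out)


def find_layout(images: list, candidate_chunks: list, known_bytes: bytes):
    """Try every disk order and stripe size; accept the pair whose rebuild
    starts with bytes the owner can predict (a file signature, or a file
    that also exists on a DVD backup). known_bytes must span more than the
    largest candidate stripe, otherwise a wrong size still matches."""
    for chunk in candidate_chunks:
        for order in permutations(range(len(images))):
            rebuilt = destripe([images[i] for i in order], chunk)
            if rebuilt.startswith(known_bytes):
                return order, chunk
    return None


# Constructed sample: 2 KiB in which each byte equals its offset mod 256.
DATA = bytes(range(256)) * 8
IMAGES = stripe(DATA, ndisks=2, chunk=128)  # what the two pulled drives hold

if __name__ == "__main__":
    print("bytes per disk:", [len(i) for i in IMAGES], "of", len(DATA))
    print("layout found:", find_layout(IMAGES, [64, 128, 256, 512], DATA[:1024]))
```

Each image holds exactly half the bytes, which is why a single drive from a RAID-0 pair is unreadable on its own; real recovery tools do the same search over real block sizes and many more disks.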


What do I do with the data?

Well, I have sufficient internal storage to keep it while I catch up on 8 months' worth of DVD back-ups. Long-term I am looking at a RAID-5 setup in hopes of solving my data storage, security and hardware failure worries.

Bottom line.

Be aware of how your external (or internal) setup is configured. If you see RAID-0 or JBOD, then you have zero protection and must have a way to perform back-ups. Yes, I could have an external data recovery company perform the restoration; however, I would rather do it myself and save the cash for a back-up system.

How do you ensure you don't lose anything of value?

Have you encountered a similar issue?

4 Comments

Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking about how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Here is my Fortune Cookie advice for August:

Security policy is like a seatbelt. It will not protect you every time, but it is guaranteed to fail if you choose not to use it.

No security policy is perfect. In fact, it should be a continuously evolving body of work which is improved as the industry changes and learns. The biggest challenge is not the exactness of the policies; rather, it is awareness and consistent adoption by the employees. An appropriate level of effort must be directed at successfully marketing the policy to its target audience and winning their support.

It may not be sexy, but policy can empower the Management support and maintenance of policy are key factors in leveraging this tool. Clear and straightforward verbiage coupled with sufficient marketing saturation can deliver necessary awareness to affect behaviors. With employee support of security principles, an organization takes a great step forward in achieving an optimal security posture.

So am I contributing to the problem of oversimplifying security? Or am I reaching out to those who might not take the inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide, and feel free to share your knowledge-nuggets.

0 Comments

Recently, security expert Bruce Schneier argued that security ROI figures are meaningless! Is it true? Well, yes and no.

The brutal truth.

Well-respected information security expert Bruce Schneier recently provided a stark opinion regarding the value of ROIs.

Follow this link to see the story:

http://www.zdnetasia.com/news/security/0,39044215,62037905,00.htm

In brief, Bruce stated that security ROI is meaningless because numbers can be manipulated to justify anything.

He explained that the amount spent on a product can change significantly by simply playing with the equation.
"If the chance of you being attacked is one in a million and I change it to one in two million... I have halved the amount of money you should spend.
"I can make an ROI model say whatever I want. I could justify or not justify anything based on these very, very rare and very, very damaging events," he said.

Tell me it is not true!

I believe Bruce is right, but his message is a little incomplete. His general message is accurate and shocking enough to garner the right level of attention. Most of the information security ROIs I have read were speculative, could not be validated, were impossible to reproduce, and had great latitude to provide results which benefit the desires of the author. Nowadays audiences are being provided ‘information’ under the auspices of ‘fact’, when in reality it is more of an opinion. Such valuation assessments are based on qualitative data rather than quantitative metrics.

I blogged about The Problem of Measuring Information Security back in August 2007.

Awareness must be raised. I applaud Bruce for helping to make this happen. His message, as brutal as it sounds, is bringing to light a shadowy area in our industry. I think the follow-up message for audiences is to scrutinize and apply common sense to any ROI they come across: understand the methodology and whether it makes sense in their context. Lifting the curtain can quickly reveal a puppet master pulling the strings to artificially show value.

Like Bruce, I too have a jaded perspective. I have seen some WILD ROIs. Much of what I have read from security vendors is pure folly. However, just because most are fiction, it does not mean all methodologies are without merit.

Intel published a white paper, Measuring the Return on IT Security Investments, which is applicable to some situations. This method, far from being a silver bullet, is a good start and has proven trustworthy.

For any method, the accuracy should be scrutinized. Can it be validated and repeated? Was the method developed solely for self-serving purposes by someone trying to sell something shiny? Does it make sense? These are the questions I ask myself.

On the bright side, many sharp people are working very hard to make the industry better and develop more rigorous processes to ensure both accuracy and confidence.

In the end, there is much work to be done in the information security valuation space. In the meantime, savvy consumers should be aware of the challenges, dive deeper into prospective ROIs and determine for themselves whether they are ‘meaningless’.

8 Comments