Thursday, March 22, 2007

The Alaska Fiasco

http://www.techworld.com/storage/news/index.cfm?newsID=8341&pagtype=samechan

Quite interesting, when someone that's come to save your data ends up destroying it :-) albeit inadvertently.

Apparently those responsible for backing up data for a bunch of files from Jan 2006 never "checked a box" requesting it be backed to tape. When a glitch arose in an EMC (www.emc.com) array the specialist figured out that the fix was to clean the area that was corrupted. In the process some key SQL files were deleted as well, making restoring of the lost data impossible. Why? Because the data had never been backed to tape, that's why. A single, simple unchecked check-box. See what happens when you don't have formal processes and procedures to accomplish even seemingly mundane IT tasks and duties?
Now they're coming up with a formal backup plan.

Now imagine if this had been a public/private company and not the govt. Hmmm.

In any case, what did they do to fix this? Go back to good ol' paper is what. Four part-timers over 2 months scanned in the paper copies and finished the task at a cost of $200K. Not something I'd want to pay for someone's dereliction of duty, but since when did us taxpayers get a say in the affairs of our govt!

Overall, this is what I'd recommend:
1. Institution of a Backup Policy:
a. Rate data (not information - that is to come later) in tiers of importance - say 1-4 (1=critical)
b. Critical data to have incremental backup every 30 minutes or every hour depending on activity, with full backup every 6 hours
c. Level 2 data incremental backup every 4 hours or so, with full backup every 6 hours
d. Level 3 data incremental backup every 6-8 hours, with full backup every 10-12 hours
e. Level 4 data full backup every day

2. Follow Processes:
a. Implement ITIL/COBIT - they not only guide you on implementing specific processes, but also help you isolate responsibilities and increase productivity. ITIL is the future of IT management. Without it you're not going to be able to converse intelligently with other entities that are ITIL compliant
b. Hire only those companies that follow ITIL methodologies themselves
c. Hire an independent consultant to take a look at the mess that's the IT dept and follow any and all reasonable suggestions. Break existing philosophy and destroy any comfort levels that you may have absorbed; this isn't your data - it belongs to US!
d. Run test runs every month - WITHOUT FAIL. If you're caught napping you're out
e. Do a FULL backup and recovery test every 3 months. I can't emphasize enough the importance of being prepared. What might cost you very little now will save you hundreds of thousands or even millions of dollars later on. Don't risk it - just test it

3. Follow-up:
a. Every quarter, have a meeting with the IT guys - what is missing, what can be improved, what needs to be changed, what should be chucked. Listen to them - they are your ears and eyes, and without them you're severely restricted in what you know. And while you don't have to do everything they say, at least think about it
b. Implement benchmarks 1 year from the time you started the project. No point having benchmarks too early in the game. Nothing to compare. Mark the improvement (hope it's improvement!) - on a chart and use it to inspire non-compliant members
c. Institute performance bonuses and rewards for education (ITIL certification etc)
d. Train every employee on the importance of data and its criticality
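
A check for the tiered schedule in recommendation 1, as an added example that is not part of the original post: it audits a dataset inventory against the tier intervals and flags anything that is unrated or has backup switched off. The inventory fields, dataset names and timestamps are constructed, and the upper end of each interval range is assumed to be the limit.

```python
from datetime import datetime, timedelta

H = timedelta(hours=1)
# tier -> (max age of newest recovery point, max age of newest full backup).
# Assumption: the upper end of each range in the policy is the hard limit.
# Tier 4 has full backups only, so no separate incremental limit applies.
POLICY = {1: (1 * H, 6 * H), 2: (4 * H, 6 * H), 3: (8 * H, 12 * H), 4: (None, 24 * H)}

def audit(inventory, now):
    """Return (dataset, finding) pairs for every violation of the tier policy."""
    findings = []
    for ds in inventory:
        name, tier = ds["name"], ds.get("tier")
        if tier not in POLICY:
            findings.append((name, "unrated: no tier assigned"))
            continue
        if not ds.get("backup_enabled", False):
            # The unchecked check-box: report it before anyone touches the data.
            findings.append((name, "backup not enabled"))
            continue
        point_max, full_max = POLICY[tier]
        last_full, last_inc = ds.get("last_full"), ds.get("last_incremental")
        if last_full is None or now - last_full > full_max:
            findings.append((name, "full backup missing or overdue"))
        if point_max is not None:
            # A full backup is also a recovery point, so take the newest of the two.
            newest = max((t for t in (last_full, last_inc) if t is not None), default=None)
            if newest is None or now - newest > point_max:
                findings.append((name, "incremental backup overdue"))
    return findings

# Constructed sample inventory (hypothetical names and times).
NOW = datetime(2007, 3, 22, 12, 0)
INVENTORY = [
    {"name": "claims-db", "tier": 1, "backup_enabled": False},
    {"name": "payroll", "tier": 2, "backup_enabled": True,
     "last_full": NOW - 5 * H, "last_incremental": NOW - 2 * H},
    {"name": "orders-db", "tier": 1, "backup_enabled": True,
     "last_full": NOW - 3 * H, "last_incremental": NOW - timedelta(minutes=90)},
    {"name": "web-logs", "tier": 4, "backup_enabled": True, "last_full": NOW - 30 * H},
    {"name": "scratch", "backup_enabled": True, "last_full": NOW - 1 * H},
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, NOW):
        print(f"{name}: {finding}")
```

Run on a schedule and alert on any non-empty result, so a dataset with backup switched off is caught by the audit rather than by a failed restore.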

What is somewhat disturbing is the way the data got just wiped out. I mean, come on, a "specialist" can come by and simply destroy anything he wants (of course, by accident)? Shouldn't there be safeguards against precisely these kinds of incidents? How about getting permission from a resident IT expert before purging data, or just backing it up to another disk before attempting to delete something? I know it's very hard to imagine how erasing just a few files can cause havoc, but that's the nature of databases. Indexes, journaling, logging - you got to be aware of these concepts before you touch anything related to databases.

Thursday, March 15, 2007

Google and Privacy - Together in the Same Sentence?

So, you must have read up on all the recent news about Google vowing to make privacy a very high priority issue by regularly purging data that could identify, and match a user with a given search term.

The huge brouhaha last year ended somewhat with a whimper when the Court asked Google to only release a sample of the searches on a random day, but that doesn't mean the information-hungry govt folks all over the world are going to give up so soon.

Google now represents not only a fantastic tool to mine the murky Internet (as also the WWW) but it also is a great first source for agencies looking to incriminate people ranging from murderous/murdering spouses to clean-cut, white-collar professionals. And why is that?
Because Google is no longer just a search engine - it's now a VERB. If you've ever used 'Google' as a verb you know what I mean.

The fact that other search engines pale in comparison to the relevance and depth of Google, helps GOOG not only power its growth, but also learn more and more about more and more - people, technologies, trends - well, really, everything. And thus if you've used Google as your exclusive search engine for the past several years you can trust it has a nice little background on you and your passion for whatever it is that you are passionate about.

There is not much to doubt that last year's Court motions have set these info-monsters in a state of panic - usability or privacy? Technology or privacy? Relevance or privacy?

AOL has already affirmed that it'd be purging identification data every 11 months - just enough to comply with the insane record-keeping requirements. YAHOO apparently has been a bit more nebulous, its statement clear as a San Francisco winter morning.

Where do users stand? Should you use tools that offer to 'whitewash' your trail? Should you opt for anonymizers? Or should you surf oblivious, ignorant, and blissfully unaware of the compromising trades that we make every single day whenever we submit to the 'more information, please' requests of the various websites that collect information about you via cookies, surveys, sweepstakes and so on?

If you have something to hide, or if you think it might be a good idea to play it safe nonetheless, why not use the local library to do your search, or use one of the many privacy tools available for free and for a few dollars? Might be worth it, if you value your isolation from the teeming bits and bytes that could be mirrors into your very soul.

Sesh

Phishing Attack with IE7?

http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx

A very interesting depiction of how phishing could be so very easily accomplished using the "Navigation Canceled" page feature in IE7. You simply direct users to a page with a proper-looking URL, but deep within there's a script being generated that'll redirect users elsewhere but with the same "genuine" URL.

IE7 will ask users to refresh the "Navigation Canceled" page to retry, and when the users do that, the script generated in the first step will lead them somewhere else, but with a perfectly legitimate URL. You got to see the video in order to see how easy it is.

Steps to protect oneself:
Don't use IE7
Don't click on the link directly - type it in yourself, watching the spelling
Check for a proper, valid certificate if led to a secure site (double-click the padlock icon)

Sesh

Monday, March 12, 2007

Seagate Ships Secure Disk Drives

http://www.pcworld.com/article/id,129734-c,harddrives/article.html
http://news.zdnet.com/2100-1009_22-6130824.html?tag=nl
http://news.zdnet.com/2100-1009_22-6166180.html

Apparently the system has a vulnerability - it's only "ON" when the machine is fully switched OFF. Meaning, if you have authenticated yourself to the system successfully, the data is open and available, much like a regular PC. The real value comes in, ironically and unfortunately and maybe expectedly, only when the machine gets stolen or someone makes off with the disk. If you forget the password - tough luck - Seagate will only "reset" the drive but the data is as good as lost.

You boot up the machine and it asks for a password. Further to that, the encryption keys (the algorithm being AES-128 - VERY strong) can be managed by third-party software - such as Wave Systems. Not sure where the keys live though, although unquestionably they'll be in an encrypted state. They also state that the data will be in encrypted condition until/unless requested by an application.

Overall, a very sound idea and I am sure a very neat product, but definitely some improvements should be forthcoming. As they say, a system is only as secure as its password. Choose a horrible password like, HEAVENS!, "password" and neither Seagate nor AES can save you :-) Of course, having two-factor authentication should help TREMENDOUSLY.

Two-factor authentication: Any two of "What you know (password, PIN etc)" "What you have (token, temporary authentication code)" "What you are (biometric, usually, such as iris, fingerprint)"

AES: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

First Blog Entry...

Hello,
This is my first blog entry - evah! I'm going to (try and) write about Security, a pet subject of mine. No not the "To Protect and to Serve" kind, but the SSL/TLS/CIA kind, although the former could still technically fulfill the requirements...hmmm...maybe I should think some more about this.

Anyway, a quick snapshot of myself. While I'm too old to advertise my age, I can tell you that I'm not THAT old either :-)
A software engineer by profession, I occasionally dabble in poetry (metric/rhyming and free-verse) and have been published once or twice, mostly twice, ha ha!
I also enjoy photography, and might post some of my favorite pictures pretty soon.

With encouragement I should be able to find footing in the somewhat strange (to me, right now) land of blogging and I hope, be able to keep at it as well.

My Best,
Sesh