Friday, March 13, 2009

SSD: The Spin Stops Here…

So who out there has ever experienced a hard disk failure? Sure, a lot of you have. Current magnetic spinning disks are (very) slowly being replaced by faster, longer lasting Solid State Disks. Solid State Disks are nothing new, but the benefits they offer over their predecessor are what really set the technology apart.

With no moving parts, higher resistance to dropping and lower power consumption, laptop users are loving this technology. Accident-prone people who drop their laptops are enjoying their data staying put, road warriors are enjoying longer battery life, and power users are enjoying longer disk life.

The market share for Solid State Disks is relatively small at this point in time. Some people project the whole solid state market to be at 7.5 Billion in 2012, whereas the current market for Seagate (a hard disk manufacturer) was 3 Billion… just for the third quarter of 2008. So the traditional hard disks aren’t going anywhere soon.

So when a drive fails, how easy is it to retrieve the data from the drive? Depending on the drive size and whether or not there is any type of drive encryption, it is fairly easy given the proper tools. This trend is about to change with SSDs. SSDs don’t use the same technology that the traditional SATA (Serial Advanced Technology Attachment) and PATA (Parallel Advanced Technology Attachment) drives do.

But what kinds of issues are still alive for SSDs? Well, the costs are still outrageous for the common end user (especially in today’s economy). Disks are small in size, averaging 64GB of space for $150, which puts them on par with current SAS (Serial Attached SCSI, pronounced “scuzzy”) drives. SAS drives are built for servers and offer stunning specs, including lots of cache, 10,000 and 15,000 RPM spin speeds, and lightning fast response times. Older desktop and laptop drives spin anywhere from 4600 RPM to 7200 RPM, which makes them much slower, but at the same time more affordable.

SSDs are also able to endure more abuse. This is rated in G-force, where one G is the force of a mass’s normal weight. SSDs are rated to take 1500 G and more, that is, 1500 times their own weight, the kind of shock a drive sees when it is dropped. Traditional drives can’t take that much abuse, while SSDs are said to be able to be dropped off a 2 story building and still work. Try that with a normal SATA drive.

Think of the USB thumb drive you use to transfer files from computer to computer; that is the type of technology used in Solid State drives. The difference is that a traditional HDD seeks data at specific locations that are assigned distinct positions on a platter of the hard disk. SSDs don’t have this because there isn’t a spinning platter. This is what is called NAND technology, and it makes these drives much faster than traditional HDDs. You can’t physically point out a location for memory in NAND technology.

There are two types of flash memory: NAND and NOR. While NOR is best suited for small memory sticks, NAND is used in USB drives and now SSDs. NOR operates by sending electrical signals to the cells that form the whole storage memory. Each cell contains either a 1 or a 0, and all of those 1s and 0s make up your files, pictures and Word documents. NAND, on the other hand, operates by using gates. Writing data is called “tunnel inject” and reading data is called “tunnel release.” Because of how data is stored in flash memory, access times are significantly faster: flash memory accesses the data location almost instantly and responds. In some cases random access times drop to 1-3ms! Traditional hard disks have normal access times of 7-10ms.

Also, these data locations are stored in onboard RAM that has almost instant access to a memory location, allowing for up to 250MB/sec data access. To put that into perspective, SATA drives work at about 40-70MB/sec and PATA drives are even slower. So moving large files, such as MP3s and AVIs, goes much quicker (on the order of 4-7 times faster!). This is most significant when moving gigabytes of data.

Comparing the three types of drives, SATA, SAS and SSD, how do you know what to do these days? There are many factors that can affect your decision: cost, speed, reliability, MTBF (Mean Time Before Failure), form factor and transfer speed. For now, in mobile platforms, you will most likely be looking at SATA drives, although if you have the extra money you could get an SSD. The server market eventually will be using SSDs, but for now it is still using older SCSI drives or newer SAS drives. Normal desktop machines will probably be the last to move to SSDs due to capacity. People with 500 GB of music and terabytes of movies won’t be able to afford SSDs to replace their SATA drives for at least another 5-10 years.

The biggest issue with hard drives is that hardly anyone backs up their data. Even today, with disk space so cheap, backups are still almost non-existent in the home. Businesses are doing much better these days than even a few years ago in backing up data, but these backups are still on slow tapes that take a lot of time to back up to and restore from.

So what’s the moral of the story? SSDs are moving in at a slow pace, but eventually all hard drives will be some kind of non-mechanical disk. They are energy efficient, fast and very long lasting. Even if the MTBF is 1,000,000 or longer, as advertised for many SSDs, backups are still crucial. Multiple copies of data in multiple locations are the only safe way to store data. What happens when a disk fails? That’s when you call us to get your data back.
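To put numbers on the MTBF point, here is an added example (not code from the original post) using the constant-failure-rate model: the advertised 1,000,000 figure is taken as hours, since the post gives no unit, and copies are assumed to fail independently and not be replaced.

```python
import math

HOURS_PER_YEAR = 24 * 365  # 8,760 hours


def annual_failure_rate(mtbf_hours: float) -> float:
    """Probability that one drive fails within a year under a constant
    failure rate (exponential model): P(fail by t) = 1 - exp(-t / MTBF)."""
    return 1.0 - math.exp(-HOURS_PER_YEAR / mtbf_hours)


def expected_fleet_failures(mtbf_hours: float, drives: int, years: float = 1.0) -> float:
    """Expected number of failed drives in a fleet over the period."""
    return drives * years * HOURS_PER_YEAR / mtbf_hours


def prob_any_failure(mtbf_hours: float, drives: int, years: float = 1.0) -> float:
    """Probability that at least one drive in the fleet fails in the period."""
    survive_one = math.exp(-years * HOURS_PER_YEAR / mtbf_hours)
    return 1.0 - survive_one ** drives


def prob_data_lost(mtbf_hours: float, copies: int, years: float = 1.0) -> float:
    """Probability that every independent copy of the data fails within the
    period (assumption: independent failures, no replacement of dead copies),
    i.e. the data itself is gone."""
    fail_one = 1.0 - math.exp(-years * HOURS_PER_YEAR / mtbf_hours)
    return fail_one ** copies


if __name__ == "__main__":
    MTBF = 1_000_000  # the figure advertised in the post, assumed to be hours
    print(f"single-drive annual failure rate: {annual_failure_rate(MTBF):.2%}")
    print(f"expected failures/year across 1000 drives: {expected_fleet_failures(MTBF, 1000):.1f}")
    print(f"P(at least one of 1000 drives fails this year): {prob_any_failure(MTBF, 1000):.4f}")
    for copies in (1, 2, 3):
        print(f"P(all {copies} copies lost within 5 years): {prob_data_lost(MTBF, copies, 5):.2e}")
```

A 1,000,000-hour MTBF is roughly a 0.9% chance per drive per year, so a thousand-drive fleet still expects about nine failures a year; a second independent copy cuts the five-year chance of total loss from a few percent to well under one percent.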


Thursday, March 12, 2009

Fast-Track Not for the weak...

As many of you know I've invested a ton of time and effort into an open-source tool called Fast-Track. I won't get into the nitty gritty details about the inner-workings of the tool, but it has gotten heavy backing lately in the security community. I present at all the normal ISSA, ISACA, Infraguard, OWASP, Defcon, Shmoocon, INFOSEC, HTCIA, NOTACON conferences and try to portray my knowledge and vision in security to other people. SecureState puts on free seminars and is one of the thought leaders in the information security realm. Our goal is to help our customers but also present the "SecureState Way" in security. With any popularity you always get the select few that don't understand, lack experience, or perceive themselves above everyone else. Fast-Track isn't just a small side project for me, it's been something that I take great pride in and have invested a considerable amount of time in to better the security community. For the one person out there that talks negatively about Fast-Track through podcasts, to others, and not directly towards us, that really shows an individual's true colors. I open the comments section to anyone that's got a gripe with me and Fast-Track and we can do some fun internet blogging wars! :P This post is really directed at one person... If you wish to remain hidden and in the shadows I would cease on what you do, or I can really start to embarrass you publicly in front of thousands of people :-)


President Obama: Good for Information Security?

Let me preface this entire blog by stating that I am neither Republican nor Democrat. I consider myself moderate and in turn find good and bad in both parties. With that said, this blog isn’t based on how I view politics, but rather how I view the new administration with regards to information security. I believe that President Obama’s administration may be good for information security (emphasis on “may” and “information”).

There is no question that President Obama ran the most technological campaign in American history. President Obama leveraged social networking sites like Facebook, online resources such as YouTube and Twitter, as well as his own website to reach out to the masses. At the end of President Obama’s campaign approximately 1.5 million accounts were created on “”. Barack Obama received over $600 million in contributions from more than three million people, many of whom donated through his website. This fact leads me to my first point. With this type of internet presence, I can only assume that information security had to be at the forefront of this campaign. After all, it doesn’t exactly look good if website is hacked, allowing information for over 1.5 million people to be compromised.

The Obama administration is currently reviewing the policies and procedures for defending cyberspace and plans to propose any changes by the end of April. Obviously we will have to wait to see what comes from this review to really determine how the new administration views information security, but the fact that they are taking on this task so early in the administration, in the midst of more serious problems, does say something. What that “something” is has yet to be determined. This leads me to my second point, and I will defend this position with a blurb from an article by Robert Lemos titled “Law makers voice concerns over cybersecurity plan” posted on

“The U.S. government gave short shrift to cybersecurity issues at the beginning of the decade. While the Bush Administration released its National Strategy to Secure Cyberspace in 2003, the final document significantly softened the government's stance on securing critical infrastructure, which is primarily maintained by private companies. The Administration also collected most of the cybersecurity capabilities into the Department of Homeland Security and then failed to fund the efforts. While Congress established the position of Assistant Secretary for Cybersecurity within the DHS in 2005, the Bush Administration failed to fill the leadership role for more than a year, finally appointing Greg Garcia, a former information-technology lobbyist, to the post. In the last two years, however, the Bush Administration has focused more intently on securing government networks.”

It does certainly appear that the new administration is taking a more timely and proactive look at cyber security than the previous administration. That’s not to say that my opinion would not change if, in April, it comes to fruition that the new administration is actually cutting our cyber security defenses.

My last point will be made with a couple sections from an article titled “Staff Finds White House in the Technological Dark Ages” written by Anne E. Kornblut in the Washington Post:

“…Obama officials ran smack into the constraints of the federal bureaucracy yesterday, encountering a jumble of disconnected phone lines, old computer software, and security regulations forbidding outside e-mail accounts.”

It later states:

“The team members, accustomed to working on Macintoshes, found computers outfitted with six-year-old versions of Microsoft software. Laptops were scarce, assigned to only a few people in the West Wing. The team was left struggling to put closed captions on online videos.”

Some of you may ask, “Why is this important?”, or, “How do the above statements make the Obama administration any more or less security focused?” To answer these questions I will ask you this: why was this important to the Obama staff in the first place, and how exactly did it make national news? My only guess is that someone in Obama’s administration must have realized that running Windows 95 may not be the most security conscious decision and therefore needed to be remediated. This is something I would have expected the previous administration to have known was a problem and to have corrected long ago.


Wednesday, March 11, 2009

Mission: Possible

It’s a problem with many names. Some refer to it as corporate espionage. Some say it’s business intelligence. Others may even refer to it as spying. Let’s call a spade a spade. It’s not some work of fiction seen only in movies like Mission Impossible or a Tom Clancy novel. It’s occurring right here, right now, and your organization may be a target. Don’t think so? Neither did The Cleveland Clinic, Kodak, MasterCard, Avery Dennison, DuPont, Metaldyne, 3DGeo, or numerous other companies you may or may not have heard of.

Economic espionage, the most commonly accepted term for it, is a federal crime prosecutable under the Economic Espionage Act of 1996. Without getting into technical definitions of what constitutes economic espionage, it is the stealing of trade secrets, from the rightful owner, for the economic benefit of another. As the rightful owner of trade secrets, does this give you a “warm and fuzzy” feeling because there will be repercussions if the offender is caught? Do you feel safe just because someone can be convicted of a crime for stealing your secrets?

There is one hitch, however: a provision in the Act states that the owner of that information must take reasonable measures to keep it secret. What measures are you or your organization taking to ensure that you meet this provision? Are you classifying your data? Are you marking hard and soft copies of files with “Confidential Information”? Are you storing this information in locked file cabinets or safes? Are you using encrypted email to send this information? Are you encrypting the hard drives on your laptops? Have you had a risk assessment performed? How about a penetration test? Are you educating your employees on what is sensitive information and how to protect it?

If your answer to one or more of these questions is no, good luck trying to convince anyone that you are taking “reasonable measures” to keep your information secret. Lucky for you, if you haven’t already ended up on the front page of the newspaper, you still have time to correct it. This problem can be fixed, and if you made it to this blog, you know who can help you! Good luck!


Monday, March 9, 2009

Hungry, Hungry, HIPAA

Over the last year we have seen a small surge in HIPAA assessments from our clients. The few years leading up to that were pretty darn quiet compared to the initial storm when the regulation first came out. So why is that? Well, it’s something we say over and over and that’s “no one does security unless they have to,” though there is some due diligence. But that’s all about to change.

With HIPAA, other than some initial work a long time ago, it wasn’t that scary until the audits started. And most of the work was done under some risk-based assessment that likely favored the business over security. Even so, statistically speaking, your organization isn’t likely to get ‘hit’ any time soon based on the number of audits being performed. In previous postings, we tried to make it easy for you and talked about using the NIST 800-66 framework.

Now despite all our efforts, the current administration – like them or not – realizes that HIPAA still needs more teeth. I don’t know about you, but the $100,000 HIPAA audit fine for an organization in Seattle was nearly laughable compared to the millions of dollars being levied for PCI. So of course your ‘risk assessment’ is going to say doing security isn’t worth it versus the costs given what we’ve seen to date. So we need to make it more painful, right? Make it so that you feel like you have to do it, right?

Buried within the American Recovery and Reinvestment Act of 2009 (ARRA) signed in February is the Health Information Technology for Economic and Clinical Health Act (HITECH Act) – though this isn’t really high tech, go figure. This includes quite a few revisions to HIPAA, such as increased coverage for non-entities. But the high impact area is mandatory breach notification and its subsequent requirements. To enforce this, it is tied to increased penalties, fines and overall liability, and improved enforcement. Fines can reach $1.5M now. Civil lawsuits can now leverage HIPAA. And finally, there is an increase in audits.

So, do we have your attention now? It’s time for organizations to dust off their HIPAA compliance manuals from 5+ years ago and get a new, independent review of what the real risks are, using an accepted framework. It’s time for organizations to get risk assessments performed, like penetration tests that truly simulate breaches, to see if it could really happen there. Failure to do some assessment/audit work prior to a CMS audit is likely going to result in fines and reactive security, or worse, a very expensive breach. It’s better that experts like SecureState find the problem than CMS or the hacker – and for a lot less.
