Post #291,041
8/17/07 1:54:01 PM
|
Data recovery on Striped drives
This is actually a work related question.
If I have a drive that is RAID 5, striped, and pull one drive out of the array, what is the likelyhood of finding any usable data?
PCI DSS...
Currently vendor pulls bad drives from the raid and replaces with a new drive. They then take the old drive "home" with them for repair/reuse/whatever. This may would be ok IF the data cannot be reconstructed to find sensitive information.
I have already asked the storage management manager to ask the vendors for their opinion, but I would also like an "independent" group to give me answers.
TIA,
Joe
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
|
Post #291,045
8/17/07 2:13:24 PM
|
Any recovery would be pretty unlikely
The minimum configuration for raid 5 is three drives and you need two good ones to reconstruct anything. With one drive it seems to me pretty much impossible to get anything coherent out of it.
That is my understanding - the CIA data lab may feel otherwise but I kinda doubt it even there.
[link|http://www.aaxnet.com|AAx]
|
Post #291,046
8/17/07 2:15:44 PM
|
You may be Ok, but not guaranteed safe.
Striping only puts part of the data on each spindle. However, apparently each "block" can have multiple consecutive sectors so if you want no chance of outsiders reading the data you may be in trouble.
See [link|http://www.acsdata.com/raid-5-data-recovery.htm|ACS Data Recovery] and [link|http://en.wikipedia.org/wiki/Standard_RAID_levels#RAID_5|Wikipedia RAID 5].
To be absolutely sure that data can't be extracted from a drive you probably want to put the drive in a [link|http://www.magnetechcorp.com/Hard_drive_eraser.htm|hard drive eraser] or the like.
HTH a bit.
Cheers, Scott.
|
Post #291,047
8/17/07 2:22:23 PM
|
can useful information be pulled and re-assembled by block?
depends on the nature of the data. Unless an awful lot of tiny sensitive files are kept it would be a huge chore. If I was in an IP challenged or defense site I might worry. Any NDA/IP between you and vendor should cover this issue. thanks, Bill
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari? Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 51 years. meep
reach me at [link|mailto:bill.oxley@cox.net|mailto:bill.oxley@cox.net]
|
Post #291,051
8/17/07 4:31:10 PM
|
Depends on chunk size and what you are hiding
You are giving away 1/4 of your data in (hmm, let's say) 32K chunks. If you have a file smaller than 32K, then there is a 1 in 4 possibility you have handed it to someone else. If you have a database, then you have handed bits and pieces.
If you are mostly sure it is OK, but not CONVINCED, please the drive on a linux box, and (assuming is is /dev/sdb) (and you want the 1st partition) execute the following (change the 1 to increment partitions): dd if=/dev/sdb1 | strings | less
It'll dump the drive and let you read any text. You may find enough recognizable things that disturb you and make you want to treat it a bit more securely.
|
Post #291,074
8/18/07 6:19:28 AM
|
Thanks for all the replys, let's add clarification
You know where I work. We have huge NAS and SAN. So many drives, that losing 50 - 100 drives a month is not considered bad. All are under warranty. Vendor (EMC) comes in, pulls bad drive and puts in new drive. The old drive it taken by the vendor for recycling (repair and reuse), therefore the drives cannot be degaussed. If we don't return the old drive, we have to buy it at a cost of ~3k/drive (= millions of $/yr)
We must now comply with PCI DSS (Payment Card Industry - Data Security Standards). I am talking about YOUR credit card information. A 32k block could contain a lot of credit card transactions from the DB2 database. (No, the database cannot use column encryption - cannot go into details).
Given all this information, let's construct the situation that concerns me.
One of the drives in the "middle" of my CC transaction DB2 database fails. Vendor replaces the drive. Then repairs the drive. The technician analyzes the disk and is able to determine that the disk contains CC information and then sells your credit card information - full PAN, full MAG Sripe, or whatever is collected.
Is the above possible? Would there be enough data available? If it was your data center, would you be concerned about the security of the data?
I don't know the blocking factor, yet. If it is 32k, that could contain a lot of information.
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
|
Post #291,075
8/18/07 6:22:01 AM
|
Move the risk?
Write it into the contract that when you swap a drive out, it's up to EMC to ensure it's blankety blank before being reconditioned.
Peter [link|http://www.no2id.net/|Don't Let The Terrorists Win] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Home] Use P2P for legitimate purposes! [link|http://kevan.org/brain.cgi?pwhysall|A better terminal emulator] [image|http://i66.photobucket.com/albums/h262/pwhysall/Misc/saveus.png|0|Darwinia||]
|
Post #291,077
8/18/07 6:38:46 AM
|
That will be one of my suggestions.
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
|
Post #291,108
8/18/07 8:44:46 PM
|
Bulk Erase Tape Demanetizer.
There are ones that are "C" shaped and they are useful for making sure NOTHING survives or at least if ANY block are there they are at least most randomized.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey PGP key: 1024D/B524687C 2003-08-05 Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0 Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2
|
Post #291,109
8/18/07 8:53:28 PM
|
Can't use it if they expect to reuse the hard disk
Wipes the factory low level format as well.
|
Post #291,119
8/18/07 11:57:48 PM
|
That doesn't matter, if the disk has sensitive info.
The factory low-level format can be redone. It makes it tougher to re-use the disk but isn;t impossible.
Government requires a multi swipe policy
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey PGP key: 1024D/B524687C 2003-08-05 Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0 Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2
|
Post #291,121
8/19/07 12:35:52 AM
|
Sigh
Read the initial request, the situation, and the current cost / limitations involved.
|
Post #291,123
8/19/07 2:03:36 AM
|
If its PCI, its gotta be done.
Its a cost of dealing with the PCI.
Its the same with SSL/TLS.
PCI uses "Scan Alert" checks for stupid asinine things that mean nothing, but in order to "comply" you have to do them, no matter that we don't use Windows for ANYTHING on the server side. We still have to "do them" even though we can't. They don't care.
If you possibly have data being on a disk... good or bad.
You even have to have "wireless" security measures in place *EVEN* if you have *ZERO* wireless on your server network environment.
I can pull they survey questions if you'd like. They are very stupid, they assume Windows servers.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey PGP key: 1024D/B524687C 2003-08-05 Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0 Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2
|
Post #291,129
8/19/07 7:59:06 AM
|
I"ve had to live with these requirements
for the past three months. My initial project was to merge DSS with the corporate security standards, keeping the stricter of the two (Yes, some of the internal requirements are much stricter than PCI). The questions get quite interesting when you start to apply them to a mixed environment of mainframe, Unix, Linux, and Windows.
The questions about residual data on these drives is something that had been given only cursory investigation. PCI has force us to re-examine this issue.
The cost of destroying the drives exceeds the penalty for non-compliance. The cost to brand would be huge if there was a privacy leak.
Should we be destroying the drives? Maybe. As with every security issue it comes down to cost vs risk. My job is to report on risks and possible solutions. I do like Crazy's suggestion about setting up a workstation to scrub the disks before EMC takes them - if we are contractually allowed to remove the drives. I will also recommend that the EMC contract be reviewed to see if they are required to scrub the drives prior to reuse, and if they are not, see if we have the necessary language added.
And fwiw, we have other data storage vendors also. I just happened to start the discussion with the EMC group. It will only get uglier!
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
|
Post #291,136
8/19/07 11:49:44 AM
|
There is a certain point... that enough non-compliance...
will cause de-certification.
That would be BAD.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey PGP key: 1024D/B524687C 2003-08-05 Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0 Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2
|
Post #291,137
8/19/07 11:57:40 AM
|
I've done PCI before
I seem to recall (from my point of view) the level of effort was based on how many transactions you dealt with. That way small companies would not be killed by the overhead of dealing with it,
Also, I remember our Unix admin getting really pissed when we would not allow him to explain to the auditors that a particular sysem was Linux, did not have inbound email, did not present any shares using ANY protocol, was accessed strictly via secure shell from me and him, and had it's own very restrictive firewall settings and DID NOT NEED WINDOWS VIRUS SCANNING!
After meeting with the auditors once, we realized it was far easier to setup bullshit technical "fixes" that we could then check-off the list. The admin was ready to kill me. He was a talker, and was furious that we'd require him to setup and maintain software (including ongoing signature updates).
And then the flip side was worse. These auditors did not like the way something was done under Windows. My Windows admin pulls out the MS book, highlights the phrase "best practicies", and they then corrected their check-off lists to included whatever our admin told them.
Idiots.
|
Post #291,138
8/19/07 12:22:24 PM
8/19/07 12:23:58 PM
|
Well, we're definitely not a small merchant
And this is our first pass at PCI compliance. I've already annotated the lack of virus scans on the mainframe and the Sun boxes... :-) You are right in that the focus of these questions is definitely Windows based. However...
I have the IG office following right behind me. They are checking my work, ensuring that my questions did deep enough and that I don't ignore anything.
I wish we were a smaller organization. I have to tromp though many fiefdoms to get the info. The test say to document how we comply. The normal reply I've been getting back is "yes we comply". I'm glad that some of these questions can be applied enterprise wide, as we have many applications that must be certified PCI compliant. This is just number one.
From what I've been told, if we were to only keep the auth number and iirc last 4 of the PAN, then we would not have to comply with all these standards because we would not have any PCI sensitive data. For some reason HQ decided to keep the full PAN.
/rant
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
Edited by jbrabeck
Aug. 19, 2007, 12:23:58 PM EDT
|
Post #291,078
8/18/07 7:30:28 AM
|
that SHOULD be covered in your contract with EMC
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari? Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 51 years. meep
reach me at [link|mailto:bill.oxley@cox.net|mailto:bill.oxley@cox.net]
|
Post #291,081
8/18/07 8:52:59 AM
|
What Peter and Box said.
And if you want to be really paranoid, try to get them to agree to random checks that said drives have in fact been erased. You may not have to actually do it, note, just threaten^W mandate them.
Wade.
Is it enough to love Is it enough to breathe Somebody rip my heart out And leave me here to bleed
| | Is it enough to die Somebody save my life I'd rather be Anything but Ordinary Please
|
-- "Anything but Ordinary" by Avril Lavigne. | · my · · [link|http://staticsan.livejournal.com/|blog] · · [link|http://yceran.org/|website] · |
|
Post #291,094
8/18/07 3:03:30 PM
8/18/07 3:15:49 PM
|
Like others said, but, that's pure political
I doubt your current contract mandates clean drives. There will be some type of bullshit best effort statement, but'll be meaningless and unenforceable.
It is very unlikely you get any changes now, since the system is already put in, and it will cost a LOT more than the cost of the disks, since now you are pushing the cost of lawsuits at them.
EMC arrays toss perfectly fine drives all the damn time. There are bunches of system configurable parameters that control your tolerance for retries, at the sector, disk, bus, etc, levels. Every time there is a hint of an error, the array has the choice of marking the drive bad and moving on.
It will toss the drive.
Now you can either rebuild to the drive or swap it. Since it is far less likely it is really the drive's fault (transient errors are almost always bus, connectors and cable, and (flip, flip, flip) electromagnetic solar flare due to the (garbled) effect) it is a realistic option to rebuild to the drive.
In my experience, we'd have a couple of possibly failed drives in transition. Since the we didn't know what the 1st failure was really for, we'd put a different drive in to rebuild. If that failed in the next week in the same manner, we'd know it was not a drive problem but an array issue, and start screaming about that.
It might be if they say the array is fine, than I'd suggest you notch up the retries associated with whatever is failing, since it'll keep happening and you are dealing with a design / unfixable environmental flaw at that point. Or you learn to scream louder and get a new drive tray, etc.
So, you might find yourself returning less drives once you've gone through a couple of cycles of real troubleshooting.
At this point, we focus on the drives. If the drives has failed in such a what you simply can't communicate with it, you don't have the ability to treat it. You MIGHT be able get them to sell it to you at cost but I wouldn't bet on it since they are just sending it back to vendor anyway for a replacement. Accept that fact you will eat the cost of a few drives.
In the case of drives that you can communicate with, setup a workstation with whatever board is required to talk to them (by the way, what type of drives?), and do a secure wipe before sending them back.
If we go worst case scenario on costs, assume it is a full time job:
Decent PC, lots of slots, high end 3rd party drive boards: $20K Full time tech, fully loaded cost: $100K
Of course, this is not a full time job, since the initial setup should take a couple of weeks, and then ongoing drive swap, menu choice to clear should be an entry level clerical job. The key is that you have a low level Linux / Hardware capable BOFH available for then the drive errors require a judgement call.
I figure it would take me 2 days to setup the box, setup a menu interface, and whip up a bunch a scripts that would allow hot adding of the failed drives and wiping them. If you wanted to be brain dead about it, allow a power cycle to probe them out and bring them in on boot.
Hmm, actually, not that I think about it, I could see this being a portable device. One that would be mandated to use in the field. Hell, I'm gonna patent that sucker.
Edited by crazy
Aug. 18, 2007, 03:03:52 PM EDT
Edited by crazy
Aug. 18, 2007, 03:15:49 PM EDT
|