IWETHEY v. 0.3.0 | TODO
1,095 registered users | 1 active user | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New Thanks for all the replys, let's add clarification
You know where I work. We have huge NAS and SAN. So many drives, that losing 50 - 100 drives a month is not considered bad. All are under warranty. Vendor (EMC) comes in, pulls bad drive and puts in new drive. The old drive it taken by the vendor for recycling (repair and reuse), therefore the drives cannot be degaussed. If we don't return the old drive, we have to buy it at a cost of ~3k/drive (= millions of $/yr)

We must now comply with PCI DSS (Payment Card Industry - Data Security Standards). I am talking about YOUR credit card information. A 32k block could contain a lot of credit card transactions from the DB2 database. (No, the database cannot use column encryption - cannot go into details).

Given all this information, let's construct the situation that concerns me.

One of the drives in the "middle" of my CC transaction DB2 database fails. Vendor replaces the drive. Then repairs the drive. The technician analyzes the disk and is able to determine that the disk contains CC information and then sells your credit card information - full PAN, full MAG Sripe, or whatever is collected.

Is the above possible? Would there be enough data available? If it was your data center, would you be concerned about the security of the data?

I don't know the blocking factor, yet. If it is 32k, that could contain a lot of information.
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
New Move the risk?
Write it into the contract that when you swap a drive out, it's up to EMC to ensure it's blankety blank before being reconditioned.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
[link|http://kevan.org/brain.cgi?pwhysall|A better terminal emulator]
[image|http://i66.photobucket.com/albums/h262/pwhysall/Misc/saveus.png|0|Darwinia||]
New That will be one of my suggestions.
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
New Bulk Erase Tape Demanetizer.
There are ones that are "C" shaped and they are useful for making sure NOTHING survives or at least if ANY block are there they are at least most randomized.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
New Can't use it if they expect to reuse the hard disk
Wipes the factory low level format as well.
New That doesn't matter, if the disk has sensitive info.
The factory low-level format can be redone. It makes it tougher to re-use the disk but isn;t impossible.

Government requires a multi swipe policy
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
New Sigh
Read the initial request, the situation, and the current cost / limitations involved.
New If its PCI, its gotta be done.
Its a cost of dealing with the PCI.

Its the same with SSL/TLS.

PCI uses "Scan Alert" checks for stupid asinine things that mean nothing, but in order to "comply" you have to do them, no matter that we don't use Windows for ANYTHING on the server side. We still have to "do them" even though we can't. They don't care.

If you possibly have data being on a disk... good or bad.

You even have to have "wireless" security measures in place *EVEN* if you have *ZERO* wireless on your server network environment.

I can pull they survey questions if you'd like. They are very stupid, they assume Windows servers.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
New I"ve had to live with these requirements
for the past three months. My initial project was to merge DSS with the corporate security standards, keeping the stricter of the two (Yes, some of the internal requirements are much stricter than PCI). The questions get quite interesting when you start to apply them to a mixed environment of mainframe, Unix, Linux, and Windows.

The questions about residual data on these drives is something that had been given only cursory investigation. PCI has force us to re-examine this issue.

The cost of destroying the drives exceeds the penalty for non-compliance. The cost to brand would be huge if there was a privacy leak.

Should we be destroying the drives? Maybe. As with every security issue it comes down to cost vs risk. My job is to report on risks and possible solutions. I do like Crazy's suggestion about setting up a workstation to scrub the disks before EMC takes them - if we are contractually allowed to remove the drives. I will also recommend that the EMC contract be reviewed to see if they are required to scrub the drives prior to reuse, and if they are not, see if we have the necessary language added.

And fwiw, we have other data storage vendors also. I just happened to start the discussion with the EMC group. It will only get uglier!
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
New There is a certain point... that enough non-compliance...
will cause de-certification.

That would be BAD.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
New I've done PCI before
I seem to recall (from my point of view) the level of effort was based on how many transactions you dealt with. That way small companies would not be killed by the overhead of dealing with it,

Also, I remember our Unix admin getting really pissed when we would not allow him to explain to the auditors that a particular sysem was Linux, did not have inbound email, did not present any shares using ANY protocol, was accessed strictly via secure shell from me and him, and had it's own very restrictive firewall settings and DID NOT NEED WINDOWS VIRUS SCANNING!

After meeting with the auditors once, we realized it was far easier to setup bullshit technical "fixes" that we could then check-off the list. The admin was ready to kill me. He was a talker, and was furious that we'd require him to setup and maintain software (including ongoing signature updates).

And then the flip side was worse. These auditors did not like the way something was done under Windows. My Windows admin pulls out the MS book, highlights the phrase "best practicies", and they then corrected their check-off lists to included whatever our admin told them.

Idiots.
New Well, we're definitely not a small merchant
And this is our first pass at PCI compliance. I've already annotated the lack of virus scans on the mainframe and the Sun boxes... :-) You are right in that the focus of these questions is definitely Windows based. However...

I have the IG office following right behind me. They are checking my work, ensuring that my questions did deep enough and that I don't ignore anything.

I wish we were a smaller organization. I have to tromp though many fiefdoms to get the info. The test say to document how we comply. The normal reply I've been getting back is "yes we comply". I'm glad that some of these questions can be applied enterprise wide, as we have many applications that must be certified PCI compliant. This is just number one.

From what I've been told, if we were to only keep the auth number and iirc last 4 of the PAN, then we would not have to comply with all these standards because we would not have any PCI sensitive data. For some reason HQ decided to keep the full PAN.

/rant
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
Expand Edited by jbrabeck Aug. 19, 2007, 12:23:58 PM EDT
New that SHOULD be covered in your contract with EMC
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 51 years. meep

reach me at [link|mailto:bill.oxley@cox.net|mailto:bill.oxley@cox.net]
New What Peter and Box said.
And if you want to be really paranoid, try to get them to agree to random checks that said drives have in fact been erased. You may not have to actually do it, note, just threaten^W mandate them.

Wade.


Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please



-- "Anything but Ordinary" by Avril Lavigne.

· my ·
· [link|http://staticsan.livejournal.com/|blog] ·
· [link|http://yceran.org/|website] ·

New Like others said, but, that's pure political
I doubt your current contract mandates clean drives. There will be some type of bullshit best effort statement, but'll be meaningless and unenforceable.

It is very unlikely you get any changes now, since the system is already put in, and it will cost a LOT more than the cost of the disks, since now you are pushing the cost of lawsuits at them.

EMC arrays toss perfectly fine drives all the damn time. There are bunches of system configurable parameters that control your tolerance for retries, at the sector, disk, bus, etc, levels. Every time there is a hint of an error, the array has the choice of marking the drive bad and moving on.

It will toss the drive.

Now you can either rebuild to the drive or swap it. Since it is far less likely it is really the drive's fault (transient errors are almost always bus, connectors and cable, and (flip, flip, flip) electromagnetic solar flare due to the (garbled) effect) it is a realistic option to rebuild to the drive.

In my experience, we'd have a couple of possibly failed drives in transition. Since the we didn't know what the 1st failure was really for, we'd put a different drive in to rebuild. If that failed in the next week in the same manner, we'd know it was not a drive problem but an array issue, and start screaming about that.

It might be if they say the array is fine, than I'd suggest you notch up the retries associated with whatever is failing, since it'll keep happening and you are dealing with a design / unfixable environmental flaw at that point. Or you learn to scream louder and get a new drive tray, etc.

So, you might find yourself returning less drives once you've gone through a couple of cycles of real troubleshooting.

At this point, we focus on the drives. If the drives has failed in such a what you simply can't communicate with it, you don't have the ability to treat it. You MIGHT be able get them to sell it to you at cost but I wouldn't bet on it since they are just sending it back to vendor anyway for a replacement. Accept that fact you will eat the cost of a few drives.

In the case of drives that you can communicate with, setup a workstation with whatever board is required to talk to them (by the way, what type of drives?), and do a secure wipe before sending them back.

If we go worst case scenario on costs, assume it is a full time job:

Decent PC, lots of slots, high end 3rd party drive boards: $20K
Full time tech, fully loaded cost: $100K

Of course, this is not a full time job, since the initial setup should take a couple of weeks, and then ongoing drive swap, menu choice to clear should be an entry level clerical job. The key is that you have a low level Linux / Hardware capable BOFH available for then the drive errors require a judgement call.

I figure it would take me 2 days to setup the box, setup a menu interface, and whip up a bunch a scripts that would allow hot adding of the failed drives and wiping them. If you wanted to be brain dead about it, allow a power cycle to probe them out and bring them in on boot.

Hmm, actually, not that I think about it, I could see this being a portable device. One that would be mandated to use in the field. Hell, I'm gonna patent that sucker.
Expand Edited by crazy Aug. 18, 2007, 03:03:52 PM EDT
Expand Edited by crazy Aug. 18, 2007, 03:15:49 PM EDT
     Data recovery on Striped drives - (jbrabeck) - (19)
         Any recovery would be pretty unlikely - (Andrew Grygus)
         You may be Ok, but not guaranteed safe. - (Another Scott)
         can useful information be pulled and re-assembled by block? - (boxley)
         Depends on chunk size and what you are hiding - (crazy)
         Thanks for all the replys, let's add clarification - (jbrabeck) - (14)
             Move the risk? - (pwhysall) - (10)
                 That will be one of my suggestions. -NT - (jbrabeck)
                 Bulk Erase Tape Demanetizer. - (folkert) - (8)
                     Can't use it if they expect to reuse the hard disk - (crazy) - (7)
                         That doesn't matter, if the disk has sensitive info. - (folkert) - (6)
                             Sigh - (crazy) - (5)
                                 If its PCI, its gotta be done. - (folkert) - (4)
                                     I"ve had to live with these requirements - (jbrabeck) - (1)
                                         There is a certain point... that enough non-compliance... - (folkert)
                                     I've done PCI before - (crazy) - (1)
                                         Well, we're definitely not a small merchant - (jbrabeck)
             that SHOULD be covered in your contract with EMC -NT - (boxley)
             What Peter and Box said. - (static)
             Like others said, but, that's pure political - (crazy)

Powered by zeptotechnology!
64 ms