Wednesday, August 19, 2009

Hard disk accident

I got my tablet notebook ready for work again, after the nightmare of a crashed hard disk.

The hard disk of my tablet computer, an Acer TravelMate C110, suddenly crashed last week. Windows XP froze at once, while the mouse pointer could still move, when the disaster happened. I tried rebooting, reading the disk on another computer, and repairing it with HD utilities; none of them worked. Eventually I gave up altogether.

Thank God I did have a copy of most of the data on the dead laptop. I virtualized the whole laptop in 2008, so all the old files, since I started using the tablet in 2005, were kept in a virtual machine on my iMac. The biggest loss for me was the books I had just recently downloaded to prepare for my CISSP and CISA exams. I didn't save the links in bookmarks, and I therefore had no idea how to find them again. Google didn't help here.

Since there were no explicit signs before this crash, I was curious about why this could happen, at that time, and in that way. After checking the official specification of the dead hard disk, a Hitachi Travelstar 5K80, I realised that it had just reached the end of its lifetime, given how it was used in the past years. As per this specification,

"Service life of the drive is approximately 5 years or 20,000 power on hours, which comes first, under the following assumptions:

• Less than 333 power on hours per month.
• Seeking/Writing/Reading operation is less than 20% of power on hours."

My 5K80 (HTS548080M9AT00) was about 4.5 years old. But I believe the power on hours must be over 333 hours per month (11 hours per day), and the relevant operations should be more than 20% of power on hours. I used the laptop intensively. So basically, the hard disk's quality was very good, it was just too tired, tired to death.

I got a new hard disk last weekend: a Western Digital Scorpio WD2500BEVE, 250 GB, 5400 RPM, at A$135. It is rich in capacity compared with the 80 GB of the 5K80. But it seems that this model is not that good in quality, according to the reviews directly from the end users. Bad sectors and heat issues are the major problems. The shame is: I learned this after I bought the disk. Probably I am too sensitive now, as I have heard some kind of symbolic sounds (scratching and clicking) while writing this post. According to DataCent, they are the signs of unreadable bad sectors. My God!

Nevertheless, here are a few very useful links from where I learned the lessons.

DataCent - Professional Data Recovery

This site gives comprehensive information regarding common issues and recovery approaches for most hard disks available on the market. It also gives recordings of disk sounds to help you understand different problems and situations.

New Egg - The most loved and trusted marketplace on the web

An online shopping mall for electronics based in the US. The site offers an easy way to see the comments from end users by rank, date, and your keywords. That would be very important to know the downsides of a product before putting your money in. I love reading the comments from the field, especially those negative comments.

Retrevo - The ultimate electronics marketplace

This site puts the vendor's information (spec, review, user manual, etc.) and 3rd party reviews together. The good thing is: those 3rd party comments are automatically gathered from the Internet, such as blogs, shopping sites, and forums. That would be very convenient for readers to see the real quality a product could offer.

Sunday, August 02, 2009

What is the direction of information security?

In regard to the trend of Information Security, one point of view is that Information Security is moving from the technical domain to the management domain.

Indeed. I agree with this, as generally speaking Security is a management issue; therefore Information Security will eventually move into the management domain.

In the management domain, Security Awareness is the key to making a security program successful. As a result, the relevant awareness policy and/or awareness training will be a direction.

Another direction should be, as always, Standardization in turn to adopt the best practices in the management domain in varied industries.

The above are just my two cents.

How important are standards and certificates?

At first, I would say, theoretically, certificates are not that important for designing a secure infrastructure, as a certificate is just a kind of official document confirming some facts such as competence of an individual or an organization. In other words, it is optional.

Of course, however, digital certificates are essential for building a secure infrastructure. We know that is another story. :-))

In regard to the role of standards in designing a secure infrastructure, I would say it is not only important, it is essential, as standards are the best practices that have been widely recognized and well proven by authorities and experts all over the world. Standards tell people how to do the right thing in the right way.

Basically, standards are the essence of knowledge.

Therefore, the best practice to do something is to follow the standard. The same for designing a secure infrastructure.

What is the biggest security threat this year?

Someone recently launched a survey on LinkedIn regarding the biggest security threat to an organization this year. The survey listed six options as the answer, including proliferation of mobile devices, adoption of social networking, internal threats, hackers, regulators, and lack of understanding by senior management.

I think none of the above options points out the biggest threat. My point of view is:
Lack of Security Awareness should be the biggest, as it is the root threat of other threats.

We know most organizations already have their security policies in place. Let's talk about why, in reality, people (average users and security professionals) do not always obey the rules people defined in security policies: Lack of Security Awareness.

One CISSP at Microsoft commented in the discussion: "There are two kinds of systems - those that have been compromised and those that will be".

I think it is a good point. This kind of negative consciousness in security is actually a survival technique. People with this kind of awareness can prevent incidents and damage, as awareness is the prime factor to make a security program successful.

Therefore, as I mentioned above, I always believe the biggest threat is not from technical domains, it’s from people’s minds: lack of security awareness, the root threat.

No awareness, no security. Not only for this year, it is permanent.