Skip to main content

Posts

PCI DSS

With over 257 billion card transactions for goods and services worldwide, the payment cards (credit or debit cards) serve as one of the most preferable modes of payment. In fact, many surveys show that over 70% people prefer card payments over cash. Payment Card - PCI DSS While alternate modes of payment are catching up (such as IBAN in Europe, UPI in India etc.), the card industry will continue to thrive for several years, on account of its worldwide acceptance, transaction success rate and ease of use. Of course, like all other electronic media, security is of paramount importance when it comes to payment cards. While there is a legal structure for protecting the interests of the card users, the underlying security (both infrastructure and application) is governed by PCI DSS compliance. So what is PCI DSS? It stands for Payment Cards Industry - Data Security Standards. Five different companies Visa, MasterCard, American Express, Discover and JCB International - each of them who alrea...

Database Recovery Strategies

Be it a natural disaster striking your primary data center and obliterating all your databases or some technical error that brings it down, forcing you to consider moving your database to your backup DR (disaster recovery) location, the right disaster recovery strategy would definitely save the day. How do we accomplish this? Well, there are primarily three strategies, you can considering, depending upon your downtime tolerance level: Electronic Vaulting Remote Journaling Remote Mirroring Let us see what each one of them has in store for us: Electronic Vaulting These are essentially bulk transfers wherein the database backups are moved from the primary site to the remote (backup / DR) site via network There is a significant delay between the time you declare a disaster and the time to recover your database backups Entire Backup files are transferred Not suited for hot sites where the recovery should be instantaneous Remote Journaling These are much more frequent and faster than Electro...

RAID

Stands for Redundant Array of Inexpensive Disks (or Redundant array of Independent Disks) It is a data storage virtualization technology that combines multiple physical disk drives into logical units to ensure data redundancy and performance improvement The standard RAID levels including there features and the number of disks that ensure their functionality are : RAID levels Features Number of disks RAID 0 Striping At least 2 RAID 1 Mirroring At least 2 RAID 5 Striping with parity At least 3 but upto 16 RAID 6 Striping with double parity At least 4 RAID 10 Combining mirroring and striping At least 4 RAID types A bit more... RAID 0 : It improves the disk subsystem performance, but it does not provide fault tolerance RAID 1: It uses same disks which both hold the same data. If one disk fails, the other disk continues to operate as usual. RAID 5: It uses three or more disks with the equivalent of one disk holding parity information. If one disk fails, the RAID array will continue to oper...

CISSP - Fagan Inspection Process

Fagan Inspection Process The Fagan Inspection process consists of the following steps: Planning Overview Preparation Meeting Rework Follow-up

CISSP - Bell-LaPadula Model

This was the first formal state machine model developed to protect confidentiality. The Bell-LaPadula model focuses on data confidentiality, unlike Biba model (which focuses on integrity). It is also called "read down, write up" model. This implies trusted subjects may read content below their security level and write content above their security level. Bell-LaPadula Model The model defines two mandatory access control (MAC) rules: The Simple Security Property states that a subject at a given security level may not read an object at a higher security level . The * (star) Security Property states that a subject at a given security level may not write to any object at a lower security level . Limitations Only addresses Confidentiality (out of the three - confidentiality, integrity and availability) Covert channel communication is not addressed comprehensively

CISSP - Biba Model (Biba Integrity Model)

Origin: Published in 1977 at the Mitre Corporation, one year after the Bell La-Padula model. While BLP model addresses Confidentiality (and nothing about Integrity), Biba proposed this model to address Integrity Biba Integrity model describes a set of access control rules that are designed to ensure data integrity. Subjects and Objects are grouped into various ordered levels of integrity. Access modes of Biba Model Modify : This allows a subject to write to an object. In layman parlance, it is equivalent to write mode in other models. Observe : This allows a subject to read an object. This command is synonymous to the read command of other models. Invoke : This allows one subject to communicate with another subject. Execute: This allows a subject to execute an object. The command essentially allows a subject to execute a program which is the object This model is directed towards data integrity (rather than confidentiality). It is also called "read up, write down" model. This...

CISSP - FAR, FRR, CER

What is false acceptance rate? FAR = the percent of unauthorized users incorrectly matched to a valid user's bio metric parameter What is false rejection rate? FRR = the percent of incorrectly rejected valid users What is crossover error rate? The Crossover Error Rate (CER) describes the point where the False Rejection Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system. Moral of the story : As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise.