You are on page 1of 16

Assuring Reliable and Secure IT

Services
Chapter 6

Availability Math
Availability of components in series

Five Components in Series (each 98% Available)

Component 1

Component 2

Component 3

Component 4

Component 5

98%
availability

98%
availability

98%
availability

98%
availability

98%
availability

.98 x .98 x .98 x .98 x .98 = service availability of 90%

Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.

Combining Components in Series Decreases Overall Availability


100%
90%
80%

Availability

70%
60%
50%
40%
30%
20%
10%
0%

Number of Components In Series (each 98% available)


Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.
Chapter 6 Figure 6-2

Five Components in Parallel (each 98% Available)

Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL:
McGraw-Hill/Irwin, 2002.

Redundancy Increases Overall Availability


100.0%

Availability

99.5%

99.0%

98.5%

98.0%
1

10

Number of Components In Parallel (each 98% available)


Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.
Chapter 6 Figure 6-4

High-availability Facilities

Uninterruptible electric power delivery


Physical security
Climate control and fire suppression
Network connectivity
Help desk and incident response procedures

A Representative E-Commerce Infrastructure


Policy
Server 1

Policy
Server 2

Application
Server 1

Application
Server 2

Internet

Firewall 1
Router

Switch
Firewall 2

Web Server
1

Web Server
2

Database
Server

Disk Array
Source: Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan, Corporate Information Strategy and Management. Burr Ridge, IL: McGraw-Hill/Irwin, 2002.
Chapter 6 Figure 6-5

Classification of Threats
External attacks
Intrusion
Viruses and worms

Normal and DoS Handshakes


Normal Handshake
SYN: Users PC says hello
Web
Users PC

ACK-SYN: Server says Do you want to talk

Website
Server

ACK: Users PC says Yes, lets talk

DoS Handshake
SYN: Users PC says hello repeatedly
Web
Users PC

ACK-SYN: Server says Do you want to talk repeatedly

Website
Server

No Response: Users PC waits for server to timeout


Source: Austin, Robert D. "The iPremier Company, The (A), (B), and (C): Denial of Service Attack." Harvard Business School Teaching Note 602-033.

Chapter 6 Figure 6-6

A Distributed Denial of Service Attack


Attacker 1

Attack Leader
Attacker 2
Attacker 3
Attacker 4
Attacker 5
Attacker 6
Attacker 7

Website
Server

Attacker 8
Attack Leader facilitates SYN floods from multiple sources.

Source: Austin, Robert D. "The iPremier Company, The (A), (B), and (C): Denial of Service Attack." Harvard Business School Teaching Note 602-033.

Chapter 6 Figure 6-7

Spoofing
Information Packets
Sender
Address

Destination
Address

Attacker

Target

Address: 12345

Address: 54321

Normal
12345

54321

Target server correctly interprets sender address

Spoofing
Target server incorrectly interprets sender address
90817

54321

Source: Austin, Robert D. "The iPremier Company, The (A), (B), and (C): Denial of Service Attack." Harvard Business School Teaching Note 602-033.

Chapter 6 Figure 6-8

Defensive Measures

Security policies
Firewalls
Authentication
Encryption
Patching and change management
Intrusion detection and network monitoring

A Security Management
Framework

Make deliberate security decisions.


Consider security a moving target.
Practice disciplined change management.
Educate users.
Deploy multilevel technical measures, as
many as you can afford.

Managing Infrastructure Risks:


Consequences and Probabilities

HIGH

High Consequence
Low Probability

High Consequence
High Probability

CRITICAL
Consequences

THREATS
PRIORITIZE
THREATS

Low Consequence
Low Probability
LOW

Low Consequence
High Probability

MINOR
THREATS

0
Source:

Applegate, Lynda M., Robert D. Austin, and F. Warren McFarlan


McGraw - Hill/Irwin, 2002.

Probability
,

Corporate Information Strategy and Management

1
. Burr Ridge, IL:
Chapter 6 Figure 6

Incident Management and


Disaster Recovery
Managing incidents before they occur.

Sound infrastructure design


Disciplined execution of operating procedures
Careful documentation
Established crisis management procedures
Rehearsing incident response

Managing during an incident.


Managing after an incident.