THE CIA TRIAD – THE BASIS OF CYBERSECURITY (AVAILABILITY)

Kip Boyle:          
Hey, welcome to Your Cyber Path. I hope you’re doing good today. My name’s Kip Boyle, I’m here with Jason Dion and it’s time for another episode of Your Cyber Path. Thanks for being here. Christmas. It’s Christmas now.

We’re recording this way in advance, which you’re probably listening to it right on the cusp of Christmas and I don’t have any particular Christmas plans this year. I’m going to stay home and rest because I’ve been all over the place this year.

I see no need to go anywhere, but I know that’s not true for Jason. Jason doesn’t want any chance for MOS to grow around his feet. So I know you’re going somewhere. Tell everybody where you’re going.

Jason Dion:        
Now you sound like my wife. She’s always giving me hassle about the fact that I like to travel too much. I do love traveling. Yeah. So we actually do have Christmas plans. So I’m spending the entire month down here in Puerto Rico for December and then we are actually taking a cruise out of Puerto Rico to San Juan to do a Southern Caribbean cruise.

So we’re going to go down to Aruba and Carousel and Bonaire and a couple other places on the NCL Epic is the cruise ship we’re going on out of San Juan and we leave on the 23rd, which is right now, if you are listening to this episode as it came out, it came out on December 23rd.

So I’m on a cruise ship right now, not really as I’m talking to you, but when the episode drops I’ll be on the cruise ship and it’s a week long cruise. So I’ll get back the day before the new year and then I’ll be spending some more time down in Puerto Rico. But yeah, I love cruising.

We were talking before the show and I found out that Kip here has never been on a cruise and that just surprised me because I love cruising. I go quite a bit and I used to actually work on cruise ships. That’s actually one of my first professional IT jobs. I used to run networks on cruise ships for Carnival and Royal Caribbean.

And so I spent about three years on cruise ships and then I joined the Navy and did that for a long time. And then I have retired from the Navy and now I do this in my training company and things like that. And I still love-

Kip Boyle:          
And you continue to go on cruise still.

Jason Dion:        
… cruising as much as I can, but I love it. So yeah, to me it’s one of the best ways of traveling and it’s a very affordable way of traveling in general. When we had young kids, we used to love going because you would pay more for a hotel on land than you would for a cruise for a week.

And that cruise includes your food, your travel, your entertainment. They kids club. They have basically summer camp for the kids on board and all sorts of stuff. And it’s just a great way to travel. In my opinion, I love it. So that’s where I’ll be for Christmas.

Kip Boyle:          
Okay. So Merry Christmas to you down in the Caribbean where there’s not a flake of snow to be seen. So tell me, people like cruising for different reasons. Is it the buffet? What do you like about it the most?

Jason Dion:        
So a couple of things I really enjoy about cruising, right? One is, it is everything is just done for you. So I don’t have to worry about cooking. I don’t have to worry about cleaning. I don’t have to worry about getting in the car and driving to work.

And then because of my business is so online, I can do it from anywhere. So literally on the cruise ships they have Wi-Fi and so you can pay to have Wi-Fi and internet access and I can work while I’m on the cruise ship if I need to.

In fact, the last cruise I took, which was about four or five months ago, I actually brought my recording kit with me because I had some touchups I had to do on some courses and my team was working on like, “Hey, as we’re editing the course, we need you to resay this line.”

And so I had my recording kit with me and I carried it on and in my state room I was able to record that and send it off and my team could keep working. So for me it’s I can be connected without being fully connected. Whereas when I’m in a hotel, people expect me to be online all the time.

When I’m on a cruise and they’re like, “Oh, you’re on a cruise. We don’t expect you to be online, but when you get back to us, we’re really happy that you did.” So I can still keep base but not be fully involved.

Kip Boyle:          
Okay. So it’s an extended trip on an airplane kind of thing, right? Because when I’m on an airplane, I don’t think I get any of that.

Jason Dion:       
I get so much work done. Yeah. So when I’m on an airplane, I get so much work done. I can do the exact same thing on a cruise. If you don’t want to be connected, don’t buy the internet package and you could just sit in your room and sit on the balcony, look at the waves and work on your computer if you want to work or there’s shows, there’s entertainment.

I love comedy so when I go on Carnival, they have a different comedy show every night with live comedians and to me it’s a lot of fun. It’s a great way to get out and I can mix my work and my time off and really kind of take advantage of both while I’m there.

Kip Boyle:          
Well, you’ve given me a lot to think about, but I’m based in Seattle, so if I go on a cruise, it’s probably going to be to Alaska to see if I like it. And then because I mean, it’s an odyssey just to get to Fort Myers from here to onboard the boat.

Jason Dion:        
So Tamara and I, we’ve been looking at going to an Alaska cruise. We had one scheduled two years ago, but obviously it got canceled because COVID, nobody was sailing at the time.

So we had it booked and then 2020 happened, cruises got canceled and when we rebooked we just did a Southern Caribbean one because we were already here and it was easier to get to out of Orlando or Puerto Rico is much easier to get to the Caribbean obviously. Being that Puerto Rico is in the Caribbean, it makes it really easy.

Kip Boyle:          
Totally.

Jason Dion:        
So we do plan on going back out to Alaska. So in 2023 we’re going to go to Alaska and we’re going to have to make sure that you and Mrs. Boyle join us.

Kip Boyle:          
Okay, now you’re talking. All right. All right. On that note, people are probably sick of hearing us talk about cruising. Why are we really here? We’re going to talk about availability. The availability to cruises.

Jason Dion:        
Yeah. So not the availability of cruises, but if you want cruising, let me know. I can help you out. I got a guy. So yeah, we’re here on episode 86. So if you go to yourcyberpath.com/86, you’ll be able to see the show notes for this episode as we go through it. And what we are going to be talking about today is the third part of the CIA triad.

And this is the A in CIA. And this is the availability. So we talk about availability, we’re really going to be focused on how does this work in the real world, What are some things you should be thinking about from an availability perspective? Why is this considered something in the cyber security world you should even be worried about.

Because confidentiality and integrity, those really make sense in the cyber security world. I need this confidentiality, I need to encrypt this thing, I need integrity, I want to hash it. But when it comes to availability, a lot of people are like, why is that important to cybersecurity?

And so we’ll talk about that as well and then we’ll talk about some keywords you should associate with availability. And then we’re going to go into our mock interviews and see if we’ll play stump the champ with Kip and Jason and see if we can stuck each other with some questions.

Kip Boyle:          
Stump the geek.

Jason Dion:       
There you go. So to start out, let’s talk about what is availability. Kip, What is your definition of availability?

Kip Boyle:          
So I think of availability as when I would like to use a system, it’s there waiting for me. If I want to submit a transaction or if I want to purchase something or if I want to retrieve some information, the moment I hit the send button, I want something coming back from that site either saying I’m working on it, hang on, or ideally here’s the answer.

And I don’t want to have to wait for very long. And I certainly don’t want to show up to a website that gives me a 404 error or something like that that says, “Hey, we’re offline. Can’t help you. Sorry.” So just as a person living my life, that’s how I think of availability a lot.

Jason Dion:       
Yeah, I think that’s a great example. I mentioned earlier, you can go to our website yourcyberpath.com to get the show notes. The availability of that means that no matter what time of day you want to go look at that, if you go to yourcyberpath.com, it should be up and running and delivering information.

Kip Boyle:          
Even on Christmas Day.

Jason Dion:        
Even on Christmas. It works 24/7, 365, unlike us.

Kip Boyle:          
Exactly.

Jason Dion:        
And because of that availability, it always has to be online and available when you go to get it, but it doesn’t necessarily have to be confidential and it doesn’t necessarily have to have integrity. For example, if I go to yourcyberpath.com, everything on that front page is fully open for anybody to access.

They don’t need a username, they don’t need a password, they don’t need to put in a credit card, they can just go and get all that great free content. No problem at all. That is because we have availability, but we don’t necessarily have confidentiality because all publicly available.

Now there are some things that are held behind a paywall. For instance our YCP, Your Cyber Path Pro program, which is our mentorship program that is behind a paywall. And so if you want access to that, you have to put in your username and password, you have to authenticate with us and then you’ll be able to get access.

But even once you do that, you want 100% availability once you’re in that system. And so availability is all about making sure the system is up and ready to do what it’s supposed to do.

Kip Boyle:          
Yeah, and it’s interesting because when you said, “Oh, what does availability have to do with cybersecurity?” Well, I think one of the reasons why people think that is because that’s what IT people get beat up about all the time is when a system’s unavailable, that’s where IT people are cringing because that’s like all they care about.

It seems like whenever I work with infrastructure people, it’s always about availability. And quite frankly, I think they do. On the whole, I think IT does a great job of keeping things available because they really get beat up when things are not available.

And so they’ve really learned that that’s important. And so I find I’m talking about confidentiality and integrity a lot and I really don’t need to tell them about the importance of availability.

Jason Dion:       
Yeah. When we talk about availability, it really is focused on this IT operations side, but the reason why we’re talking it about cyber security is because it still is so critical to what we do. Because if that system is offline, it doesn’t matter how secure it is, it doesn’t matter how well you’ve encrypted the files, it doesn’t matter how much integrity you have.

If I can’t access it, it does mean no good. For instance, I used to always use this example when I worked with the DOD and the military folks.

You can have this top secret piece of information and you want to make sure it’s confidential and I can take that offline, I can print it out, put it in a desk drawer, lock it up, put it into a locked room, put it in a safe inside that locked room, put that locked room inside of a locked building and have guards or anything else.

And I can put layers and layers and layers and layers upon stuff. But if I locked the front door and lost the key and can’t get in to get that document when I need it, it does mean no good.

And so availability is making sure you have access to that information if you properly supposed to because you’ve been authenticated, because you have identified yourself, because you have the key based on encryption and all those other things. And so that’s really what we’re going to be focused on here when we talk about availability.

The other thing that I really think about with availability, especially as a CEO of a company, is how do I keep my business running? Because availability is really focused on that. And so in my world, I run an e-commerce website that sells training and vouchers and things like that.

I want that stuff to have good integrity. I want it to have good confidentiality, but I need it to have good availability. Because if my site is offline, you can’t put in your credit card, I can’t take your money and neither of us is happy because I want your money and you want my products.

Hopefully, right? That’s what it comes down to. And so as a business, I need to figure out how am I going to build availability into my system. So this brings us into our real life part of this episode, which is when you think about real life availability, what are some of the things that you’re thinking about, Kip, as a CIO and a CSO?

Kip Boyle:          
Yeah. Well, certainly if I am working for an organization that has the commerce on the internet, it’s the same as what you just said. No uptime means no revenue and that’s a big frowny face for everybody. So that’s really important. Now if I’m a part of an organization that doesn’t really sell stuff online, let’s say healthcare.

I mean, I really don’t sell on healthcare. I might book appointments. Somebody might do a self-help appointment. So I would want availability for that. Mostly in the healthcare space, I think what I want availability for is his health records.

So that when somebody shows up for an appointment, that I can retrieve their record and that I could see what’s their situation. If I’m a physician, I want to see what’s their current medication list. I want to know if there’s any new diagnosis that somebody else has made that I haven’t seen yet.

And that’s why ransomware attacks are so devastating for healthcare because it takes these health systems offline. You can’t see patient’s records. You can’t look at their appointments. They show up, “Hi, I’m here for my appointment.”

And you’re like, “Yeah, course you are,” but I don’t know that because I can’t see the patient schedules anyway. Anyway, but it’s really going to depend on what kind of organization you work at and that’s really going to drive how you think about availability.

Jason Dion:       
Yeah, I think that’s a great point. And what I was thinking about when you mentioned healthcare was, yeah, we need availability. But in that case, you also need confidentiality because HIPAA rules apply to those medical records.

And so it’s important to realize that when we talk about the CIA triad, we’re covering each one individually as we go through these episodes that we’ve been doing as a series of episodes, but they don’t work in isolation. Availability is important, but so is confidentiality.

And for each system you’re going to decide how much of each is important. In my case, if I’m doing a public facing website, I care much more about the fact that I have availability, that the site is up and that there’s integrity, that nobody has gone in there and defaced my website, that I do about confidentiality. Confidentiality’s a very small piece of it for me. On the other hand-

Kip Boyle:          
You’re willing to give up confidentiality if push comes to shove.

Jason Dion:        
Yes.

Kip Boyle:          
So you can have the other things.

Jason Dion:        
Most certainly. And these are choices we make as cyber security analysts, as cyber security engineers and as CISOs or physios in the field. So these are the things you have to think about as you start thinking about where do I place my money? Where do I place my priority as I’m building out the system?

Kip Boyle:          
Yeah. And healthcare is really challenging because if these health records don’t have integrity, then you might give somebody the wrong dose of a medicine, right?

Jason Dion:      
Yeah.

Kip Boyle:          
If they’re supposed to get 50 milligrams, but the integrity is wrong and it says 500 milligrams, you could kill them.

Jason Dion:       
Exactly. And that’s a huge deal. And so in that case, we would want to place a little bit higher on the integrity than maybe availability, but we also don’t want a low availability because we need to be able to read that record to be able to see that it said-

Kip Boyle:          
So it’s really demanding in a healthcare environment.

Jason Dion:        
It really is. And so you got to think about those as you think about what organization you’re in. And this goes back to the concept of being able to do a business impact analysis. And we’ll talk a little bit more about that later, but I know there’s something you do all the time as a CISO.

When you come into an organization, the first thing you do is go, “Well, let me figure out what’s important to this organization based on their business model.” Because every business is different and you have to know what that is to be able to support them better. So that’s kind of some background in the real world of this availability thing.

Some other things I think about with availability is my company, we have two places that we’re working out of this year. We have Puerto Rico and we have Orlando, Florida. Both of those tend to be in an area that gets shwacked by hurricanes. And so-

Kip Boyle:          
Shwacked. Wow. Is that the word of the year? I hadn’t heard that yet.

Jason Dion:      
You haven’t heard of that? Oh, sorry, that’s that’s an old Navy thing that we used to talk about. But yeah, so they get hit up pretty badly by hurricanes. This year is a great example of that. I was down in Puerto Rico and we had a hurricane come through. I flew up to Orlando two weeks later and we had a hurricane go through Orlando.

So the hurricanes just were following me around apparently in September and October. And between Fiona and Ian, both areas got hit. And so as a CEO for an organization that runs an e-commerce business, out of these two areas that are prone to hurricanes, I have to think about things like power redundancy, network redundancy, heating and cooling redundancy.

Making sure that if the site in Puerto Rico goes down, we can continue to do operations by shifting up to Orlando. And if that goes down, I have to shift it someplace else. And how are we going to do all that business continuity stuff, whether we’re using hot sites and warm sites and cold sites and business continuity and business interruption insurance and multiple interconnections and all that stuff all goes into this idea of availability.

And so that’s really what we’re going to be focused on as we go through this topic today. And that brings us to our second kind of key part of this discussion, which is when you’re taking a certification exam where you’re studying for a certification, what are words that are kind of go along with availability?

And these are kind of the key words that I usually use when I’m talking to my students. I talk about availability in terms of redundancy, in terms of failover, in terms of business continuity and disaster recovery. And all of those terms all fit into this A of CIA of availability. Anything I’m missing there? I think I got them all.

Kip Boyle:          
I think at eye level, you’re absolutely correct. That word redundancy is going to come up over and over and over again in the IT space because you can have redundant servers, you can have redundant network connections, you can have redundant power supplies, redundant network interface cards.

You can get redundant like crazy in the IT space, redundant internet connections, on and on and on and on. So that’s the only thing that I would just say is that if we unpack that word, we could spend the whole episode.

Jason Dion:        
Oh yeah, definitely. And the big thing you have to remember for you guys in the audience that are listening to us is that when it comes to availability, it is not an all or nothing thing. And sometimes you’re going to be making choices based on the designers of your system, either the limitations you have or the limitations you’re going to accept because you’re willing to accept those limitations for a lower cost.

And as we go into some of these interview questions, we’ll kind of tee some of those out so you’ll see what I’m talking about. But a lot of times you can’t afford to be 100% redundant on every single thing. I think about my family right now, we have one car in our family.

And so if that car doesn’t work or it’s in the shop, we have zero cars, so we have zero redundancy. But that was a decision we made as a family that we were okay with. And the reason for that is we know that we’re currently in an area where we have taxis, we have Uber, we have Lyft.

And so if my car’s in the shop and I need to Uber around for the next three days, it’s not a huge deal and it’s cheaper to do that than it is to buy a second car for 20, 30, 40, $50,000. And so that was a choice we made as a family. But if we both went to different jobs each day, having one car wouldn’t work.

We would have to have two cars and maybe a third as a spare in case one broke down. And so these are the things you have to think about. And the same thing happens in our cybersecurity businesses and the way that we build our networks is sometimes it’s cheaper to not have redundancy, but that’s not always the best answer.

Saving money’s not always the best answer, but it can be. And it depends on what you are putting into it and what is your business doing and what can you afford to do, right? Because some components you want redundancy, it may be a $50,000 component, you just don’t have an extra $50,000 to put it in the closet waiting in case the first one breaks.

Kip Boyle:          
And funny you would say that because when we were doing show prep, that’s exactly what you were saying, that you worked in a very larger organization and there was a $50,000 single point of failure and y’all had to decide, okay, how are we going to deal with this?

Because if it goes down, we can’t have it down forever. So are we going to buy another $50,000 thing to just sit there and just wait in case or something else? What did you guys do?

Jason Dion:      
Yeah. So in that case, this was back when I was probably 10, 15 years ago, I was running a very large network operations center and security operations center for the military in the Middle East and we had about 10, 15,000 users across multiple countries. And all of that data went through a single premise router, which was basically the farthest edge point before we touched the internet.

And so if that router went down the entire everything behind it, we could still operate inside of the network, but we couldn’t get out to the internet, we couldn’t communicate with our partners and things like that. When we looked at it, that device was about a $50,000 router.

And so we had a couple of choices. We could choose to take that router and have a second one and have them in a dual configuration so that they both have a connection out to the internet and we do half this way and half that way and if one fails, we’ll push it over to the other way.

And that way we had some redundancy. Ultimately they decided not to engineer it that way because of the cost. The other thing you could have done was the single rider on the network and then had a spare sitting in the closet. So if the main one went down, you could just go to the closet, grab that old one, load up the configurations and have a takeover.

Ultimately they decide not to do that again because of the cost. It was another $50,000 for a piece of equipment that you may not use. Instead, what we ended up doing was we had a contract with the manufacturer of that particular router, which in our case was Cisco. And we had a contract for a warranty and repair that was a four hour response time.

So if my device died, they had four hours to get a technician and a device on site, have it installed and ready to go. So by four to five hours we were back online. That was the decision we ended up going with because the cost for that was significantly less than having our own extra router sitting around.

And when we did our business impact analysis, we determined that we could live without a connection to the internet for four to eight hours. So that four hour warranty was a good solution instead of having this router sitting there that wasn’t being used in the process.

Kip Boyle:          
And then eventually the router in production and that spare would go obsolete.

Jason Dion:        
Right. Because every three to four years you have to replace it with a newer model that supports the latest firmware and the latest-

Kip Boyle:          
So even if you never busted it out of it’s shipping container?

Jason Dion:        
Yup. You spent $50,000 just to have it on the shelf just in case. And so these are the kind of things you have to think about when you’re building up availability in your networks and in your business.

Kip Boyle:          
Right. Right. Yeah.

Jason Dion:       
So I think the next thing we’re going to do is we’re going to talk a little bit about interview questions here. So we’re going to pretend-

Kip Boyle:          
I can’t wait for you to pitch me technical questions that I can’t quite handle.

Jason Dion:       
I’ll be nice today, okay? I’m going to keep it at the high level for you because you are a C-suite executive and I should be nice to you that way.

Kip Boyle:          
I do not mind getting skewed as long as our audience benefits.

Jason Dion:        
As long as they learn something, right?

Kip Boyle:          
Yeah.

Jason Dion:       
And if you’re wondering why Kip is saying that, go back to last week’s episode and listen to me skewer him-

Kip Boyle:          
Or the week before.

Jason Dion:        
… on issues about integrity.

Kip Boyle:          
Or confidentiality too. You pitched some interesting questions there as well. Now I’m no dummy. I understand how this stuff works at a high level and once upon a time I knew all the details as well, but nobody expects me to know that anymore.

It’s not part of my job description. And if I do need that information, I can either look it up real quickly or I’ve got some folks that work for me who can show up and represent like nobody’s business.

Jason Dion:        
Exactly. And I think that’s important because I get a lot of people that… I teach people from extremely entry level, brand new to the industry, to people who are going for their CASP+ and have five to 10 years of experience. And as I’m teaching, it’s important to realize where you are in your career and what you need to know.

Because I have a lot of people who come in, they go, “There’s just so much information, how can I know it all?” And they look at somebody like Kip and they think he must know everything. He’s been doing this for 20, 25 years. Well, yes, but the things that you did 10, 15, 20 years ago, either you don’t do those anymore because you’re at a higher level or those things don’t even exist.

I think back to some of the things that I did in terms of reliability and availability back in 2000 and 2005 and 2010 and those things, we wouldn’t do those nowadays because we have things like cloud infrastructure and it’s so much cheaper to do it that way than it is to have a fully built out redundant system for my company.

Kip Boyle:          
Oh, absolutely.

Jason Dion:       
And so these are the things you have to think about as well as you’re going through your career of what level do I need? And there are going to be things that you’re going to forget over time because you just aren’t doing it every day. I used to program 15 languages. These days, I’m not a programmer.

I have plenty of guys on my team that are, and those guys and gals on my team that do programming, they do an excellent job. And if I have to debug their code, we’ve got problems. Because I’m just not that good anymore. I can read it, I can follow along, I can talk to that at a high level, but down at the basics, that’s just not me.

Kip Boyle:          
And importantly, in terms of delegation, and this is something as you go through your career, you need to understand this, right? You need to be focused on doing the things that only you can do and you need to be delegating the rest.

And that’s where Jason and I have both gotten in our working lives where there’s just some things that we do that nobody else can possibly do them, it can’t be delegated. And so we have to clear our plate and we need other people and that actually creates opportunities for you.

Jason Dion:        
Yeah, most definitely. So yeah, as I said, we’re going to jump into a couple of interview questions here.

I’m going to play hiring manager and ask Kip first, and then he’s going to return the favor and try to play stump the chump with Jason on the other side. And I’ll be the chump.

Kip Boyle:          
Let’s do it. That’s okay.

Jason Dion:       
All right. So I’m the hiring major. Thank you for joining us today, Kip. I’m glad you’re able to come in. So I’m hiring for a position as the CTO for Dion Training and we’re located down here in Puerto Rico.

So I want you to tell me what kind of things would you do to provide us with better availability for our systems to make sure that we can continue to operate even if something bad happens like an earthquake, a fire, a flood, a hurricane, because we’ve had all those things happen in Puerto Rico over the last couple years?

Kip Boyle:          
Right. Right. And I’ve seen things mentioned on the news, power outages and that sort of thing. So yeah, this is such an important question for you to have a great answer for. What I find is that a business impact analysis is really the first step to understanding how to provide Dion Training with better availability.

Because the solutions that you’re going to want are going to vary depending on the specific threats that you’re facing. And I can tell you as somebody who lives in Seattle, we don’t have to prepare for hurricanes, but we do have a risk of earthquake and volcano.

So the things that I would do here if Dion Training was located in Seattle would be different than what I would do for you given that you’re in Puerto Rico. So a business impact analysis would be the way to go.

And generally at the high level, what that consists of is identifying your assets and then looking at the threats to those assets, the specific threats based on where those assets are located. And then from that would come some solutions. And really I think that’s the way to approach it, Jason.

Jason Dion:        
Yeah, I think that’s a great answer.

Kip Boyle:          
End scene.

Jason Dion:       
Yes, end scene. Sorry, I was never a drama student. I don’t have to end scene.

Kip Boyle:          
me either, but I like making fun of that.

Jason Dion:       
Yeah. So for those of you listening in the audience, I want to point out that Kip’s answer is a great answer, especially for that level. So we were talking at the CTO, CSO, CIO level, really they’re going to be focused on BIAs, which is business impact analysis. You’re going to identify what is the company doing, what things happen for different processes in the organization?

So for instance, Kip coming in from the outside, he has no idea if we’re running Linux systems or Unix systems or Windows systems. He has no idea if we’re doing on-premise versus cloud or any of that stuff. So for him to be making an assumption that, oh, well, I’m just assuming you guys are in the cloud, even though we’re not, or if you’re in the prem, even though you’re not.

That would be a bad way to take that interview question. So I like how he kept it very, very high level and said, first thing I would do is I would figure out what you’re doing, why you’re doing it and how I can best add value to that thing. And that’s really what we’re talking about there.

So I think that’s really good. And then we’re going to kind of switch gears here for the other two questions and go a little bit more technical because that’s probably where most of you in the audience are at, where you’re going for a cyber security engineer job or an analyst job or an IT auditor job or a pen tester or one of these more technical type certs.

So we’ll go ahead and flip the roles here. And Kip is now going to be the hiring manager and Jason is going to be the champ getting asked the question.

Kip Boyle:          
Yes. So I’m going to put my hiring manager hat on right now and I’m going to say, Jason, thanks so much for spending some time with me. I really enjoy the opportunity to get to know you better and learn a little bit more about your capabilities. I want to ask you a question in the area of availability.

So could you tell me, what’s the difference between redundant components ready spares, or maybe having a warranty in place for a device that might fail? I mean, just can you explain to me how those different options work?

Jason Dion:       
Yeah. So when it comes to availability, there is lots of different things for us to consider and we have different availability or redundancy that can happen at different levels of our organization. So let’s take your gateway router as an example.

You may only have a single gateway router, but even inside that router at the gateway, it’s a single device, but it has redundant components inside of it. Any gateway router is normally going to have dual power supplies. So if one power supply dies, the other one can still carry the load while you can then go and replace the power supply that’s down.

To make that work though, you do have to have it attached to redundant power. And a lot of organizations don’t have redundant power. So in this case, you may have two different universal power supplies or one going through a search suppressor and one going through a UPS.

And if you’re lucky and you’ve built your facility in the right place, you may even have two power supplies coming in from two different power grids, one from your local power company and one from another.

Kip Boyle:          
I’m sorry, you said something, I don’t know what it is. What’s an UPS?

Jason Dion:       
An UPS is an uninterruptible power supply.

Kip Boyle:          
Oh, right. Okay, sorry. Sorry, keep going.

Jason Dion:       
Yeah. So we talk about redundant components and we talk about redundant power specifically. You’d have two different power supplies in this single router and then that would connect to two different power sources, whether it’s a battery backup, a generator or search suppressor, whatever it is.

In addition to that, you’re going to have multiple other redundant components such as multiple network interface cards. So you have two connections, and so if one dies, you have the other one that can still hold the load and you can do this across multiple different components in that one router or that one chassis.

Now in addition to that, if you want to take it a step further, you can also have a ready spare. Now ready spare is an additional router and you’re going to have the full cost of that router and it really isn’t even on the network. It’s sitting in a closet, usually.

And this means that when this router dies in your rack, you don’t have to wait for another one to be shipped in from Amazon or Google or whoever it is that you’re sending it to you. You can just go to the closet, grab it, put it into the rack, load the configurations and turn it back on so we can get up and running a lot faster.

This is very similar to using something like a warm site instead of a hot site mentality where you have the components, so you just need to plug them in and configure them. And then the third way you can do it is you can move into just having a warranty in place or a replacement plan in place.

And this is what I’ve done in some of my other organizations for very high priced equipment. Essentially this all goes back to your business impact analysis and what is your downtime that you can experience as an allowable downtime.

If you have an allowable down time of four hours, you can have a warranty in place with your manufacturer that says within four hours they’re going to fly you out a new router and a technician to install it. Or it may be a two day thing or it may a seven day thing.

It just depends on what your organization needs in terms of your availability based on your business case. And as you move from redundant devices to redundant components, to ready spares, to having a warranty in place, you do have a difference in cost on this. And so it all does depend on your budget and what you’re willing to spend towards it.

Kip Boyle:          
Jason, that was a very thorough answer. Thank you.

Jason Dion:       
It’s probably a little too long actually, I think I’ve been on it enough. But other than that, I think it was good one.

Kip Boyle:          
It was very thorough.

Jason Dion:        
Yeah, thorough means long. Yes. All right. Now I get-

Kip Boyle:          
I mean, if you were teaching somebody a certification, you’d be on point.

Jason Dion:        
Yes. All right. So I’m going to go ahead and give you another one, Kip. We’ll see how handle this one. You said I like to stump the chump, so I’m going to try to stump you with a technical question.

All right. So Kip, thanks for joining us. How can you prevent a denial-of-service attack from being successful against an e-commerce website like diontraining.com? What would you do?

Kip Boyle:          
Honestly, I would outsource that. I would probably buy a subscription to CloudFlare and yeah, they could worry about that.

Jason Dion:       
That is such a CIO answer. The audience, this is what I’m talking about when we talk about tentacle versus C-suite. Yeah.

Kip Boyle:          
Too tough, man. It’s too tough.

Jason Dion:       
You’re not wrong.

Kip Boyle:          
My toes are aching just thinking about it.

Jason Dion:       
So yeah, denial service is a hard one, right?

Kip Boyle:          
It’s super hard.

Jason Dion:        
You can outsource this to something like CloudFlare, Akamai, and that’s a good answer. But at the end of the day, what are they doing from a technical perspective? So I’ll cover that. I’m not going to make you jump through hoops right now, Kip. I’ll be-

Kip Boyle:          
Okay, good. All right. I’ll just take a between and I’ll listen to you.

Jason Dion:        
Yeah. So how would I prevent a denial-of-service attack from being successful against an e-commerce website? Well, I would use something like CloudFlare, Akamai, as Kip said, that’s a good thing to use. Both of those have the ability to do denial-of-service protections for you.

But how do they do them? Well, the way they do this is either by using black-holing or they use redundancy, or they use scaling in a cloud infrastructure to be able to overcome the attack. When we talk about black-holing, if you see a bunch of bad traffic coming at you, such as the denial-of-service from a certain IP or IP address range, they can identify that and then block those ranges by sending them to the null interface on their router.

So essentially, if you’re using a service like Akamai or CloudFlare, all the traffic goes from the web to them and them to your web server. And so if they start seeing a bunch of DDoS traffic, distribute denial service traffic, they can then block those and simply route them to the null interface and it goes away and you don’t see it at all. So that’s a good-

Kip Boyle:          
What a minute, what’s a null interface? That sounds innately mathematical.

Jason Dion:       
Yeah. So a null interface is just, it’s actually called the slash null is the interface in a router inside of Cisco routers. You can basically route your traffic wherever you want. And each interface has a name like ETH0, ETH1 for ethernet zero, ethernet one.

One of those is called null, which is essentially just a garbage can. And we call it a blackhole because literally there’s nothing there listening. When you send stuff there it just goes away. It’s gone. It’s like when you’re driving down the street and you want to get rid of that stinky thing in your car, you just throw it out the window.

No, don’t do that. That’s bad. That would be a good one phrase, just start out the window when it disappears. Now, don’t do. But that’s what I’m talking about with black-holing and a null interface.

Kip Boyle:          
Right. Sometimes we call it the Bitbucket.

Jason Dion:        
The Bitbucket, yes, yes. Another way you do this is redundancy. So as an organization, we can have redundant systems. So if I have multiple servers, for instance, let’s say I have five servers and one of them is becoming overloaded, well, I could share the load across the other four and that way they could pick up the slack.

And so if you’re having a DoS, a denial-of-service against a single server, redundancy can help you with that. But if you’re doing a DDoS, distributed denial-of-service, that’s not going to solve it because they’re going to be able to overcome five servers pretty quickly.

And this brings us to what a lot of people do in the cloud world, which is we will just try to scale up or scale out in order to outlast the attack. And that’s what a lot of these cloud providers will do for you as well. Things like CloudFlare, Akamai as well as Amazon, Google and Microsoft, they all have their cloud services.

And so if I’m running my servers on there, all my servers are set up in an elastic cloud configuration, which means that if I have a single server and I have 10 people using it, and now I have 20 people, I’ll actually spin up a second server and I’ll put 10 on each server.

If I have more people, I’ll submit up a third server. Now I have 10, 10 and 10, and I can keep doing that as much as I need to. So because I have infinite scalability, essentially using something like AWS, I can scale outward as much as I need or upward by getting more resources.

There’s a problem with doing this though, and that’s that it costs you a lot of money because all this cloud time doesn’t come free. So if I spin up one server, maybe that’s $5 a month. If I spin up two servers, it’s $10 a month. If I spin up 500 servers, it’s $5,000 a month, whatever it happens to be.

And so if I have to spin up all these servers to take on this additional load and that load is not generating any useful business purpose for me, because it’s not my students trying to access my site. It’s some random DDoS attack. I’m spinning up these servers and I will outlast that attack at some point, but I’m spending a lot of money on compute and network time to be able to service this non-usable data.

And so from a DDoS protection perspective, it will work because I can outlast them hopefully, but I will run up big bills doing it. And so generally I prefer black-holing over using scaling up or scaling out, although all these things can work in tandem if you configure it properly to be able to out-use these DDoS attacks.

Kip Boyle:          
And every now and then we hear about these enormous distributed denial-of-service attacks with these peak terabit per second attacks where there’s a botnet that’s hurling traffic at this website. And Mirai was a big one a few years ago and-

Jason Dion:        
Yes. At four terabytes I think or something like that per second. It was tremendously huge.

Kip Boyle:          
Yeah. And it’s getting worse and worse and worse. So I mean, yeah, I was being a little silly about outsourcing, but really I think you’ve made the technical case that the size of denial service attacks that we can produce today could quickly overwhelm anybody’s ability to deal with it except for these organizations that are specifically dedicated to deal with it.

Jason Dion:      
Exactly. And for that reason, I think that it’s a great way of going. And then the last interview question I wanted to quickly cover would be if you could ask something like what kind of things could you do to increase the availability of our organization in terms of power or connections or something like that?

You should have a response for that. So if we talk about power, that means we want to make sure we’re setting up our server room in our data center by having the server. We have UPS’s inside the rack that provides power to those servers, but that usually lasts between 15 and 30 minutes.

In addition to that, you may have a entire rack that serves as a large UPS or battery backup for all the racks in that side. In addition to that, you also would have things like a diesel generator or a propane generator that can take the load if you lose power.

And so really your UPS and your battery backups are there to cover the transition time. Because if you’ve never dealt with generators before, and a lot of people don’t always probably never had to deal with a generator, if you lose power, it takes about 60 to 90 seconds for that generator to turn on, spin up, get up to speed and be ready to power at 60 hertz that your servers need.

And so you need something to cover that, otherwise your servers will drop and then they’ll all come back up and you don’t want that happening either. And that’s why we have these battery backups initially. And then we switch to the generator for a second.

Kip Boyle:          
And it’s not just an availability issue, the fact that your servers could all drop for 90 seconds. A sudden power loss can damage very expensive computer equipment if you have your own data center.

And so you could actually have the Power Restore and have some of these really expensive servers not spin back up again because some component on a motherboard fried or a hard drive controller is dead forever. So it’s a big deal.

Jason Dion:       
Yeah. And even if it doesn’t fry the actual components, if you’re using a Unix or a Linux system for instance, or even a window system, when you lose power like that and you instantly shut off the computer, it then has to run through check disk to recover all the files and put them back into order because things were open when you shut it down.

And that can take 30 to 60 minutes for it to run through check disc on a several terabyte disc. And so that 92nd outage now just turned into an hour outage because you’re waiting for check dis to finish before the server comes back online. So all those are things you need to think about as well.

And then the other thing is that when power drops like that, it does cause power spikes when the returns. And so that can also fry your equipment. This is a big problem we have in Puerto Rico. I can’t count the number of people whose air conditioners and refrigerators and things like that and TVs have gotten fried because when the power’s restored, you see this spike.

And if they don’t have a whole house search protector, it can destroy the equipment inside the house as well. And then when it comes to network availability, networks is a little bit easier to have multiple connections on. So you can have a router at your edge of your network that has multiple connections.

For instance, in my office, we have a cable link from the cable company, we have a microwave link from a microwave fixed wireless provider, and then we have a cellular backup as well. So if the cable goes down, we switch to microwave.

If microwave goes down, we switch to cellular and each one is a little bit slower than the last, but we can still survive and keep working. And that’s the idea of having redundant network connections across your network that the staff can use.

Kip Boyle:          
Right. Cool. I don’t know, check me, but have we talked availability into the ground at this point?

Jason Dion:        
I think we’ve done a good job and if you guys have any questions out there on availability that we didn’t cover, post them in the comments on our YouTube channel. We’d love to answer them for you. Or you can go to yourcyberpath.com/ask and you can record a message to us and we can take your message and we can respond to it either by email or here on the podcast as well.

And we’d love to hear from you and then see what you guys are thinking. In addition to that, I do want to remind you to go over to yourcyberpath.com where we have the show notes for this episode, which is episode 86 at yourcyberpath.com/86 for episode 86.

And on the main page of yourcyberpath.com, you could sign up for our free newsletter, which is our mentor notes that you’ll get from Kip and I, and you’ll learn lots of great stuff about the cyber security industry and how you can secure your place in it.

Kip Boyle:          
We would love to have you join our list and to be able to benefit from the thoughts that we share with you and nowhere else, right? Mentor notes is just a quiet conversation between you and me.

Jason Dion:        
I like that. A quiet conversation between you, the audience, and Kip.

Kip Boyle:          
Sure.

Jason Dion:       
Because I don’t actually see them until they come out and they end up in my inbox too because I’m subscribed to the mentor notes and I get to read them.

Kip Boyle:          
Tara. Jason’s living by example. I appreciate.

Jason Dion:      
Exactly. And even I even learn things in the mentor notes. Because again, Kip has different experiences than I do and he brings those real life experiences from his consulting work into those mentor notes and shares them with you.

So definitely a great place to get some great tips, tricks and information. So that said, thanks again for joining us for another episode of Your Cyber Path and we will see you next time.

Kip Boyle:          
Merry Christmas and Happy New Year.