Month: March 2022

🎯 Fault Tolerance vs. System Resiliency

March 9, 2022

🎯 #CISSP Tips

🎯 Fault Tolerance vs. System Resiliency

🎤 Words have some intrinsic meanings, and based on its genesis (etymology) it inherits certain story/context. Interestingly, at times while language evolves and is conditioned across different cultures, meanings of words also travels in the invisible cosmos of human consciousness, making it a subject of change over times.

📚 CISSP demands the visualisation of definitions in certain context. Take the example of MTTF. MTTF is a rough indication of End-Of-Life of a system. However in CISSP-verse this is taken in the context of “backup tapes” indicating “the number of times a tape can be reused before removing it from the service”. This context confirms the EOL definition, but is more specific. Moreover you get the mental picture in your mind to stick this term with a magnetic tape.

🍀🌻🌴 This is crucial to know the “context” if we wish to pass the exam. Context for the definitions helps you to have a story in mind which keeps the definition alive. If you lose the story, you lose the definition. Think of the definition as a “fish” and the story as a nice “aquarium”. You lose the aquarium, you lose the fish. Think again, what mental picture you get when someone speaks BCP, DRP, IRP etc. If you do not get a picture, your definitions is bound to get forgotten over time.

🦠 ✈️ Past few years were all news with COVID and travel restrictions. Coming back to the topic with some relevant example. If you get COVID virus exposed to you and your fitness is intact, it means you have COVID tolerant immunity. However, if you get ill and got recovered, we can say that you have COVID resilient health. Similarly, a twin-engine aeroplane is a fault tolerant system, in a way if one engine fails, other engine will take over. This makes the aeroplane a crash resilient transport in the context of engine failure. You will realise with these examples that system resiliency is dependent on its component’s fault tolerance. I can safely say that resiliency is a function of tolerance.

Resiliency = f (tolerance)

🧮 This makes tolerance an independent variable, without it resiliency will not be possible. This interdependence is something I came up with and you can comment if you feel some example of tolerance free resiliency.

🪐 In CISSP-verse, talking about disks-mirroring is a fault tolerance feature, which will give rise to system resiliency for data availability. You may also think of dual power supply as a power fault tolerant mechanism which will give rise to system resiliency to power outages. I hope this make sense. You can provide feedback if you feel otherwise.

🧎‍♂️Thinking on the same line, a quote just took shape in my mind: You are resilient to self destruction if you have high tolerance to anger. Think and be cool while preparing CISSP. Happy Learning.

#cissptraining

CVE-2021-44228 – Log4Shell/Log4J

March 5, 2022

🪢 There has always been this tug-of-war between what is “comfortable” vs. what is “healthy”, since ages, and has been more of discussion with technology proliferation in our day to day affairs.

👨🏻‍💻 Software developers, while documenting and logging an application’s physiology, tend to be creative and use “variables” in making the program’s footprint more meaningful.

🤗 This is exciting, I mean how helpful it is to read and refer software logs if it contains useful runtime informations. In simple terms, knowing current directory, resource utilisations etc. while writing a piece of information in software logs bears enormous intelligence.

🎯 Personally I am a fan of using this methodology. I am not a software developer, but used this technique in automating alerts for link latency, resource utilisation using SolarWinds NPM. Back in year 2007-2008 I learned SolarWinds from Rajiv Bahl. I was mesmerised by the innovative approaches he used in using MS Visual Basics in demonstrating resiliency in key network components, animated presentations for packet flow, and most importantly harnessing the power of SolarWinds’s SQL database (in using key tables) in forming SLA reports. I took this inspiration and learning to level next in automating link latency alerts. So the boring latency, flap, jitter alerts were replaced with formally drafted email alerts starting with “Dear Team, I am ROUTERXXX…” and having a body of message embedding key values of troubleshooting importance, being called using SQL queries.

🧞‍♂️ This was magic. When I did this alert automation for call centre links and an automated SMS/Email when latency exceeds 170ms from Sydney to Mumbai; was highly appreciated by service management team. We were more proactive, excellent customer satisfaction, and I secured an “innovation Award” for that quarter.

🧐 When I look back, I see myself so charged with innovation and undermining security challenges it brings home. With CISSP, my lens changed so my frame of reference and I started to think these past memories from a totally new frame of reference. I don’t see it was bad from a security standpoint, but this Log4J, kind of rekindled my past life of using variables and bringing automation-driven intelligence to logging.

📚 The details are already documented here: [https://www.cygenta.co.uk/post/log4shell-in-simple-terms], and I will encourage people to read this excellent piece for a quick understanding.

🧪🔬 Using variables gives great power and ease. It make us use information in more intelligent way saving huge time and effort, but this ease comes at the cost of misusing these variable driven intelligence mechanism.

Log4J/Log4Shell is a classical example of this paradox we are faced with. Some enjoy ease and innovations, other enjoy exploitation and evil; and some stands guarding the castle. This is IT and every one enjoys what they love the most.

#security #log4j #log4jvulnerability #cissp #ccsp #solarwinds #grc #technology