In today's lesson, I'll discuss availability. By the end of the lesson, you'll be able to understand what availability is, you'll be able to discuss why availability or how availability is achieved, and discuss through example how it is applied in information security. Let's talk about FIPS one more time. The US federal government special publication, outlines security categorization for Federal Information and Information systems. So, we break down that categorization into types or categories of information. So, it's also based off of FISMA compliance, which is the Federal Information Security Modernization Act. So, it's an ever changing document that outlines how we achieve security. And it's a pretty good guideline that we can not only follow in industry but in really any sort of setting, whether this be higher education, whether it be health care, whether it's the government. They're great standards because they've been vetted many, many times. The definition of availability according to Title 44 of the US Code, is ensuring timely and reliable access to and the use of information. So, in layman's terms, the ability to ensure systems remain available and functioning. So, you may have heard, when we talk about the CIA triad, the A stands for availability but other uses have also stood for the letter A such as accountability. In these few lessons, we're going to be talking about just the availability part and not accountability like you may have heard before. So, in layman's terms it's making sure systems are available. So, how does this apply? How do we use this term? So, each time we discuss an IT service or system and assess security, we must look at these three principles. So, if we go back to the FIPS 199 regulations and the publication, we look at availability or the loss thereof. Loss of availability is the disruption of access to, or use of information or an information system. So again, in layman's terms, basically, you need access to data.
Think about the internet connection. What happens if your computer that you're currently watching these videos on goes down? What if there's a catastrophic virus that wipes out a system? Is that availability, if we only have one of something? So, let's talk about some examples to help you understand what availability really is. Healthcare information. The duty is to keep information available in case it is needed. There's regulations built in to say in case we actually need this data, we need to have access to it. So, think about a doctor's office. Or if something happens to you and you get hurt and you're allergic to some kind of medication. Do you want the hospital to know that you have this allergy? Well, of course. But what if you don't get access to it? The healthcare, as we've talked before, the healthcare industry is very locked down here in the US. Where we have to protect patient information. And if that means encrypting information for confidentiality, then that's what it means. But we still need to have some kind of access. Some way to get into that data if something happens. So, example two. So, these are not so common sense to some people. So, availability could be used for the case of backups and redundancy. For example, on the university, we run four data centers. Where do you think the information is stored? Do you think it's only stored in one? What happens if that one data center if we had information only stored in there were to, I don't know, we had a power outage, data got corrupted. Databases don't like power being ripped out from underneath the server. It could corrupt the database. So, in order to look at how we're protecting that data, we need to make sure that that data is available in more than one place. What about other backups? How do we store data? For example, and I believe I mentioned this in a previous lesson, is if you only have one backup, is it really a backup? What happens to more than that one backup if it's lost? 
So, examples of everyday use. RAID. RAID stands for redundant array of inexpensive disks. This is built into a lot of high end servers. This is built into data centers where we have different RAID levels depending on how much we need that data to be available. So, for example, RAID 1, which is mirroring the data, says that we're going to have one copy and we're going to back it up and we're going to write to the second copy at the same time. Which is okay except you only have one failure. If you lose that other failure, then you're toast. Okay? Or like RAID 5, for example, means that we have several disks and use one stripe the data, and over all those disks and we can reconstruct that data over all those disks in case one of those goes down. So, we keep like five for example. So, if we have five disks, we can use four of them for a RAID array and keep one as a spare in case we need to. Server clustering. Server clustering is used all over the place. Think of how you get to Coursera. I guarantee you, and I'm not sure how actually Coursera balances their data out, but you're going to different data centers all around the world depending on where they decide to store that data. So, if I write to the data here in Colorado, that data might be mirrored in a data center in New York, for example, or maybe London or Paris. Amazon Web Services is a good example of this as well. Where depending on what region you're coming from, it goes to different data centers. Load balancers are another type of availability where we can basically say if one server is down, go to these others. So, availability comes into information security and it says, if this data is no longer available, am I going to be able to access it somewhere else? Think about a denial of service attack for example. Okay. The denial of service attack, the last major one, happened on October 21st in 2016. So where, a large majority of the United States, the East Coast, was taken out by a denial of service attack.
Well, I bet you if you're here in the US, you knew what that was like because you couldn't access a lot of your websites. We couldn't access Netflix. We couldn't access Amazon. We couldn't access a whole lot of them. Companies, the damage done by the lack of availability because of that attack was almost $10 million a minute. It was astronomical how much business was lost because of that attack. How about the stock market? What happens if we don't have redundancy built into the stock market? What if the stock market isn't available? No matter what country you're from, you probably have a stock market that you can go back to and say, "This is how the economy works in my country." What happens if that key infrastructure just goes down? How many millions of dollars, billions of dollars is lost in case something happens to that infrastructure? What about your bank information? It's the same thing. If there's only one source of data and that source of data is under attack, how do I make sure that I have a good plan in place to dispute it? So, the major failures that we see out of availability could be large scale denial of service attacks. We've seen this with the Mirai botnet. That's what happened in October of 2016. What about fake news? Fake news and availability. If different news agencies are reporting different information that is fake, what happens to the reliability of their network? Do people get upset?
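
The RAID 5 idea mentioned in the lesson (stripe data across several disks and rebuild it when one disk goes down), as an added example that is not part of the original lecture: one XOR parity block per stripe, rotated across the disks. The five-disk layout with all disks active, the 4-byte block size, the function names and the sample record are assumptions made for the illustration.

```python
from functools import reduce

BLOCK = 4  # bytes per block (constructed; tiny so stripes are easy to inspect)

def xor_blocks(blocks):
    """XOR equal-length byte blocks together, byte by byte."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def write_raid5(data: bytes, n_disks: int):
    """Stripe data over n_disks with one rotating parity block per stripe."""
    per_stripe = (n_disks - 1) * BLOCK
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\0")
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
        parity_disk = (n_disks - 1 - s) % n_disks  # rotate parity per stripe
        blocks.insert(parity_disk, xor_blocks(blocks))
        for d in range(n_disks):
            disks[d].append(blocks[d])
    return disks

def rebuild(disks, failed):
    """Recompute every block of the one failed disk from the survivors."""
    lost = [i for i, d in enumerate(disks) if d is None]
    if lost != [failed]:
        raise ValueError("single parity can rebuild exactly one failed disk")
    survivors = [d for d in disks if d is not None]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]

def read_raid5(disks, length):
    """Reassemble the data blocks in order, skipping each stripe's parity."""
    n, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n - 1 - s) % n
        out += b"".join(disks[d][s] for d in range(n) if d != parity_disk)
    return bytes(out[:length])

def demo():
    msg = b"patient allergy record: penicillin"  # constructed sample data
    disks = write_raid5(msg, 5)
    original = disks[2]
    disks[2] = None                 # simulate one disk going down
    disks[2] = rebuild(disks, 2)    # XOR of the four survivors restores it
    return disks[2] == original and read_raid5(disks, len(msg)) == msg
```

Marking a second disk as `None` before calling `rebuild` raises `ValueError`: with a single parity block per stripe, the array survives one disk loss, not two.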