Data Threats, Cyber threats and Raids

THE MOST COMMON NETWORK SECURITY THREATS

1. Computer virus

We’ve all heard about them, and we all have our fears. For everyday Internet users, computer viruses are one
of the most common threats to cybersecurity. Statistics show that approximately 33% of household computers
are affected with some type of malware, more than half of which are viruses.

Computer viruses are pieces of software that are designed to be spread from one computer to another. They’re
often sent as email attachments or downloaded from specific websites with the intent to infect your computer
— and other computers on your contact list — by using systems on your network. Viruses are known to send
spam, disable your security settings, corrupt and steal data from your computer including personal
information such as passwords, even going as far as to delete everything on your hard drive.

2. Rogue security software

Leveraging the fear of computer viruses, scammers have a found a new way to commit Internet fraud.

Rogue security software is malicious software that mislead users to believe there is a computer virus installed
on their computer or that their security measures are not up to date. Then they offer to install or update users’
security settings. They’ll either ask you to download their program to remove the alleged viruses, or to pay for
a tool. Both cases lead to actual malware being installed on your computer.

3. Trojan horse

Metaphorically, a “Trojan horse” refers to tricking someone into inviting an attacker into a securely protected
area. In computing, it holds a very similar meaning — a Trojan horse, or “Trojan,” is a malicious bit of
attacking code or software that tricks users into running it willingly, by hiding behind a legitimate program.

They spread often by email; it may appear as an email from someone you know, and when you click on the
email and its included attachment, you’ve immediately downloaded malware to your computer. Trojans also
spread when you click on a false advertisement.

Once inside your computer, a Trojan horse can record your passwords by logging keystrokes, hijacking your
webcam, and stealing any sensitive data you may have on your computer.

4. Adware and spyware

By “adware” we consider any software that is designed to track data of your browsing habits and, based on
that, show you advertisements and pop-ups. Adware collects data with your consent — and is even a
legitimate source of income for companies that allow users to try their software for free, but with
advertisements showing while using the software. The adware clause is often hidden in related User
Agreement docs, but it can be checked by carefully reading anything you accept while installing software. The

Data Threats, Cyber threats and Raids

1|Page
Data Threats, Cyber threats and Raids

presence of adware on your computer is noticeable only in those pop-ups, and sometimes it can slow down
your computer’s processor and internet connection speed.

When adware is downloaded without consent, it is considered malicious.

Spyware works similarly to adware, but is installed on your computer without your knowledge. It can contain
keyloggers that record personal information including email addresses, passwords, even credit card numbers,
making it dangerous because of the high risk of identity theft.

5. Computer worm

Computer worms are pieces of malware programs that replicate quickly and spread from one computer to
another. A worm spreads from an infected computer by sending itself to all of the computer’s contacts, then
immediately to the contacts of the other computers.

A worm spreads from an infected computer by sending itself to all of the computer’s contacts,, then
immediately to the contacts of the other computers

Interestingly, they are not always designed to cause harm; there are worms that are made just to spread.
Transmission of worms is also often done by exploiting software vulnerabilities.

6. DOS and DDOS attack

Have you ever found yourself waiting impatiently for the online release of a product, one that you’re eagerly
waiting to purchase? You keep refreshing the page, waiting for that moment when the product will go live.
Then, as you press F5 for the last time, the page shows an error: “Service Unavailable.” The server must be
overloaded!

There are indeed cases like these where a website’s server gets overloaded with traffic and simply crashes,
sometimes when a news story breaks. But more commonly, this is what happens to a website during a DoS
attack, or denial-of-service, a malicious traffic overload that occurs when attackers overflood a website with
traffic. When a website has too much traffic, it’s unable to serve its content to visitors.

A DoS attack is performed by one machine and its internet connection, by flooding a website with packets and
making it impossible for legitimate users to access the content of flooded website. Fortunately, you can’t
really overload a server with a single other server or a PC anymore. In the past years it hasn’t been that
common if anything, then by flaws in the protocol.

A DDoS attack, or distributed denial-of-service attack, is similar to DoS, but is more forceful. It’s harder to
overcome a DDoS attack. It’s launched from several computers, and the number of computers involved can
range from just a couple of them to thousands or even more.

Data Threats, Cyber threats and Raids

2|Page
Data Threats, Cyber threats and Raids

Since it’s likely that not all of those machines belong to the attacker, they are compromised and added to the
attacker’s network by malware. These computers can be distributed around the entire globe, and that network
of compromised computers is called botnet.

Since the attack comes from so many different IP addresses simultaneously, a DDoS attack is much more
difficult for the victim to locate and defend against.

7. Phishing

Phishing is a method of a social engineering with the goal of obtaining sensitive data such as passwords,
usernames, credit card numbers.

The attacks often come in the form of instant messages or phishing emails designed to appear legitimate. The
recipient of the email is then tricked into opening a malicious link, which leads to the installation of malware
on the recipient’s computer. It can also obtain personal information by sending an email that appears to be sent
from a bank, asking to verify your identity by giving away your private information.

Uncovering phishing domains can be done easily with SecurityTrails.

8. Rootkit

Rootkit is a collection of software tools that enables remote control and administration-level access over a
computer or computer networks. Once remote access is obtained, the rootkit can perform a number of
malicious actions; they come equipped with keyloggers, password stealers and antivirus disablers.

Rootkits are installed by hiding in legitimate software: when you give permission to that software to make
changes to your OS, the rootkit installs itself in your computer and waits for the hacker to activate it. Other
ways of rootkit distribution include phishing emails, malicious links, files, and downloading software from
suspicious websites.

9. SQL Injection attack

We know today that many servers storing data for websites use SQL. As technology has progressed, network
security threats have advanced, leading us to the threat of SQL injection attacks.

SQL injection attacks are designed to target data-driven applications by exploiting security vulnerabilities in
the application’s software. They use malicious code to obtain private data, change and even destroy that data,
and can go as far as to void transactions on websites. It has quickly become one of the most dangerous privacy
issues for data confidentiality. You can read more on the history of SQL injection attacks to better understand
the threat it poses to cybersecurity.

10. Man-in-the-middle attacks

Data Threats, Cyber threats and Raids

3|Page
Data Threats, Cyber threats and Raids

Man-in-the-middle attacks are cybersecurity attacks that allow the attacker to eavesdrop on communication
between two targets. It can listen to a communication which should, in normal settings, be private.

As an example, a man-in-the-middle attack happens when the attacker wants to intercept a communication
between person A and person B. Person A sends their public key to person B, but the attacker intercepts it and
sends a forged message to person B, representing themselves as A, but instead it has the attackers public key.
B believes that the message comes from person A and encrypts the message with the attackers public key,
sends it back to A, but attacker again intercepts this message, opens the message with private key, possibly
alters it, and re-encrypts it using the public key that was firstly provided by person A. Again, when the
message is transferred back to person A, they believe it comes from person B, and this way, we have an
attacker in the middle that eavesdrops the communication between two targets.

Here are just some of the types of MITM attacks:

 DNS spoofing
 HTTPS spoofing
 IP spoofing
 ARP spoofing
 SSL hijacking
 Wi-Fi hacking

CYBERTHREAT 

Definition
A cyberthreat refers to anything that has the potential to cause serious harm to a computer system. A
cyberthreat is something that may or may not happen, but has the potential to cause serious damage.
Cyberthreats can lead to attacks on computer systems, networks and more.

Cyberthreat
Cyberthreats are potentials for vulnerabilities to turn into attacks on computer systems, networks, and more.
They can put individuals’ computer systems and business computers at risk, so vulnerabilities have to be fixed
so that attackers cannot infiltrate the system and cause damage.
Cyberthreats can include everything from viruses, trojans, back doors to outright attacks from hackers. Often,
the term blended cyberthreat is more accurate, as the majority of threats involve multiple exploits. For
example, a hacker might use a phishing attack to gain information about a network and break into a network.
WHY IS IT NECESSARY TO PROTECT FROM CYBER THREATS?

Cyber threats are a big deal. Cyber attacks can cause electrical blackouts, failure of military equipment and
breaches of national security secrets. They can result in the theft of valuable, sensitive data like medical

Data Threats, Cyber threats and Raids

4|Page
 Data Threats, Cyber threats and Raids

records. They can disrupt phone and computer networks or paralyze systems, making data unavailable. It’s not
an exaggeration to say that cyber threats may affect the functioning of life as we know it.

The threats are growing more serious, too. Gartner explains, “Cybersecurity risks pervade every organization
and aren’t always under IT’s direct control. Business leaders are forging ahead with their digital business
initiatives, and those leaders are making technology-related risk choices every day. Increased cyber risk is real
— but so are the data security solutions.”

The US government is taking cyber threats seriously but appears to be moving too slowly to mitigate them.
The White House’s Office of Management and Budget revealed that, of 96 federal agencies it assessed, 74
percent were either “At Risk” or “High Risk” for cyber attacks. They needed immediate security
improvements.

The US government has experienced numerous crippling data breaches in the last few years. Examples
include the massive breach of the Federal Office of Personnel Management and the theft of secret US Naval
codes. Both attacks have been attributed to Chinese state intelligence agencies.

TYPES OF MODERN CYBERSECURITY THREATS

Cybersecurity threats come in three broad categories of intent. Attackers are after:

 Financial gain
 Disruption
 Espionage (including corporate espionage – the theft of patents or state espionage)

Virtually every cyber threat falls into one of these three modes. In terms of attack techniques, malicious actors
have an abundance of options

10 COMMON CYBER THREATS

 Malware. Software that performs a malicious task on a target device or network, e.g. corrupting data
or taking over a system.
 Phishing. An email-borne attack that involves tricking the email recipient into disclosing confidential
information or downloading malware by clicking on a hyperlink in the message.
 Spear Phishing. A more sophisticated form of phishing where the attacker learns about the victim and
impersonates someone he or she knows and trusts.
 “Man in the Middle” (MitM) attack. Where an attacker establishes a position between the sender
and recipient of electronic messages and intercepts them, perhaps changing them in transit. The sender
and recipient believe they are communicating directly with one another. A MitM attack might be used
in the military to confuse an enemy.
 Trojans. Named after the Trojan Horse of ancient Greek history, the Trojan is a type of malware that
enters a target system looking like one thing, e.g. a standard piece of software, but then lets out the
malicious code once inside the host system.

Data Threats, Cyber threats and Raids

5|Page
 Data Threats, Cyber threats and Raids

 Ransomware. An attack that involves encrypting data on the target system and demanding a ransom
in exchange for letting the user have access to the data again. These attacks range from low-level
nuisances to serious incidents like the locking down of the entire city of Atlanta’s municipal
government data in 2018.
 Denial of Service attack or Distributed Denial of Service Attack (DDoS). Where an attacker takes
over many (perhaps thousands) of devices and uses them to invoke the functions of a target system,
e.g. a website, causing it to crash from an overload of demand.
 Attacks on IoT Devices. IoT devices like industrial sensors are vulnerable to multiple types of cyber
threats. These include hackers taking over the device to make it part of a DDoS attack and
unauthorized access to data being collected by the device. Given their numbers, geographic
distribution and frequently out-of-date operating systems, IoT devices are a prime target for malicious
actors.
 Data Breaches. A data breach is a theft of data by a malicious actor. Motives for data breaches include
crime (i.e. identity theft), a desire to embarrass an institution (e.g. Edward Snowden or the DNC hack)
and espionage.
 Malware on Mobile Apps. Mobile devices are vulnerable to malware attacks just like other
computing hardware. Attackers may embed malware in app downloads, mobile websites or phishing
emails and text messages. Once compromised, a mobile device can give the malicious actor access to
personal

EMERGING CYBER THREATS

Cyber threats are never static. There are millions being created every year. Most threats follow the standard
structures described above. However, they are becoming more and more potent.

For example, there is a new generation of “zero-day” threats that are able to surprise defenses because they
carry no detectable digital signatures.

Another worrisome trend is the continuing “improvement” of what experts call “Advanced Persistent Threats”
(APTs). As Business Insider describes APTs, “It’s the best way to define the hackers who burrow into
networks and maintain ‘persistence’ — a connection that can’t be stopped simply by software updates or
rebooting a computer.”

The notorious Sony Pictures hack is an example of an APT, where a nation-state actor lurked inside the
company’s network for months, evading detection while exfiltrating enormous amounts of data.

SOURCES OF CYBERSECURITY THREATS

Cyber threats come from a variety of places, people and contexts. Malicious actors include:

 Individuals that create attack vectors using their own software tools
 Criminal organizations that are run like corporations, with large numbers of employees developing
attack vectors and executing attacks
Data Threats, Cyber threats and Raids
6|Page
 Data Threats, Cyber threats and Raids

 Nation states
 Terrorists
 Industrial spies
 Organized crime groups
 Unhappy insiders
 Hackers
 Business competitors

Nation states are the sources of many of the most serious attacks. There are several different versions of
nation-state cyber threats. Some are basic espionage— trying to learn another country’s national secrets.
Others are aimed at disruption.

For example, Chris Painter of the U.S. Department of State commented in a Brookings Institution article that
China and North Korea “have frequently exercised their cyber power to achieve their strategic goals around
the globe.”

He noted, though, “Their motivations and objectives differ: While North Korea primarily aims to develop
capabilities for revenue generation and destructive capabilities for potential conflicts outside North Korea,
China mainly utilizes its cyber means for espionage and intellectual property theft. “Naming and shaming”
has been an effective tool against China because of its government’s concerns on the potential blowback on its
soft power.”

BEST PRACTICES FOR CYBER DEFENSE AND PROTECTION

It’s easy to get frustrated over the severity of the threat environment. However, it is possible to protect your
business from cyber threats. Consumers can also defend themselves.

CYBER DEFENSE FOR BUSINESSES

Enterprise best practices for defense from cyber defense include basic but extremely important
countermeasures like patching systems. When a tech vendor discovers (or is informed of) a security flaw in
their product, they typically write code that fixes or “patches” the problem.

For example, if Microsoft finds that a hacker can gain root access to Windows Server through a code exploit,
the company will issue a patch and distribute it to all owners of Windows Server licenses. They, among many
others, do this at least once a month. Many attacks would fail if IT departments applied all security patches on
a timely basis.

A host of new technologies and services are coming onto the market that make it easier to mount a robust
defense against cyber threats. These include:

 Outsourced security services

 Systems that enable collaboration between security team members
 Continual attack simulation tools
Data Threats, Cyber threats and Raids
7|Page
 Data Threats, Cyber threats and Raids

 Point solutions for anti-phishing and secure browsing

CYBER DEFENSE FOR INDIVIDUALS

For individuals, the best practices are simple. The good news is that in most cases, some pretty big security
organizations stand between the consumer and the hacker, e.g. the SecOps team at Verizon or AT&T. There
are still preventative measures you should take to help ensure your information’s safety:

1. Password hygiene.
Big security organizations cannot protect consumers against phishing or hackers who can guess passwords
like “1234.” Common sense and password hygiene can go a long way to protect consumers from cyber
threats.

2. Anti-virus software.
Subscribe to anti-virus software and keep your system up to date with automated, scheduled scans.

3. Caution against phishing attacks.

Be careful about opening file attachments. Phishing and spear phishing emails ones that look real but are not.
if you pay attention. For instance, if you get an email that says “past due invoice” with a PDF attachment,
don’t open it unless you are 100% sure you know who sent it. If you double check, you’ll probably see it
comes from an unusual email, like this one,

RAID
RAID (Redundant Array of Inexpensive Disks[1] or Drives, or Redundant Array of Independent Disks) is
a data storage virtualization technology that combines multiple physical disk drive components into one or
more logical units for the purposes of data redundancy, performance improvement, or both. This was in
contrast to the previous concept of highly reliable mainframe disk drives referred to as "single large expensive
disk" (SLED).[2][3]
Data is distributed across the drives in one of several ways, referred to as RAID levels, depending on the
required level of redundancy and performance. The different schemes, or data distribution layouts, are named
by the word "RAID" followed by a number, for example RAID 0 or RAID 1. Each scheme, or RAID level,
provides a different balance among the key goals: reliability, availability, performance, and capacity. RAID
levels greater than RAID 0 provide protection against unrecoverable sector read errors, as well as against
failures of whole physical drives.
Overview
Many RAID levels employ an error protection scheme called "parity", a widely used method in information
technology to provide fault tolerance in a given set of data. Most use simple XOR, but RAID 6 uses two
separate parities based respectively on addition and multiplication in a particular Galois field or Reed–
Solomon error correction.
RAID can also provide data security with solid-state drives (SSDs) without the expense of an all-SSD system.
For example, a fast SSD can be mirrored with a mechanical drive. For this configuration to provide a
Data Threats, Cyber threats and Raids
8|Page
Data Threats, Cyber threats and Raids

significant speed advantage an appropriate controller is needed that uses the fast SSD for all read
operations. Adaptec calls this "hybrid RAID".
STANDARD RAID LEVEL
Main article: Standard RAID levels

Storage servers with 24 hard disk drives and built-in hardware RAID controllers supporting various RAID
levels
A number of standard schemes have evolved. These are called levels. Originally, there were five RAID levels,
but many variations have evolved, including several nested levels and many non-standard
levels (mostly proprietary). RAID levels and their associated data formats are standardized by the Storage
Networking Industry Association (SNIA) in the Common RAID Disk Drive Format (DDF) standard:

RAID 0
RAID 0 consists of striping, but no mirroring or parity. Compared to a spanned volume, the capacity of a
RAID 0 volume is the same; it is the sum of the capacities of the disks in the set. But because striping
distributes the contents of each file among all disks in the set, the failure of any disk causes all files, the entire
RAID 0 volume, to be lost. A broken spanned volume at least preserves the files on the unfailing disks. The
benefit of RAID 0 is that the throughput of read and write operations to any file is multiplied by the number of
disks because, unlike spanned volumes, reads and writes are done concurrently,[12] and the cost is complete
vulnerability to drive failures. Indeed, the average failure rate is worse than that of an equivalent single non-
RAID drive.
RAID 1
RAID 1 consists of data mirroring, without parity or striping. Data is written identically to two drives, thereby
producing a "mirrored set" of drives. Thus, any read request can be serviced by any drive in the set. If a
request is broadcast to every drive in the set, it can be serviced by the drive that accesses the data first
(depending on its seek time and rotational latency), improving performance. Sustained read throughput, if the
controller or software is optimized for it, approaches the sum of throughputs of every drive in the set, just as
for RAID 0. Actual read throughput of most RAID 1 implementations is slower than the fastest drive. Write
throughput is always slower because every drive must be updated, and the slowest drive limits the write
performance. The array continues to operate as long as at least one drive is functioning.

RAID 2
Data Threats, Cyber threats and Raids
9|Page
Data Threats, Cyber threats and Raids

RAID 2 consists of bit-level striping with dedicated Hamming-code parity. All disk spindle rotation is

synchronized and data is striped such that each sequential bit is on a different drive. Hamming-code parity is
calculated across corresponding bits and stored on at least one parity drive. This level is of historical
significance only; although it was used on some early machines (for example, the Thinking Machines CM-
2), as of 2014 it is not used by any commercially available system.
RAID 3
RAID 3 consists of byte-level striping with dedicated parity. All disk spindle rotation is synchronized and data
is striped such that each sequential byte is on a different drive. Parity is calculated across corresponding bytes
and stored on a dedicated parity drive.[12] Although implementations exist, RAID 3 is not commonly used in
practice.
RAID 4
RAID 4 consists of block-level striping with dedicated parity. This level was previously used by NetApp, but
has now been largely replaced by a proprietary implementation of RAID 4 with two parity disks,
called RAID-DP. The main advantage of RAID 4 over RAID 2 and 3 is I/O parallelism: in RAID 2 and 3, a
single read I/O operation requires reading the whole group of data drives, while in RAID 4 one I/O read
operation does not have to spread across all data drives. As a result, more I/O operations can be executed in
parallel, improving the performance of small transfers.
RAID 5
RAID 5 consists of block-level striping with distributed parity. Unlike RAID 4, parity information is
distributed among the drives, requiring all drives but one to be present to operate. Upon failure of a single
drive, subsequent reads can be calculated from the distributed parity such that no data is lost. RAID 5 requires
at least three disks. Like all single-parity concepts, large RAID 5 implementations are susceptible to system
failures because of trends regarding array rebuild time and the chance of drive failure during rebuild (see
"Increasing rebuild time and failure probability" section, below).Rebuilding an array requires reading all data
from all disks, opening a chance for a second drive failure and the loss of the entire array.
RAID 6
RAID 6 consists of block-level striping with double distributed parity. Double parity provides fault tolerance
up to two failed drives. This makes larger RAID groups more practical, especially for high-availability
systems, as large-capacity drives take longer to restore. RAID 6 requires a minimum of four disks. As with
RAID 5, a single drive failure results in reduced performance of the entire array until the failed drive has been
replaced. With a RAID 6 array, using drives from multiple sources and manufacturers, it is possible to
mitigate most of the problems associated with RAID 5. The larger the drive capacities and the larger the array
size, the more important it becomes to choose RAID 6 instead of RAID 5.RAID 10 also minimizes these
problems.
Nested (hybrid) RAID
Main article:  Nested RAID levels
In what was originally termed hybrid RAID, many storage controllers allow RAID levels to be nested. The
elements of a RAID may be either individual drives or arrays themselves. Arrays are rarely nested more than
one level deep.
Data Threats, Cyber threats and Raids
10 | P a g e
Data Threats, Cyber threats and Raids

The final array is known as the top array. When the top array is RAID 0 (such as in RAID 1+0 and
RAID 5+0), most vendors omit the "+" (yielding RAID 10 and RAID 50, respectively).
RAID 0+1: 
 creates two stripes and mirrors them. If a single drive failure occurs then one of the stripes has failed,
at this point it is running effectively as RAID 0 with no redundancy. Significantly higher risk is
introduced during a rebuild than RAID 1+0 as all the data from all the drives in the remaining stripe
has to be read rather than just from one drive, increasing the chance of an unrecoverable read error
(URE) and significantly extending the rebuild window.
RAID 1+0: 
 (see: RAID 10) creates a striped set from a series of mirrored drives. The array can sustain multiple
drive losses so long as no mirror loses all its drives.[31]
JBOD RAID N+N: 
 With JBOD (just a bunch of disks), it is possible to concatenate disks, but also volumes such as RAID
sets. With larger drive capacities, write delay and rebuilding time increase dramatically (especially, as
described above, with RAID 5 and RAID 6). By splitting a larger RAID N set into smaller subsets and
concatenating them with linear JBOD,write and rebuilding time will be reduced. If a hardware RAID
controller is not capable of nesting linear JBOD with RAID N, then linear JBOD can be achieved with
OS-level software RAID in combination with separate RAID N subset volumes created within one, or
more, hardware RAID controller(s). Besides a drastic speed increase, this also provides a substantial
advantage: the possibility to start a linear JBOD with a small set of disks and to be able to expand the
total set with disks of different size, later on (in time, disks of bigger size become available on the
market). There is another advantage in the form of disaster recovery (if a RAID N subset happens to
fail, then the data on the other RAID N subsets is not lost, reducing restore time).
Non-standard levels
Many configurations other than the basic numbered RAID levels are possible, and many companies,
organizations, and groups have created their own non-standard configurations, in many cases designed to meet
the specialized needs of a small niche group. Such configurations include the following:
 Linux MD RAID 10 provides a general RAID driver that in its "near" layout defaults to a standard
RAID 1 with two drives, and a standard RAID 1+0 with four drives; however, it can include any
number of drives, including odd numbers. With its "far" layout, MD RAID 10 can run both striped and
mirrored, even with only two drives in f2 layout; this runs mirroring with striped reads, giving the read
performance of RAID 0. Regular RAID 1, as provided by Linux software RAID, does not stripe reads,
but can perform reads in parallel.
 Hadoop has a RAID system that generates a parity file by xor-ing a stripe of blocks in a single HDFS
file.
 BeeGFS, the parallel file system, has internal striping (comparable to file-based RAID0) and
replication (comparable to file-based RAID10) options to aggregate throughput and capacity of
multiple servers and is typically based on top of an underlying RAID to make disk failures transparent.

Data Threats, Cyber threats and Raids

11 | P a g e
Data Threats, Cyber threats and Raids

 Declustered RAID scatters dual (or more) copies of the data across all disks (possibly hundreds) in a
storage subsystem, while holding back enough spare capacity to allow for a few disks to fail. The
scattering is based on algorithms which give the appearance of arbitrariness. When one or more disks
fail the missing copies are rebuilt into that spare capacity, again arbitrarily. Because the rebuild is done
from and to all the remaining disks, it operates much faster than with traditional RAID, reducing the
overall impact on clients of the storage system.
Implementations
The distribution of data across multiple drives can be managed either by dedicated computer hardware or
by software. A software solution may be part of the operating system, part of the firmware and drivers
supplied with a standard drive controller (so-called "hardware-assisted software RAID"), or it may reside
entirely within the hardware RAID controller.
Hardware-based
RAID controller
Configuration of hardware RAID
Hardware RAID controllers can be configured through card BIOS before an operating system is booted, and
after the operating system is booted, proprietary configuration utilities are available from the manufacturer of
each controller. Unlike the network interface controllers for Ethernet, which can usually be configured and
serviced entirely through the common operating system paradigms like ifconfig in Unix, without a need for
any third-party tools, each manufacturer of each RAID controller usually provides their own proprietary
software tooling for each operating system that they deem to support, ensuring a vendor lock-in, and
contributing to reliability issues.
For example, in FreeBSD, in order to access the configuration of Adaptec RAID controllers, users are
required to enable Linux compatibility layer, and use the Linux tooling from Adaptec, potentially
compromising the stability, reliability and security of their setup, especially when taking the long term view.
Some other operating systems have implemented their own generic frameworks for interfacing with any
RAID controller, and provide tools for monitoring RAID volume status, as well as facilitation of drive
identification through LED blinking, alarm management and hot spare disk designations from within the
operating system without having to reboot into card BIOS. For example, this was the approach taken
by OpenBSD in 2005 with its bio(4) pseudo-device and the bioctl utility, which provide volume status, and
allow LED/alarm/hotspare control, as well as the sensors (including the drive sensor) for health
monitoring; this approach has subsequently been adopted and extended by NetBSD in 2007 as well.
Software-based
Software RAID implementations are provided by many modern operating systems. Software RAID can be
implemented as:
 A layer that abstracts multiple devices, thereby providing a single virtual device (e.g. Linux
kernel's md and OpenBSD's softraid)
 A more generic logical volume manager (provided with most server-class operating systems,
e.g. Veritas or LVM)

Data Threats, Cyber threats and Raids

12 | P a g e
Data Threats, Cyber threats and Raids

 A component of the file system (e.g. ZFS, Spectrum Scale or Btrfs)

 A layer that sits above any file system and provides parity protection to user data (e.g. RAID-F)
Some advanced file systems are designed to organize data across multiple storage devices directly, without
needing the help of a third-party logical volume manager:
 ZFS supports the equivalents of RAID 0, RAID 1, RAID 5 (RAID-Z1) single-parity, RAID 6 (RAID-
Z2) double-parity, and a triple-parity version (RAID-Z3) Also referred to as RAID 7. As it always
stripes over top-level vdevs, it supports equivalents of the 1+0, 5+0, and 6+0 nested RAID levels (as
well as striped triple-parity sets) but not other nested combinations. ZFS is the native file system
on Solaris and illumos, and is also available on FreeBSD and Linux. Open-source ZFS
implementations are actively developed under the OpenZFS umbrella project.
 Spectrum Scale, initially developed by IBM for media streaming and scalable analytics,
supports declustered RAID protection schemes up to n+3. A particularity is the dynamic rebuilding
priority which runs with low impact in the background until a data chunk hits n+0 redundancy, in
which case this chunk is quickly rebuilt to at least n+1. On top, Spectrum Scale supports metro-
distance RAID 1.
 Btrfs supports RAID 0, RAID 1 and RAID 10 (RAID 5 and 6 are under development).
 XFS was originally designed to provide an integrated volume manager that supports concatenating,
mirroring and striping of multiple physical storage devices.However, the implementation of XFS in
Linux kernel lacks the integrated volume manager.
Many operating systems provide RAID implementations, including the following:
 Hewlett-Packard's OpenVMS operating system supports RAID 1. The mirrored disks, called a
"shadow set", can be in different locations to assist in disaster recovery.
 Apple's macOS and macOS Server support RAID 0, RAID 1, and RAID 1+0.
 FreeBSD supports RAID 0, RAID 1, RAID 3, and RAID 5, and all nestings via GEOM modules and
ccd.
 Linux's md supports RAID 0, RAID 1, RAID 4, RAID 5, RAID 6, and all nestings. Certain
reshaping/resizing/expanding operations are also supported.
 Microsoft Windows supports RAID 0, RAID 1, and RAID 5 using various software
implementations. Logical Disk Manager, introduced with Windows 2000, allows for the creation of
RAID 0, RAID 1, and RAID 5 volumes by using dynamic disks, but this was limited only to
professional and server editions of Windows until the release of Windows 8.[59][60] Windows XP can be
modified to unlock support for RAID 0, 1, and 5. Windows 8 and Windows Server 2012 introduced a
RAID-like feature known as Storage Spaces, which also allows users to specify mirroring, parity, or
no redundancy on a folder-by-folder basis. These options are similar to RAID 1 and RAID 5, but are
implemented at a higher abstraction level.
 NetBSD supports RAID 0, 1, 4, and 5 via its software implementation, named RAIDframe.
 OpenBSD supports RAID 0, 1 and 5 via its software implementation, named softraid.

Data Threats, Cyber threats and Raids

13 | P a g e
Data Threats, Cyber threats and Raids

If a boot drive fails, the system has to be sophisticated enough to be able to boot from the remaining drive or
drives. For instance, consider a computer whose disk is configured as RAID 1 (mirrored drives); if the first
drive in the array fails, then a first-stage boot loader might not be sophisticated enough to attempt loading
the second-stage boot loader from the second drive as a fallback. The second-stage boot loader for FreeBSD is
capable of loading a kernel from such an array.
Firmware- and driver-based

A SATA 3.0 controller that provides RAID functionality through proprietary firmware and drivers
See also: MD RAID external metadata
Software-implemented RAID is not always compatible with the system's boot process, and it is generally
impractical for desktop versions of Windows. However, hardware RAID controllers are expensive and
proprietary. To fill this gap, inexpensive "RAID controllers" were introduced that do not contain a dedicated
RAID controller chip, but simply a standard drive controller chip with proprietary firmware and drivers.
During early bootup, the RAID is implemented by the firmware and, once the operating system has been more
completely loaded, the drivers take over control. Consequently, such controllers may not work when driver
support is not available for the host operating system. An example is Intel Matrix RAID, implemented on
many consumer-level motherboards.
Because some minimal hardware support is involved, this implementation is also called "hardware-assisted
software RAID", "hybrid model" RAID,[71] or even "fake RAID". If RAID 5 is supported, the hardware may
provide a hardware XOR accelerator. An advantage of this model over the pure software RAID is that—if
using a redundancy mode—the boot drive is protected from failure (due to the firmware) during the boot
process even before the operating systems drivers take over.
Integrity
Data scrubbing (referred to in some environments as patrol read) involves periodic reading and checking by
the RAID controller of all the blocks in an array, including those not otherwise accessed. This detects bad
blocks before use.[73] Data scrubbing checks for bad blocks on each storage device in an array, but also uses
the redundancy of the array to recover bad blocks on a single drive and to reassign the recovered data to spare
blocks elsewhere on the drive.
Frequently, a RAID controller is configured to "drop" a component drive (that is, to assume a component
drive has failed) if the drive has been unresponsive for eight seconds or so; this might cause the array
controller to drop a good drive because that drive has not been given enough time to complete its internal
error recovery procedure. Consequently, using consumer-marketed drives with RAID can be risky, and so-
called "enterprise class" drives limit this error recovery time to reduce risk.Western Digital's desktop drives
Data Threats, Cyber threats and Raids
14 | P a g e
Data Threats, Cyber threats and Raids

used to have a specific fix. A utility called WDTLER.exe limited a drive's error recovery time. The utility
enabled TLER (time limited error recovery), which limits the error recovery time to seven seconds. Around
September 2009, Western Digital disabled this feature in their desktop drives (e.g. the Caviar Black line),
making such drives unsuitable for use in RAID configurations.[75] However, Western Digital enterprise class
drives are shipped from the factory with TLER enabled. Similar technologies are used by Seagate, Samsung,
and Hitachi. For non-RAID usage, an enterprise class drive with a short error recovery timeout that cannot be
changed is therefore less suitable than a desktop drive.[75] In late 2010, the Smartmontools program began
supporting the configuration of ATA Error Recovery Control, allowing the tool to configure many desktop
class hard drives for use in RAID setups.
While RAID may protect against physical drive failure, the data is still exposed to operator, software,
hardware, and virus destruction. Many studies cite operator fault as a common source of malfunction,[76]
[77]
 such as a server operator replacing the incorrect drive in a faulty RAID, and disabling the system (even
temporarily) in the process.
An array can be overwhelmed by catastrophic failure that exceeds its recovery capacity and the entire array is
at risk of physical damage by fire, natural disaster, and human forces, however backups can be stored off site.
An array is also vulnerable to controller failure because it is not always possible to migrate it to a new,
different controller without data loss.
Weaknesses
Correlated failures
In practice, the drives are often the same age (with similar wear) and subject to the same environment. Since
many drive failures are due to mechanical issues (which are more likely on older drives), this violates the
assumptions of independent, identical rate of failure amongst drives; failures are in fact statistically correlated.
[12]
 In practice, the chances for a second failure before the first has been recovered (causing data loss) are
higher than the chances for random failures. In a study of about 100,000 drives, the probability of two drives
in the same cluster failing within one hour was four times larger than predicted by the exponential statistical
distribution—which characterizes processes in which events occur continuously and independently at a
constant average rate. The probability of two failures in the same 10-hour period was twice as large as
predicted by an exponential distribution.[80]
Unrecoverable read errors during rebuild
Unrecoverable read errors (URE) present as sector read failures, also known as latent sector errors (LSE). The
associated media assessment measure, unrecoverable bit error (UBE) rate, is typically guaranteed to be less
than one bit in 10 for enterprise-class drives (SCSI, FC, SAS or SATA), and less than one bit in 10 for
desktop-class drives (IDE/ATA/PATA or SATA). Increasing drive capacities and large RAID 5 instances have
led to the maximum error rates being insufficient to guarantee a successful recovery, due to the high
likelihood of such an error occurring on one or more remaining drives during a RAID set rebuild. When
rebuilding, parity-based schemes such as RAID 5 are particularly prone to the effects of UREs as they affect
not only the sector where they occur, but also reconstructed blocks using that sector for parity computation.
Double-protection parity-based schemes, such as RAID 6, attempt to address this issue by providing
redundancy that allows double-drive failures; as a downside, such schemes suffer from elevated write penalty
—the number of times the storage medium must be accessed during a single write operation. Schemes that
Data Threats, Cyber threats and Raids
15 | P a g e
Data Threats, Cyber threats and Raids

duplicate (mirror) data in a drive-to-drive manner, such as RAID 1 and RAID 10, have a lower risk from
UREs than those using parity computation or mirroring between striped sets. Data scrubbing, as a background
process, can be used to detect and recover from UREs, effectively reducing the risk of them happening during
RAID rebuilds and causing double-drive failures. The recovery of UREs involves remapping of affected
underlying disk sectors, utilizing the drive's sector remapping pool; in case of UREs detected during
background scrubbing, data redundancy provided by a fully operational RAID set allows the missing data to
be reconstructed and rewritten to a remapped sector.
Increasing rebuild time and failure probability
Drive capacity has grown at a much faster rate than transfer speed, and error rates have only fallen a little in
comparison. Therefore, larger-capacity drives may take hours if not days to rebuild, during which time other
drives may fail or yet undetected read errors may surface. The rebuild time is also limited if the entire array is
still in operation at reduced capacity. Given an array with only one redundant drive (which applies to RAID
levels 3, 4 and 5, and to "classic" two-drive RAID 1), a second drive failure would cause complete failure of
the array. Even though individual drives' mean time between failure (MTBF) have increased over time, this
increase has not kept pace with the increased storage capacity of the drives. The time to rebuild the array after
a single drive failure, as well as the chance of a second failure during a rebuild, have increased over time.
Some commentators have declared that RAID 6 is only a "band aid" in this respect, because it only kicks the
problem a little further down the road. However, according to the 2006 NetApp study of Berriman et al., the
chance of failure decreases by a factor of about 3,800 (relative to RAID 5) for a proper implementation of
RAID 6, even when using commodity drives. Nevertheless, if the currently observed technology trends
remain unchanged, in 2019 a RAID 6 array will have the same chance of failure as its RAID 5 counterpart had
in 2010.
Mirroring schemes such as RAID 10 have a bounded recovery time as they require the copy of a single failed
drive, compared with parity schemes such as RAID 6, which require the copy of all blocks of the drives in an
array set. Triple parity schemes, or triple mirroring, have been suggested as one approach to improve
resilience to an additional drive failure during this large rebuild time.

Atomicity: including parity inconsistency due to system crashes

A system crash or other interruption of a write operation can result in states where the parity is inconsistent
with the data due to non-atomicity of the write process, such that the parity cannot be used for recovery in the
case of a disk failure (the so-called RAID 5 write hole). The RAID write hole is a known data corruption issue
in older and low-end RAIDs, caused by interrupted destaging of writes to disk.The write hole can be
addressed with write-ahead logging. Recently mdadm fixed it by introducing a dedicated journaling device (to
avoid performance penalty, typically, SSDs and NVMs are preferred) for that purpose.
This is a little understood and rarely mentioned failure mode for redundant storage systems that do not utilize
transactional features. Database researcher Jim Gray wrote "Update in Place is a Poison Apple" during the
early days of relational database commercialization.
Write-cache reliability
Data Threats, Cyber threats and Raids
16 | P a g e
Data Threats, Cyber threats and Raids

There are concerns about write-cache reliability, specifically regarding devices equipped with a write-back
cache, which is a caching system that reports the data as written as soon as it is written to cache, as opposed to
when it is written to the non-volatile medium. If the system experiences a power loss or other major failure,
the data may be irrevocably lost from the cache before reaching the non-volatile storage. For this reason good
write-back cache implementations include mechanisms, such as redundant battery power, to preserve cache
contents across system failures (including power failures) and to flush the cache at system restart time.

Understanding How RAID Storage Works – Part 1

Redundant Array of Independent (originally Inexpensive) Disks (RAID) is a term used for computer data
storage systems that spread and/or replicate data across multiple drives. RAID technology has revolutionized
enterprise data storage and was designed with two key goals:  increase data reliability and increase I/O
(input/output) performance.

Unfortunately though, RAID storage isn’t a perfect technology and as a result data loss can still occur when
using these systems. In this post we’ll explore how RAID levels work and how data can be stored (and lost!)
with this type of storage.

How does RAID work?

A RAID combines physical disks into a single logical unit by using either special hardware or software.
Hardware RAID solutions can come in a variety styles, from built onto the motherboard or add in cards, up to
large enterprise NAS or SAN servers. With these setups the operating system (OS) is unaware of the technical
workings or the RAID. Software solutions are typically implemented within the OS.

RAID is traditionally used on servers, but can be also used on workstations. The latter is especially true in
storage-intensive computers such as those used for video and audio editing, where high storage capacities and
data transfer speeds are required.

Data Threats, Cyber threats and Raids

17 | P a g e
Data Threats, Cyber threats and Raids

Commonly used terms

Before we go into any further detail, let’s take a look at some of the technical terms that are commonly used to
describe aspects of RAID storage:

RAID – A technology that supports various hard drive configurations for the purposes of achieving greater
performance, reliability and larger volume sizes through the use of consolidating disk resources and parity
calculations.

Parity – Distributed information which allows the recreation of data stored within a RAID array, even if one
disk fails.

Mirroring – Data from 1 or more hard drives is duplicated onto another physical disk(s).

Striping – A method where data can be written across multiple disks. In the example below the data is written
across the drives in a sequential order until the last drive, it then jumps back to the first and starts a 2nd stripe,
etc.

Block – A block is the logical space on each disk where the data is written, the amount of space is set by the
RAID controller.

Left / right symmetry – Symmetry in a RAID controls how the data and parity are distributed across the
drives. There are 4 main styles of symmetry – which one is used depends on the RAID vendor. Some
companies also make proprietary styles depending on their business needs.

Hot spare – There are a few different methods for dealing with drive failures within a RAID; one is the use of
a ‘hot spare’. It is a spare disk which can be used in place of a failed one.

Degraded mode – This happens when a drive in the RAID becomes unreadable; the drive is then considered
bad and is withdrawn from the RAID. The new data and parity are then written to the remaining drives within
the RAID, if any data is requested from the failed drive it is worked out with the parity on the others. This
degrades the performance of the RAID.

Still with me? Now that we’ve defined the key terms, in our next article we will take a look at the three key
concepts in RAID: mirroring, striping and error correction. We’ll also look at different RAID levels, how
modern arrays work and what challenges lie ahead if data is lost. See you next time!

If you’ve experienced data loss from a RAID, contact the experts at Ontrack by clicking here.

Data Threats, Cyber threats and Raids

18 | P a g e