Posts

Showing posts from 2011

419s still dribbling in

Fresh from my inbox: " Dear Sir/Madam We regret to inform that your Visa/Mastercard secure has been set off because to many attendings, and we beleive that others were ussing your details. Please download the attach   to reactivate the account." Yeah, right. To many attendings, eh?  Others ussing my details?  Unbeleivable! I'm still haunted by the memory of a printed sign I saw in the lobby of a hotel in Sierra Leone, along the lines of "419ers are not permitted here".  Actually I wish I had photographed it for posterity.  Ho hum.

Outsourcing POS IT

From Wired: "Four Romanian nationals have been charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment unsealed Thursday ... The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs." Which begs the obvious question: why would anyone put their Point Of Sale systems on the Internet, with remote desktop software to boot? The answer presumably involves the millions of retail outlets that don't have an in-house IT function but rely on external 'point of sale IT specialists' to install, manage and maintain their card readers and often the electronic tills, accounting and stock management systems. I wonder if the mom-n-pop retailers are sufficiently ...

Sign of the times: M$ hard-up

Wow! Lucky me! I've won a prize from the MSN Foundation! I guess Microsoft must have fallen on hard times. $1.5 USD isn't exactly thrilling. Endless junk like this leeches bandwidth from the network, wastes processing cycles, consumes bytes on disk and exercises my grey matter (admittedly, not a lot). I guess the cretins sending it have nothing better to do than annoy the rest of us.

Network security awareness

December's awareness module on network security has just been released. Here's one of six new security awareness poster designs in the module. Computer networks, particularly the Internet, enable employees, business partners, suppliers and customers to share information and collaborate more or less instantaneously.  The advantages of networking are enormous and have revolutionized modern business life – we are in the midst of an “information revolution”.  However, the World Wide Web is not unlike the Wild Wild West.  Hackers and organized criminals (the Internet’s outlaws) are plundering vulnerable online businesses to steal the gold (information assets).  There are precious few sheriffs in cyberspace and the outlaws pack powerful weapons. Consequently there are significant risks associated with networking and strong security controls are necessary to protect the organization...

Heir Hunters - not

Interesting new slant on an old 419 scam now circulating: "Hello Dear, I am writing you from Heir Hunters Company in the United kingdom. Heir Hunters probate detectives looking for distant relatives of people who have died without making a will, the United Kingdom government last year made over £18m from uncliamed assets. When people die intestate ( without a will ) and with no known relatives, their names are released by the Treasury. Every Thursday, a list of these unclaimed estates, the Bona Vacantia (Latin for "ownerless goods") is published on the Treasury Solicitor's website. The race is then on for heir locators to track down the often distant relatives in line for a windfall. Often heir hunters pick more unusual names first, as they are easier to trace. We came across your profile and email while searching through genealogy database,we will be glad if you can get back to us with your full name, date of birth, address and your direct number if it corresp...

Singalongapassword

Brian Krebs is an excellent journalist and blogger on information security matters. He often seems to pick up infosec stories that nobody else covers and his advice is generally sound. In respect of password choices, however, I think Brian's missing a trick. He offers the stock advice on avoiding common words, using miXed case and punctuation ... etc. All fair enough, but he neglects to mention the coolest tip of all, which is to use long passphrases. Long passwords used to be counterproductive on old Windows systems that broke them all into weak 7-character chunks. Windows hasn't done this for years. The only other issue I'm aware of is that some dinosaurs of the mainframe era still restrict password length to about 8 characters. But hey, it's only the mainframe, so nothing much to protect there, eh? My favorite passphrases are the complete lines of songs, complete with punctuation, spaces, capiTaliZation and tricks such as duplicating, omitting or substituting certa...

Colombian credentials

Presumably as a result of international pressure on the Colombian authorities, a colleague sending me a letter had to attach a photocopy of his REPUBLICA DE COLOMBIA - IDENTIFICACION PERSONAL - CEDULA DE CIUDADANIA (what appears to be his Colombian government-issued ID card), front-and-back including his mugshot and fingerprint, to the "CARTA DE RESPONSABILIDAD" form PR-OP-AD-001-FR-001 endorsed by somebody working for the POLICIA ANTINARCOTICOS at Aeropuerto El Dorado - Bogota. The bottom of the form reads "Nota: Recuerde que es obligatorio anexar fotocopia del documento de identidad". With my rather primitive understanding of Spanish, I take that to mean that it was compulsory for the sender to attach the photocopy of his ID card, presumably to be able to send me the letter. I was absolutely amazed to receive all that personal information 'in plaintext', attached by sticky tape to the rear of the airmail letter that arrived in my NZ postbox today. I guess ...

Credentials module released

'Credentials' is the rather formal title of November's security awareness module on identification and authentication. Authentication associates a person unambiguously to an identity, excluding others. It reduces the possibility of fraud and hacking, helps maintain the integrity of the systems and data, and is a prerequisite for personal accountability for IT activities. Authenticated individuals can safely be given access to sensitive and valuable information resources which they are authorized to access. Without authentication, unauthorized access would be a much bigger problem and the information security risks would be even greater. From the ordinary worker's perspective, the key issues are choosing good passwords and keeping staff ID cards safe.

SSL security checker

A nicely presented online tool from Qualys lets us check the security of SSL configurations used by public websites. SSL is not exactly the security panacea that is usually implied by online businesses. It can be configured on the servers to negotiate and establish connections using older, weaker algorithms instead of the more recent, stronger, recommended ones - or not. The Qualys tool connects and tries to persuade the tested site to fall back to one of the deprecated SSL algorithms, marking down the site's score if it succeeds. This is a simple illustration of the complexity of IT security management today, and the value of routine independent penetration testing of corporate websites.

Another 4,900,000 privacy breach statistics

A backup tape containing medical records and other personal information on nearly 5 million US military personnel in the TRICARE scheme has been stolen from an SAIC employee's car. TRICARE is a US "health care program serving Uniformed Service members, retirees and their families worldwide". SAIC (Science Applications International Corporation) is a "scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding". It is best known as an IT outsourcer/service provider. TRICARE's statement "retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system an...

Privacy awareness module

Today we released the October awareness module on privacy. The awareness materials introduce basic privacy concepts using the OECD privacy principles, emphasizing compliance with privacy laws and regulations, as well as corporate privacy policies and procedures.  Information security controls underpin privacy for personal information and data.  Ethical considerations take privacy beyond mere compliance into the realm of appropriate and inappropriate use and disclosure of private matters, while the business impacts of privacy breaches, and the costs of privacy controls, are also discussed. The awareness quiz is a new idea.  I hope customers will have fun with that.  The quiz format will no doubt continue to evolve over future months, and as always improvement suggestions are very welcome.

Social media policies

Seems free speech is alive and well in the US ... "Most of the social media policies that we've been presented are very, very overbroad," Solomon said in an interview. "They say you can't disparage or criticize the company in any way on social media, and that is not true under the law."  ... Doreen Davis, a management-side labor lawyer based in Philadelphia, said many of her corporate clients are often "surprised and upset" when they learn they can't simply terminate employees for talking about work online. Employers should develop sound, legally-sanctioned policies concerning what employees can and can't say about them on Facebook or whatever, but more importantly they need to provide mechanisms for employees to voice genuine grievances and have them addressed properly by management, without fear of persecution or recrimination.  That's the real issue here, isn't it? And it's a governance matter in my book. So why is it...

40 hard-won business continuity lessons from the NZ and Japan quakes

Rob Slade and I wrote an article capturing forty business continuity lessons arising from the massive earthquakes in New Zealand and Japan. It has just been published in EDPACS and, thanks to the generosity of the publishers Taylor and Francis, it is available as a free PDF download. Aside from the specific lessons concerning resilience, crisis management, disaster recovery, and contingency management, our article illustrates a broader point, namely that it is not necessary to experience disasters first-hand in order to learn from them. If you are fortunate enough not to live and work in an earthquake-prone area, there are still valid lessons here to help you survive other natural and unnatural disasters.

What use is a BCP that won't work?

While contemplating the latest PwC security survey report, I was intrigued to read: "At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. (Figure 15) But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening. In effect, most organizations (63%) have no plan or the plan they have doesn’t work." I'm curious about the implication that about a third of organizations have nonfunctional contingency plans for information security incidents. Presumably they know their plans don't work because: They have used the plans but they failed in operation. It's possible some such organizations are too busy trying to recover from the incidents, or conceivably they are too badly damaged, to work on their contingency plans right now. What are the others doing?; They have tested the plans but the...

Securing people: the human side of information security

Information security involves far more than just computer security.  It's about protecting information in all its forms against all sorts of risks using whatever security controls are cost-effective.  Technology-based controls such as logins, firewalls and antivirus programs, plus physical controls such as padlocks, are merely parts of the information security space - important parts, maybe, but not sufficient in themselves to secure our information assets.  This is where the modern approach to information security departs from traditional IT security in particular.  We need to secure not just the computer systems and networks but also the human beings - the people who design, develop, test, implement, use, manage and maintain the systems and networks, plus those who seem to get by perfectly well without IT ... Information security is very much a human endeavor, which of course makes it an ideal security awareness topic, not least as security cannot be addressed thro...

Oh no! Several stormy rainfall!

Phishers are already using the US hurricanes as the pretext: "... After several stormy rainfall occurred recently, We regret to inform you that a computer failure has affected some of the modules of our systems notament sending wire transfers and credit card payments online. But our teams have set up a verification process and reactivate your account. To complete verification, you will be taken through the following stages: 1. Input your Personal Information 2. Input your Account Information 3. Input your Online Banking Information 4. Click on Continue ..." Anyone gullible enough to believe that 'several stormy rainfall' is enough to knock out a bank's computer systems and require them to 'verify' themselves probably shouldn't have a bank account. :-)

Spoon-fed security

I've been reading the recently-issued revised FFIEC guidance to US financial institutions on user authentication and related 'layered' controls, and puzzling as to why such guidance is required. Is it really necessary for the FFIEC to tell banks, for example, to use "enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk"? Is that not stating the bleedin' obvious? Isn't it clearly in the banks' interest to make their valued customers aware of keylogging Trojans, phishing, 419s, money-mules and a zillion other scams? The financial institutions in which I have worked have all been hot on risk management, and have usually worked at or close to the cutting-edge of brand new security technologies. My risk, security and fraud colleagues definitely appreciated the issues relating to failing to identify and authenticate customers, not least for Internet banking systems, while on t...

Hard lessons

Distribute.IT, an ISP that suffered a devastating hacker attack on June 11th was attempting disaster recovery by June 13th but in serious trouble by June 17th and finally admitted defeat with the complete loss of several important customer-facing servers by June 21st, just ten days after the hack. Some 4,800 domains and customer accounts were lost, with (it appears) no offsite data backups from which they might have been restored. With 20/20 hindsight, someone in Distribute.IT's management presumably made some extremely unwise decisions regarding the risk that materialized. Whether they simply didn't consider or appreciate the risk, considered it too remote to address, or failed to treat the risk adequately, is now a moot point: whatever they did do was patently not good enough, and it looks like the business has failed. Controls that are meant to prevent hacks fail quite often in practice, so it would have been sensible to make suitable disaster recovery and business contin...

Hacking the Sun

The website for the Sun newspaper, formerly a competitor to the now defunct News of the World, has been hacked, compromising personal details of entrants to an online competition. Whether this is linked to Lulzsec and Anonymous hacks remains to be seen, but I'm glad I'm not an information security manager for the British tabloid press, or in fact any British news media.

RSA hack cost >$66m

EMC, which owns RSA, spent US$66m 'between April and June' as a result of the Trojan/hack incident in March that compromised their SecurID product. $66m may be Information Week's headline figure and that's a staggering amount of money for starters, but that's just it - it's for starters. We're told "It doesn't include post-breach expenses from the first quarter, when EMC began investigating the attack, hardening its systems, and working with customers to prevent their being exploited as a result of the attacks." so we know for sure it is an underestimate of the full breach costs. The wording of the disclosure also implies that it only covers the direct costs that are readily attributed to the breach. Indirect costs such as the brand/reputation damage, customer defections, lost sales prospects, damaged employee morale and more are hard to even estimate, let alone with sufficient accuracy to satisfy the bean-counters and marketing people w...

Disclosing our sources

These are some of the key resources we use routinely to find out about and learn from information security incidents: Google, of course. We search often using the Google toolbar in our browser. We have learnt to craft more effective queries by exploiting Google’s search syntax including the advanced search functions. Google Alerts are a helpful way to trawl the Web daily for specific news and tidbits relevant to the monthly topics, especially since we discovered how to integrate alerts into our RSS/blog reader … Google Reader is, currently, our RSS/blog reading weapon of choice. Have you spotted the not-too-subtle pattern here? Google rocks! Hyperlinks embedded within other sources. Blogs, particularl...

Learning from information security incidents

Information security incident management processes are meant to help the organization contain and recover more efficiently from incidents. Well-designed processes also enable the organization to understand the risks that materialized, analyze and identify the root causes, and make improvements to the security controls in order to reduce the risk of further incidents. The School of Hard Knocks is an effective but rather brutal institution. We can certainly learn from the information security incidents we suffer directly, but they can be costly - devastating even. The worst can literally threaten the organization’s survival. Hard knocks indeed! The awareness materials this month extend the idea of learning from our own information security incidents to take in lessons from incidents affecting third parties. The idea is to gain the knowledge without actually suffering the adverse impacts of information security failures. It’s obvious when yo...

On being 'secure enough'

Security Week invites readers to complete a checklist/questionnaire to figure out whether their security awareness programs are "good enough".  I was pleased to rate myself in the top-scoring category: "If you scored 55 or more “yes” answers, you already know this stuff and have yourself under control. You could probably be teaching other organizations how to design and implement security awareness programs. You have a well-defined and executed program that pretty consistently exceeds standards of due care. Maintain your program and stay vigilant on quality updates." Well yes, in a sense I am 'teaching other organizations how to design and implement security awareness programs' through our awareness service so the high score is to be expected. In fact, we deliver rather more than the checklist requires*, but it got me thinking about whether it is realistic to expect our customers, or indeed less fortunate organizations :-) to adopt all the awareness practic...

Unclassified but still worth protecting

An unusual news item in the Federal Times says that the US DoD is proposing to impose information security requirements on defense contractors regarding unclassified information, supplementing those for classified information. The article goes on about blurring the distinctions between classified and unclassified information, and claims the compliance costs across the industry will be enormous, but if so I'm puzzled at the implication that such information is not already being adequately protected by contractors. Surely any organization that handles classified military information is well aware of information security risks and controls, so I would be very surprised if unclassified information is as insecure as the journalist suggests.

Cross site scripting made simple

A well-presented video tutorial from the OWASP team explains in simple terms how one form of XSS - cross site scripting - works. XSS is a bit tricky to explain.  The video makes good use of graphics to put the message across, without getting too technical. If you are a web developer, you should be well aware of XSS, in sufficient depth to know how to prevent this form of attack on visitors to your websites.  The tutorial barely hints at the technical controls needed but future editions will go into more depth.  Meanwhile, the excellent OWASP site includes lots more information and even some code snippets to give you a head start on securing your site.

You have the right to remain silent ...

... while we force you to enter your passphrase into your computer to decrypt the data potentially comprising or incriminating evidence. According to the CNET article: "Prosecutors stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form." The ramifications of governments 'allowing' 'ordinary' 'citizens' access to strong encryption are many and varied. What if citizens have the nerve to protect information which they consider highly confidential but which the government desires to access? Of course the government has the resources to try to defeat the cryptosystem, whether by brute-force attack or cryptanalysis. It also has the resources and means to attempt to steal passphrases using Trojans or o...

Changing the culture of an entire industry

Engendering a culture of security is something we normally talk about in relation to organizations and parts thereof (for example, changing the culture within management or within the IT department). I'm sure that most people who have actually tried to do this would agree that it's a tough challenge. It's not even entirely obvious how to define, let alone influence or change, corporate cultures. It's one of those things that is easier to say than to do. OK, now imagine your task is to engender a culture of security across a massive public body - like for example the UK's National Health Service. According to a piece in SC Magazine, the Information Commissioner is calling for changes in the NHS: “The sector needs to bring about a culture change so that staff can give more consideration to how they store and disclose data. Complying with the law needn't be a day-to-day burden if effective measures are built in and then become second nature." Actually, t...

Background checking the background checkers

If your organization conducts background checks on candidates prior to employing them into roles involving access to highly classified information, or when promoting employees to more responsible and trusted positions (good on yer!), your security probably depends heavily on those checks and hence on the checkers. Given the risks inherent in the process, you should definitely ensure that the process controls are adequate. For example, if you outsource your background checks, is the outsourcer competent and diligent? Do you need to check up on them? If so, how, and how often, should you check? Who, within your organization, is accountable for the quality of the checks and for any security incidents that result if the checks prove inadequate? I'm asking these questions because it has been known for background checkers to falsify evidence of the checks they are supposed to have conducted. Incidents of this nature are hard to uncover, expensive to investigate ...

Information protection awareness module

Our security awareness topic for July is "information protection", a deliberately nonspecific title covering a wide range of subjects such as: ownership and accountability for information assets; classification and baseline security.

Queensland Government security audit

Writing in the Courier Mail, journalist Mike O'Connor takes a particularly cynical view of the Auditor-General's latest official report into information systems governance and security at the Queensland Government: "IF YOU ran a business that spent $1.5 billion a year on information technology systems that contained highly sensitive, confidential data, then you would very likely take care that you were getting your money's worth. You might also ensure the best-practice security systems were in place and that your staff knew what to do and how to do it. The Queensland Government, however, takes a more relaxed approach to the value it gets for its $1.5 billion, one best characterised by those two delightful Australian synonyms for incompetence and ineptitude, "She'll be right'' and "No worries''." The audit report identified issues such as: Weaknesses in the overall governance of IT; No clear business owners for whole-of-gove...

Epsilon and ISO27k

A report by Jeanette Fitzgerald, Epsilon Data Management's General Counsel, to the U.S. House of Representatives' Committee on Commerce, Manufacturing, and Trade outlines the sequence of events involved in the Epsilon data breach on March 30th that compromised names and email addresses on the mailing lists of about 50 Epsilon clients. Epsilon's business is to provide the infrastructure enabling massive email marketing campaigns for its clients. While that may sound to some rather like legitimized spamming, Epsilon refers to it as "permission-based marketing" since recipients supposedly opt-in to the campaigns (albeit perhaps by failing to deselect the relevant option hidden deep in some marketing materials or during an inquiry or sales transaction) and have the ability to opt-out later. The hackers and scammers now in possession of the stolen personal information are unlikely to respect opt-ins or opt-outs however. There have been gloomy predictions of spea...

Messaging under repressive regimes

The New York Times has reported on a state-funded US program to help 'dissidents' establish covert wireless networks and Internet connections without relying on the government-controlled facilities. There are significant risks with such a venture, including the political issue of being seen to support subversion and destabilization of foreign governments: "Mrs. Clinton has made Internet freedom into a signature cause. But the State Department has carefully framed its support as promoting free speech and human rights for their own sake, not as a policy aimed at destabilizing autocratic governments. That distinction is difficult to maintain, said Clay Shirky, an assistant professor at New York University who studies the Internet and social media. “You can’t say, ‘All we want is for people to speak their minds, not bring down autocratic regimes’ — they’re the same thing,” Mr. Shirky said." Another risk concerns the creation of 'dual use technology' that c...

£40k emails

Emailing confidential personal data to the wrong addressees cost Surrey County Council a fine from the Information Commissioner's Office of £40k ... for each of the three times it happened in less than a year. Somewhat belatedly, the council said: "Measures have already been taken to reduce the risk of sensitive personal data being wrongly addressed and extra training on handling data securely has been given." If only they had done that before the first incident!

Tackling social engineering attacks with technology

Spear-phishing email attacks are a serious concern, a risk that is probably increasing. The attacks work by fooling victims into doing something inappropriate/unwise, such as visiting a dodgy website or opening a dodgy attachment. 'Fooling victims' is the crux of it, and email is just one of many possible ways of perpetrating the fraud. The 'spear' part of the name refers to messages that narrowly target specific individuals, using information about them or their interests to hook them. The most obvious way to tackle the spear phishing threat is to explain it, help potential victims limit the amount of potential lure material they release, recognize when they are being speared, and show them how to respond. Security awareness, in other words. It's what we do. Anti-malware is another part of the defense, along with various other security controls to limit the damage after a victim is fooled. And now, if you have $130-150k to spare, you can even buy an "applianc...

Creative ways to tackle spam

A research project at UCal has determined that just three credit card processors are responsible for processing most credit card purchases responding to a sizable sample of spam advertisements, suggesting the possibility of persuading them to block purchases associated with spam campaigns. While I like their creative approach to this intractable problem, I can see some issues with the proposal.  First someone would need to identify the transactions corresponding to spams, differentiating them from transactions for the same or similar goods that are not the result of spamming.  Secondly, they would need to persuade the processors to block the transactions, presumably cutting their fee income in the process.  Thirdly, the spammers seem likely to respond to such an attack, for example by diversifying their card processing, so it would turn into a cat-n-mouse chase. That aside, the article includes some interesting spam stats: "Spam has proved notoriously difficult to defeat...

Spear phishing awareness

"Targeted emails that tempt a user to click a hyperlink are among the most prevalent methods of infecting computers with malware or of stealing information," Top Layer's Paquette told TechNewsWorld. Spear phishing is all over the infosec news at the moment, with Google disclosing spear phishing attacks against Gmail users , and then various infosec/antivirus companies following up with stories about phishing attacks on other webmail users. The truth is that spear phishing has been around for several years, and it is known to be effective using all forms of email and in fact other messaging systems, not just webmail: the common factor is that the recipient is a human being.  How they get the message is irrelevant.  Even a note on the windshield would work.  The really worrying part is that some of the attacks are almost certainly so stealthy that victims don't even know they have been hit.  Colour me paranoid ("You're a paranoid infosec freak, Gary!!...

ISO27k gap analysis

Thanks to contributions by generous members of the ISO27k Forum, today we published an Excel file containing two spreadsheets: one concerns the gap between the organization's security management practices and those formally specified in ISO/IEC 27001. The other concerns which of the information security controls recommended by ISO/IEC 27002 management deems relevant to the organization's risks. For anyone designing and implementing an ISO27k-compliant Information Security Management System, both aspects are of interest. Both spreadsheets incorporate simple unweighted counts of the number of items in each category (i.e. management system requirements fully, partially or not implemented, and information security controls fully, partially or not applicable). Despite being so simplistic, these are surprisingly useful metrics for ISO27k implementation projects. The Excel file is part of the free ISO27k Toolkit. Enjoy!

Giving employees an uphill battle

A blog piece by David Lineman emphasizes the importance of having explicit corporate policies regarding private/personal use of corporate IT facilities.  David outlines three cases in which employees claimed that their emails were private, even though they were using the company systems and network.  His conclusion is straightforward enough: "All of these cases have happened within the last year, and they are likely to continue. The message for employers is clear: You must have acceptable use policies that cover internet and email, including the use of personal email accounts. In every case, employees had an uphill battle when there were policies in place." I would add two things.  Firstly, email is not the only issue here - as well as using the corporate email systems for personal reasons, employees often use the ICT facilities to access their webmail, and for SMS/TXT, IM, ICQ and other forms of person-to-person messaging.  Our model policy on person-to-person...

Messaging security awareness

Our security awareness topic for June is electronic messaging - primarily email with some reference to online chat via Instant Messaging and cellphone SMS/TXT messages. A lot of social interaction today occurs by electronic means, while organizations are increasingly adopting person-to-person messaging into their business processes for contacting employees, customers, suppliers and various others. The days are long gone when email was merely a ‘nice-to-have’: email has all but replaced letters, faxes and memos. Aside from the email junkies constantly checking their inboxes, most of us start to feel socially isolated if (when!) the messaging technologies let us down (not least me, living and working in the glorious but remote countryside of rural New Zealand). Availability is clearly an issue, but so too are integrity and confidentiality. Phishing and other social engineering scams assault us from all sides, while many a personal or corporate secret has slipped out in casua...

Amazon cloud incident a lesson in resilience and forensics

Amazon's EC2 cloud computing service suffered a serious incident on April 21st. Given that it affected several customers using its EBS (Elastic Block Store) service, Amazon could hardly deny it and has now published an interesting paper explaining what went wrong. The original trigger was a leeeetle mistake when reconfiguring network connectivity for some planned work. Primary network traffic was redirected to a network with inadequate capacity, resulting in the servers losing the vital network connections they need to remain in synch as part of a cluster. This in turn triggered the servers to try to re-synch, which exacerbated the network performance constraint until the house of cards fell. It caught my eye that Amazon's cloud-based relational database service was impacted by the incident: "In addition to the direct effect this EBS issue had on EC2 instances, it also impacted the Relational Database Service (“RDS”). RDS depends upon EBS for database and log storag...