Contingency Planning, Disaster Recovery, and Risk Assessments

1
Contingency Planning, Disaster Recovery, and
Risk Assessments

• Lesson 21

2
Some Terminology

• Nondisasters Disruptions in service stemming
  from system malfunction or other failure.
  Requires action to recover to operational status
  in order to resume service.
• Disasters Disruptions causing the entire
  facility to be inoperative for a lengthy period
  of time, usually more than one day. Requires
  action to recover operational status, usually the
  use of an alternate processing facility.
• Catastrophes Major disruptions entailing the
  destruction of the data processing facility.
  Short-term and long-term fallback is required.
  An alternate processing facility is needed to
  satisfy immediate operational needs, as in the
  case of a disaster.

3
Disaster Recovery

• A disaster recovery plan is often called a
  "business continuity plan" because the most
  important goal is to enable your company to
  remain in business.
• To determine your risk of a major disaster, ask
  yourself the following questions
• What would you do if your employees couldnt get
  to work?
• What would happen if your customers couldnt
  reach you for a few hours, days or even weeks?
• How would you deal with the loss of critical
  business data?
• Does your location frequently experience flash
  flooding, hurricanes, or tornadoes?

4
Business Continuity

• The key phrase in business continuity is "reduce
  risk"meaning to prepare for any event that
  could jeopardize your business
  ability to operate.
• If disaster strikes, companies have everything
  to losecritical data, profits,
  and information, all of which are critical assets
  in any company.
• A solid business continuity plan will ensure that
  your business can carry on as usual.

5
1 Priority

• The number-one priority of all business
  continuity and disaster planning is always this
  people first. While we talk about preservation
  of capital, resumption of normal business
  processing activities, and other business
  continuity issues, the main overriding concern of
  all plans is to get the personnel out of harms
  way. If there is at any time a conflict between
  preserving hardware or data and the threat of
  physical danger to personnel, the protection of
  the people always comes first. Personnel
  evacuation and safety must be the first element
  of a disaster response plan.

6
Prime Elements of BCP Process

• Scope and Plan Initiation
• This phase marks the beginning of the BCP
  process.
• It entails creating the scope and the other
  elements needed to define the parameters of the
  plan.
• Business Impact Assessment
• A BIA is a process used to help business units
  understand the impact of a disruptive event.
• This phase includes the execution of a
  vulnerability assessment.

7
Prime Elements of BCP Process

• Business Continuity Plan Development
• Refers to the information collected in the BIA to
  develop the actual business continuity plan.
• Includes the areas of plan implementation, plan
  testing, and ongoing plan maintenance.
• Plan Approval and Implementation
• Involves getting the final senior management
  sign-off, creating enterprise-wide awareness of
  the plan, and implementing a maintenance
  procedure for updating the plan as needed.

8
Business Impact Assessment

• The purpose of the BIA is to create a document to
  be used to help understand what impact a
  disruptive event would have on the business.
• A criticality survey is a standardized
  questionnaire or survey methodology, such as the
  INFOSEC Assessment Method (IAM). Its purpose is
  to help identify the most critical business
  functions by gathering input from management
  personnel in the various business units.

9
Determining whats critical

• One important task is to determine what assets
  are critical.
• Many texts have sample questionnaires that can be
  used to help an organization determine what is
  critical
• How long can the organization survive without the
  asset?
• What would be the loss to the organization should
  the asset be lost
• For 1 day? For 3 days? For a week? For a
  month?
• Loss in terms of lost revenue, clients, sales,
  fines/penalties, and/or additional expenses
• What other negative impacts might occur?

10
NSA INFOSEC Assessment Methodology

• The IAM is conducted in 3 phases
• Pre-assessment phase The team defines the
  customers needs and begins to identify the
  system, its boundaries, and the criticality of
  the information and begins to write the
  assessment plan. This phase normally takes about
  2 to 4 weeks.
• On-site phase Explore and confirm the
  conclusions made during phase I, gather data and
  documentation, conduct interviews, and provide an
  initial analysis. This phase takes about 1 to 2
  weeks.
• Post-assessment phase Finalize the analysis and
  prepare and distribute the report and
  recommendations. This phase can take from 2 to 8
  weeks.
• The heart of the IAM is the creation of the
  Organizational Criticality Matrix. In this
  chart, all relevant automated systems are
  assigned impact attributes (high, med, low) based
  on their estimated effect on Confidentiality,
  Integrity, and Availability, and criticality to
  the organization.

11
Business Continuity

• The survival of most organizations in todays
  environment is dependent on the continuity and
  preservation of essential requirements
• Disruption or impairment of certain necessities
  can affect the health of the enterprise.
• Lengthy disruptions can undermine the continuity
  of the business.
• Planning for disruption requires the
  establishment of strategies to minimize its
  effects and ensure timely resumption of business
  operations.

12
Continuity Strategy

• The BCP strategy should include several elements
  including consideration of
• Computing A strategy needs to be defined to
  preserve the elements of hardware, software,
  communication media, applications, and data.
• Facilities The strategy needs to address the
  use of the main buildings or campus and any
  remote facilities.
• People Operators, management, and technical
  support personnel will have defined roles in
  implementing the continuity strategy.
• Supplies and equipment Paper, forms, HVAC, or
  specialized security equipment must be defined as
  they apply to the continuity plan.

13
Disaster Recovery Planning

• A comprehensive statement of consistent actions
  to be taken before, during, and after a
  disruptive event that causes a significant loss
  of information systems resources.
• Disaster Recovery Plans are the procedures for
  responding to an emergency, providing extended
  backup operations during the interruption, and
  managing recovery and salvage processes
  afterwards, should an organization experience a
  substantial loss of processing capability.

14
BCP vs DRP

• Obviously, these two concepts are so close as to
  allow combining them into one domain.
• There are some differences, however. Basically
• BCP is the process of making the plans that will
  ensure that critical business functions can
  withstand a variety of emergencies.
• DRP involves making preparations for a disaster,
  but also addresses the procedures to be followed
  during and after a loss.
• Think focus,
• BCP What do I need to do to keep the business
  going?
• DRP What do we need to do in case of ltthisgt
  disaster?
• The answer to both questions MAY be the same.

15
Backup vs- Contingency Planning

• Backup strategies focus on alternatives for
  short-term and component failures.
• Contingency (continuity) Planning describes a
  more formal methodology for longer-term outages
  and disasters.

16
How extensive should the plans be?

• While it is incumbent upon management to plan
  for chance events, particularly where the events
  might seriously endanger the well-being of the
  enterprise, it must also be recognized that it is
  impossible to protect against all contingencies.
• At best, contingency planning should provide
  reasonable security within the economic
  constraints mandated by the nature of the
  processes performed.

17
Basic Elements of Contingency Plans

• Define Contingency (continuity) Planning Goals
• Identify and preserve vital records/data
• Develop (and test) emergency response guidelines
  and procedures

18
Transaction Redundancy

• Useful for more than just continuity planning.
• Electronic Vaulting the transfer of backup data
  to an off-site location. This is primarily a
  batch process of dumping the data through
  communications lines to a server at an alternate
  location.
• Remote journaling the parallel processing of
  transactions to an alternate site, as opposed to
  a batch dump process like electronic vaulting. A
  communications line is used to transmit live data
  as it occurs. This allows the alternate site to
  be fully operational at all times and introduces
  a very high level of fault tolerance.
• Database shadowing uses the live processing of
  remote journaling, but creates even more
  redundancy by duplicating the database sets to
  multiple servers.

19
Backup Requirements

• Hardware
• Hot sites fully configured and ready to operate
  within a few hours
• Warm sites partially configured (usually with
  peripherals but not the main computer or maybe
  with a smaller cpu). After installation of
  required computer the site will be ready to
  process within hours. Installation of computer
  can take days, however.
• Cold sites Basic environmental controls only.
  Ready to receive equipment but does not have any
  components on site in advance. Activation may
  take weeks.

20
Backup Requirements

• Software and Information Backup
• On-site local backup fire-resistant safe
  located on site with most recent backups.
• Off-site local backup fire-resistant vault
  located in another building but within a few
  miles. Used to store backup files changed on a
  weekly basis.
• Off-site remote backup fire-resistant vault
  located at least 5 miles from site. Used to
  retain remaining backup files in active use for
  more than a week.
• Archival storage underground, fire-resistant
  and earthquake-resistant storage facility located
  at least 50 miles from site. Used to house
  permanent records.

21
Some other considerations

• Multiple Centers (processing is spread over
  several operations centers, each capable of
  conducting the services by itself)
• Third-party (subscription services) hot, warm, or
  cold sites.
• Mobile Backup sites (computer-ready trailers that
  can be set up in a subscribers parking lot
  following a disaster)
• Mutual aid agreements
• RAID

22
RAID

• Redundant Array of Independent (Inexpensive)
  Disks
• Idea is to combine multiple inexpensive disk
  drives into an array of disk drives to obtain
  performance, capacity, and reliability that
  exceeds that of a single large drive

23

• Raid 0 striped disk drives without parity or
  data redundancy.
• Raid 1 Disk mirroring
• Raid 2 Sector-stripe with some drives assigned
  to store error correcting code information.
• No significant advantage over Raid 1 so usually
  not supported.
• Raid 3 Sector-stripe with one drive in the group
  dedicated to storing parity information
• Raid 4 Identical to Raid 3 but large stripes
  used. No real advantage over Raid 3.
• Raid 5 Rotating Parity Array, avoids write
  bottleneck caused by dedicating a single drive to
  parity checks.

24
(No Transcript)
25
Plan Testing

• Plans often become dated, they require periodic
  maintenance.
• Testing the plan is very important!!
• A tape backup system cannot be considered working
  until full restoration tests have been conducted
  otherwise, how do you know it will work?
• Test plan should be developed and conducted on a
  periodic and regular basis.

26
Risk Management
Risk Assessment
Risk Mitigation
Security Management
Security Auditing
Corrective Actions
27
Key questions at core of RM

• What could happen (threat event)?
• If it happened, how bad could it be (threat
  impact)?
• How often could it happen (threat frequency)?
• How certain are the answers to the first 3
  questions (recognition of uncertainty)?

28
What are security assessments

• Assessments are an examination of your current
  security posture
• Good mechanism to find and fix your holes before
  someone else finds them
• Keep in mind someone else is looking for your
  security holes even if you arent

29
What are security assessments

• Three common terms for security assessments
• Security Audit
• Risk Assessment
• Penetration Test

30
What are security assessments

• Security Audit
• More of a compliance check
• Checklists and standards
• Policies and procedures
• Backups
• Verification
• Are you doing what you are supposed to be doing
• BS 7799 (British Standards Institute Code of
  Practice for Information Security Management)
• Controls and practices

31
What are security assessments

• Risk Assessment
• Often more of an academic exercise
• Weighs likelihood against impact
• Weighs cost against benefit
• Much more business oriented

32
What are security assessments

• Penetration Test
• Looks for security vulnerabilities
• Unpatched operating system or application
• Known security holes
• Accounts with weak or no passwords
• Examines impact of discovered vulnerabilities
• Targets digital, physical, and personnel (social
  engineering) security
• Hands on test of your security
• More thorough and effective

33
Phases of a pen test

• Information gathering
• Open source (may include SE)
• Electronic (scans and probes)
• Goal is enumeration determining the systems,
  their OS and the services they are running
• Vulnerability research
• Attempted penetration
• If user level is obtained, attempt to escalate
• Documentation and Report generation

34
Vulnerability Assessment

• Another term you will hear, generally refers to
• An External penetration test
• An Internal test
• A review of the organizations policies,
  procedures, and training.
• Result is a report listing the vulnerabilities
  and, hopefully, the fixes for them.