1. Data Protection Chapter 9 Copyright Pearson Prentice Hall 2013

2.  Explain the necessity for backup.  Describe backup scope and methods.  Describe the different RAID levels.  Explain the need for data storage policies.  Explain database protections.  Explain the need for database access controls, auditing, and encryption.  Describe the difference between data leakage and data theft.  Explain data deletion, destruction, and disposal.  Explain digital rights management (DRM) and how it can prevent data loss. 2 Copyright Pearson Prentice Hall 2013

3. 3

4.  In prior chapters we focused on ◦ Protecting data as it passed over networks (Chapter 3) ◦ Hardening hosts that store data (Chapter 7) ◦ Securing applications that process data (Chapter 8)  This chapter will emphasize the protection of stored data 4 Copyright Pearson Prentice Hall 2013

5. 9.1 Introduction 9.2 Data Protection: Backup 9.3 Backup Media and RAID 9.4 Data Storage Policies 9.5 Database Security 9.6 Data Loss Prevention 5 Copyright Pearson Prentice Hall 2013

6.  This chapter will primarily focus on securing data while it is being stored  More specifically: ◦ How backup can prevent accidental data loss ◦ How to securely store data in a database ◦ How to prevent data from being taken out of the corporation ◦ How to securely dispose of data 6 Copyright Pearson Prentice Hall 2013

7. 9.1 Introduction 9.2 Data Protection: Backup 9.3 Backup Media and RAID 9.4 Data Storage Policies 9.5 Database Security 9.6 Data Loss Prevention 7 Copyright Pearson Prentice Hall 2013

8.  Importance ◦ In an incident, you may lose all data that is not backed up  Threats That Are Addressed by Backup ◦ Mechanical hard drive failure or damage in a fire or flood ◦ Data on lost or stolen computers is not available to the organization ◦ Malware can reformat the hard drive or do other data destruction 8 Copyright Pearson Prentice Hall 2013

9.  Scope of Backup ◦ Fraction of information on the hard drive that is backed up  File/Directory Data Backup ◦ Select data files and directories to be backed up  (Do not forget items on the desktop!) ◦ Not good for programs 9 Copyright Pearson Prentice Hall 2013

10.  Image Backup (SuperDuper)SuperDuper ◦ Everything, including programs and settings ◦ Image backup is very slow ◦ Data files change the most rapidly, so doing several file/directory data backups for each image backup may be appropriate  Shadowing (TimeMachine)TimeMachine ◦ A backup copy of each file being worked on is written every few minutes to the hard drive, or to another location 10 Copyright Pearson Prentice Hall 2013

11. 11 Local backup on individual PCs difficult to enforce. Centralized backup provides backup labor and enforcement. Local backup on individual PCs difficult to enforce. Centralized backup provides backup labor and enforcement. Copyright Pearson Prentice Hall 2013

12.  Continuous Data Protection (CDP) ◦ Used when a firm has two server locations ◦ Each location backs up the other in real time ◦ Other site can take over very quickly in case of a disaster, with little data loss ◦ Requires expensive high–speed transmission link between the sites 12 Copyright Pearson Prentice Hall 2013

13. 9.1 Introduction 9.2 Data Protection: Backup 9.3 Backup Media and RAID 9.4 Data Storage Policies 9.5 Database Security 9.6 Data Loss Prevention 13 Copyright Pearson Prentice Hall 2013

14.  Servers Normally Use Magnetic Tape ◦ Slow but inexpensive per bit stored  Second hard drive on computer ◦ Very fast backup ◦ But lost if computer is stolen or burns in a fire ◦ Backup up on tape occasionally for archival (long- term storage) 14 Copyright Pearson Prentice Hall 2013

15.  Clients Normally Use Optical disks (DVDs) ◦ Attraction is that almost all users have optical disk burners ◦ Dual-layer DVDs offer about 8 GB of capacity  This often is not enough  User may have to insert additional disks to do backup ◦ Backup up to a second client PC hard drive; then occasionally back up onto optical disks ◦ The life of information on optical disks is unknown 15 Copyright Pearson Prentice Hall 2013

16.  DNA!  Harvard cracks DNA storage, crams 700 terabytes of data into a single gram Harvard cracks DNA storage, crams 700 terabytes of data into a single gram Copyright Pearson Prentice-Hall 2010 16

17.  RAID—Redundant Array of Independent Disks ◦ Multiple hard drives within a single system  Increased reliability and performance ◦ A single hard drive failure won’t necessarily precipitate data loss ◦ Multiple disks can be written to simultaneously  RAID Levels—ways of configuring multi-disk arrays 17 Copyright Pearson Prentice Hall 2013

18. 18 Copyright Pearson Prentice Hall 2013

19. 19 Shipping BoxesStoring Data Copyright Pearson Prentice Hall 2013

20.  Striping—writing data simultaneously across multiple disks ◦ Very fast, but no reliability ◦ One disk failure will cause complete data loss  Mirroring—creating an exact copy of a disk at the same time ◦ Data transfer speeds remain nominal ◦ Virtually no data loss, but more costly to buy additional hard drives 20 Copyright Pearson Prentice Hall 2013

21. 21 Copyright Pearson Prentice Hall 2013

22. 22 Copyright Pearson Prentice Hall 2013

23. 23 Copyright Pearson Prentice Hall 2013

24. 24 Copyright Pearson Prentice Hall 2013

25. 25 Copyright Pearson Prentice Hall 2013

26. 9.1 Introduction 9.2 Data Protection: Backup 9.3 Backup Media and RAID 9.4 Data Storage Policies 9.5 Database Security 9.6 Data Loss Prevention 26 Copyright Pearson Prentice Hall 2013

27.  Spreadsheet Security ◦ Spreadsheets are widely used and the subject of many compliance regulations ◦ Need for security testing ◦ Spreadsheet vault server to implement controls 27 Copyright Pearson Prentice Hall 2013

28. 28 1. The vault server stores spreadsheets and strongly controls access to them. Authentication Authorizations Auditing 1. The vault server stores spreadsheets and strongly controls access to them. Authentication Authorizations Auditing 2. Spreadsheets record each change for auditing purposes 2. Spreadsheets record each change for auditing purposes Copyright Pearson Prentice Hall 2013

29. 29 3. Cryptographic Protections for Transmissions 3. Cryptographic Protections for Transmissions 4. Strong Client Security 4. Strong Client Security Copyright Pearson Prentice Hall 2013

30. 9.1 Introduction 9.2 Data Protection: Backup 9.3 Backup Media and RAID 9.4 Data Storage Policies 9.5 Database Security 9.6 Data Loss Prevention 30 Copyright Pearson Prentice Hall 2013

31.  Data Loss Prevention (DLP) ◦ A set of policies, procedures, and systems designed to prevent sensitive data from being released to unauthorized persons  Data Collection ◦ Most companies collect more data than they can adequately protect 31 Copyright Pearson Prentice Hall 2013

32.  Personally Identifiable Information (PII) ◦ Private employee or customer information that can be used to uniquely identify a person ◦ PII includes: names (full name), personal identification numbers (SSN), addresses (street or e-mail), personal characteristics (photo), and linking information (date of birth)  Data Masking ◦ Obscuring data such that it cannot identify a specific person, but remains practically useful 32 Copyright Pearson Prentice Hall 2013

33.  Spiders (crawlers)— navigate the Web gathering, organizing, and indexing web content  Web scraper— tool that extracts predefined data from specified web pages  Can aggregate extracted data from multiple websites  Mashup— combining data from various sites or applications 33 Copyright Pearson Prentice Hall 2013

34.  Document Restrictions ◦ Attempt to restrict what users can do to documents, in order to reduce security threats ◦ Embryonic  Digital Rights Management (DRM) ◦ Prevent unauthorized copying, printing, etc.  e.g. Print thisPrint this ◦ May not be able to see parts of documents 34 Copyright Pearson Prentice Hall 2013

35.  Data Extrusion Management ◦ Attempts to prevent restricted data files from leaving the firm without permission ◦ Watermark with invisible restriction indicators  Can be notified if sent via e-mail attachments or FTP  If each document is given a different watermark, can forensically identify the source of a document leak ◦ Traffic analysis to look for unusually large numbers of outgoing files sent by a user 35 Copyright Pearson Prentice Hall 2013

36. 36 Copyright Pearson Prentice Hall 2013

37.  Removable Media Controls ◦ Forbid the attachment of USB RAM drives and other portable media ◦ Reduces user abilities to make copies  Perspective ◦ Proven difficult to enforce ◦ Often reduces functionality in uncomfortable ways ◦ Companies have been reluctant to use them 37 Copyright Pearson Prentice Hall 2013

38.  Social Networking ◦ Do not discuss work on personal blogs  Don’t talk about new marketing campaigns  Don’t post negative comments about products ◦ Be cautious about information posted on professional networks  Competitors can use employee lists to hire away key employees 38 Copyright Pearson Prentice Hall 2013

39.  Data Destruction Is Necessary ◦ Backup media are not needed beyond their retention dates  If a computer is to be discarded  If the computer is to be sold or given to another user ◦ Drive-wiping software for hard drives  Reformatting the hard drive is not enough ◦ Shredding for CDs and DVDs 39 Copyright Pearson Prentice Hall 2013

40. 40 Copyright Pearson Prentice Hall 2013

41. Chapter 10 Copyright Pearson Prentice Hall 2013

42.  Explain the basics of disaster response.  Describe the incident response process for major incidents.  Describe legal considerations.  Explain the necessity of backup.  Describe the functions and types of intrusion detection systems (IDSs).  Explain the importance of education, certification, and awareness.  Describe business continuity planning.  List the advantages of data centers.  Know the IT disaster recovery process. 42 Copyright Pearson Prentice Hall 2013

43. 43 Copyright Pearson Prentice Hall 2013

44.  In previous chapters, we have looked at threats, planning, and protections  In Chapter 10, we complete the discussion of the plan-protect-respond cycle  Response planning is necessary because defenses can never stop all attacks. Companies must respond appropriately when attacks happen or natural disasters occur 44 Copyright Pearson Prentice Hall 2013

45. 10.1 Introduction 10.2 Incident Response Process 10.3 Intrusion Detection Systems 10.4 Business Continuity Planning 10.5 IT Disaster Recovery 45 Copyright Pearson Prentice Hall 2013

46.  The Situation ◦ Hurricane Katrina devastated New Orleans in 2005  Followed shortly by Hurricane Rita ◦ The U.S. Federal Emergency Management Administration (FEMA) botched the relief effort 46 Copyright Pearson Prentice Hall 2013

47.  Walmart Is the Largest Retailer in the United States ◦ Supplied $20 million in cash ◦ Supplied 100,000 free meals ◦ 1,900 truckloads full of diapers, toothbrushes, other emergency supplies  45 trucks were rolling before the hurricane hit land ◦ Provided police and relief workers with flashlights, batteries, ammunition, protective gear, and meals 47 Copyright Pearson Prentice Hall 2013

48.  What Was Walmart’s Process?  Walmart Business Continuity Center ◦ A permanent department with a small core staff ◦ Activated two days before Katrina hit ◦ Soon, 50 managers and specialists were at work in the center 48 Copyright Pearson Prentice Hall 2013

49.  Walmart Business Continuity Center ◦ Before computer network went down, sent detailed orders to its distribution center in Mississippi ◦ Recovery merchandise for stores: bleach and mops, etc. ◦ 40 power generators to supply stores with backup power ◦ Sent loss-prevention employees to secure stores 49 Copyright Pearson Prentice Hall 2013

50.  Communication ◦ Network communication failed ◦ Relied on telephone to contact its stores and other key constituencies  Response ◦ Stores came back to business within days ◦ Engaged local law enforcement to preserve order in lines to get into stores 50 Copyright Pearson Prentice Hall 2013

51.  Preparation ◦ Full-time director of business continuity ◦ Detailed business continuity plans ◦ Clear lines of responsibility  Multitasking ◦ During all of this, were monitoring a hurricane off Japan 51 Copyright Pearson Prentice Hall 2013

52.  Incidents Happen ◦ Protections inevitably break down occasionally ◦ Successful attacks are called security incidents, breaches, or compromises  Incident Severity ◦ False alarms  Apparent compromises are not real compromises  Also called false positives  Handled by the on-duty staff  Waste time and may dull vigilance 52 Copyright Pearson Prentice Hall 2013

53.  Incident Severity ◦ Minor incidents  Breaches that on-duty staff can handle  Little to no management or policy issues ◦ Major incidents  Beyond the capabilities of the on-duty staff  Must convene a Computer Security Incident Response Team (CSIRT)  CSIRT needs participation beyond IT security 53 Copyright Pearson Prentice Hall 2013

54.  Organization of the CSIRT ◦ Should be led by a senior manager ◦ Should have members from affected line operations ◦ The IT security staff may manage the CSIRT’s operation on a day-to-day basis ◦ Might need to communicate with the media; only do so via public relations ◦ The corporate legal counsel must be involved to address legal issues ◦ Human resources is necessary, especially if there are to be sanctions against employees 54 Copyright Pearson Prentice Hall 2013

55.  Incident Severity ◦ Disasters  Fires, floods, hurricanes, major terrorist attacks  Must assure business continuity  Maintaining the day-to-day operations of the firm  Need a business continuity group headed by a senior manager  Core permanent staff will facilitate activities  IT disaster response is restoring IT services  May be a subset of business continuity  May be a stand-alone IT disaster 55 Copyright Pearson Prentice Hall 2013

56.  Speed and Accuracy Are of the Essence ◦ Speed of response can reduce damage  Attacker will have less time to do damage  The attacker cannot burrow as deeply into the system and become very difficult to detect  Speed is also necessary in recovery 56 Copyright Pearson Prentice Hall 2013

57.  Speed and Accuracy Are of the Essence ◦ Accuracy is equally important  Common mistake is to act on incorrect assumptions  If misdiagnose the problem or take the wrong approach, can make things much worse  Take your time quickly 57 Copyright Pearson Prentice Hall 2013

58.  Planning Before an Incident or Disaster ◦ Decide what to do ahead of time ◦ Have time to consider matters thoroughly and without the time pressure of a crisis ◦ (During an attack, human decision-making skills degrade) ◦ Incident response is reacting to incidents according to plan ◦ Within the plan, need to have flexibility to adapt ◦ Best to adapt within a plan than to improvise completely 58 Copyright Pearson Prentice Hall 2013

59.  Team Members Must Rehearse the Plan ◦ Rehearsals find mistakes in the plan ◦ Practice builds speed  Types of Rehearsals ◦ Walkthroughs (table-top exercises) ◦ Live tests (actually doing planned actions) can find subtle problems but are expensive 59 Copyright Pearson Prentice Hall 2013

60. 10.1 Introduction 10.2 Incident Response Process 10.3 Intrusion Detection Systems 10.4 Business Continuity Planning 10.5 IT Disaster Recovery 60 Copyright Pearson Prentice Hall 2013

61.  Process for Major Incidents  Detection, Analysis, and Escalation ◦ Must detect through technology or people  Need good intrusion detection technology  All employees must know how to report incidents ◦ Must analyze the incident enough to guide subsequent actions  Confirm that the incident is real  Determine its scope: who is attacking; what are they doing; how sophisticated they are, etc. 61 Copyright Pearson Prentice Hall 2013

62.  Detection, Analysis, and Escalation ◦ If deemed severe enough, escalate to a major incident  Pass to the CSIRT, the disaster response team, or the business continuity team 62 Copyright Pearson Prentice Hall 2013

63.  Containment ◦ Disconnection of the system from the site network or the site network from the Internet (damaging)  Harmful, so must be done only with proper authorization  This is a business decision, not a technical decision 63 Copyright Pearson Prentice Hall 2013

64.  Containment ◦ Black-holing the attacker (only works for a short time) ◦ Continue to collect data (allows harm to continue) to understand the situation  Especially necessary if prosecution is desired 64 Copyright Pearson Prentice Hall 2013

65.  Recovery ◦ Repair during continuing server operation  Avoids lack of availability  No loss of data  Possibility of a rootkit not having been removed, etc. 65 Copyright Pearson Prentice Hall 2013

66.  Recovery ◦ Data  Restoration from backup tapes  Loses data since last trusted backup 66 Copyright Pearson Prentice Hall 2013

67.  Recovery ◦ Software  Total software reinstallation of operating system and applications may be necessary for the system to be trustable  Manual reinstallation of software  Need installation media and product activation keys  Must have good configuration documentation before the incident  Reinstallation from a disk image  Can greatly reduce time and effort  Requires a recent disk image 67 Copyright Pearson Prentice Hall 2013

68.  Apology ◦ Acknowledge responsibility and harm without evasion or weasel words ◦ Explain potential inconvenience and harm in detail ◦ Explain what actions will be taken to compensate victims, if any 68 Copyright Pearson Prentice Hall 2013

69.  Punishment ◦ Punishing employees usually is fairly easy  Most employees are at-will employees  Companies usually have wide discretion in firing at-will employees  This varies internationally  Union agreements may limit sanctions or at least require more detailed processes 69 Copyright Pearson Prentice Hall 2013

70.  Punishment ◦ The decision to pursue criminal prosecution  Must consider cost and effort  Must consider probable success if pursue (often attackers are minors or foreign nationals)  Loss of reputation because the incident becomes public 70 Copyright Pearson Prentice Hall 2013

71.  Punishment ◦ Collecting and managing evidence  Forensics: courts have strict rules for admitting evidence in court  Call the authorities and a forensics expert for help 71 Copyright Pearson Prentice Hall 2013

72.  Punishment ◦ Collecting and managing evidence  Protecting evidence  Pull the plug on a server if possible  This is a business decision, not an IT decision  Document the chain of custody  Who held the evidence at all times  What they did to protect it  Document the chain of custody 72 Copyright Pearson Prentice Hall 2013

73.  Postmortem Evaluation ◦ What should we do differently next time? 73 Copyright Pearson Prentice Hall 2013

74.  18 U.S.C. § 1030 ◦ United States Code Title 18, Part I (Crimes) Section 1030 ◦ Actions prohibited  Hacking  Malware  Denial of service 74 Copyright Pearson Prentice Hall 2013

75.  18 U.S.C § 1030 ◦ Protected computers  Applicability is limited to protected computers  Include “government computers, financial institution computers, and any computer which is used in interstate or foreign commerce or communications” ◦ Often require damage threshold for prosecution  The FBI may require even higher damages to prosecute 75 Copyright Pearson Prentice Hall 2013

76.  18 U.S.C § 2511 ◦ Prohibits the interception of electronic messages, both en route and after the message is received and stored ◦ Allows e-mail service providers to read the content of mail  A company can read employee mail if it owns the mail system 76 Copyright Pearson Prentice Hall 2013

77.  Other Federal Laws ◦ Many traditional federal criminal laws may apply in individual cases ◦ For example, fraud, extortion, and the theft of trade secrets ◦ These laws often have far harsher consequences than cybercrime laws 77 Copyright Pearson Prentice Hall 2013

78. 10.1 Introduction 10.2 Incident Response Process 10.3 Intrusion Detection Systems 10.4 Business Continuity Planning 10.5 IT Disaster Recovery 78 Copyright Pearson Prentice Hall 2013

79.  Logging ◦ Captures discrete events time-stamped ◦ Stored in a sequential file  Automated Analysis ◦ Attack Signatures (see my Hack) ◦ Anomaly Detection  Deviations from past activity  Actions ◦ Alarm ◦ Log Summary Reports should be reviewed ◦ Support Interactive Log Analysis Tools Copyright Pearson Prentice-Hall 2010 79

80.  Event logging for suspicious events  Sometimes, send alarms  A detective control, not a preventative or restorative control 80 Copyright Pearson Prentice Hall 2013

81. 81 Copyright Pearson Prentice Hall 2013

82.  Multiple IDS allow a better overview of attack  Agents ◦ Each device collecting data/event  Manger program ◦ Integrates log files from all sources ◦ Batch transfers  Least expensive  Hacker disables event logging, if done between batches hack may go undetected  Real-Time  More expensive  Doesn’t suffer from hacking Copyright Pearson Prentice-Hall 2010 82

83. 83 Copyright Pearson Prentice Hall 2013

84.  Network IDSs (NIDSs) ◦ Stand-alone device or built into a switch or router ◦ NIDSs see and can filter all packets passing through them ◦ Switch or router NIDSs can collect data on all ports ◦ A NIDS collects data for only its portion of the network  Blind spots in network where no NIDS data is collected ◦ Cannot filter encrypted packets 84 Copyright Pearson Prentice Hall 2013

85.  Host IDSs (HIDSs) ◦ Attractions  Provide highly detailed information for the specific host ◦ Weaknesses of Host IDSs  Limited Viewpoint; Only one host  Host IDSs can be attacked and disabled 85 Copyright Pearson Prentice Hall 2013

86.  Host IDSs (HIDSs) ◦ Operating System Monitors  Collects data on operating system events  Multiple failed logins  Creating new accounts  Adding new executables (programs—may be attack programs) 86 Copyright Pearson Prentice Hall 2013

87.  Host IDSs (HIDSs) ◦ Operating System Monitors  Modifying executables (installing Trojan horses does this)  Adding registry keys (changes how system works)  Changing or deleting system logs and audit files  Changing system audit policies  User accessing critical system files  User accessing unusual files  Changing the OS monitor itself 87 Copyright Pearson Prentice Hall 2013

88.  Log Files ◦ Flat files of time-stamped events ◦ Individual logs for single NIDs or HIDs ◦ Integrated logs  Aggregation of event logs from multiple IDS agents  Difficult to create because of format incompatibilities  Time synchronization of IDS event logs is crucial (Network Time Protocol) 88 Copyright Pearson Prentice Hall 2013

89.  Event Correlation ◦ Suspicious patterns in a series of events across multiple devices ◦ Difficult because the relevant events exist in much larger event streams that are logged ◦ Usually requires many analysis of the integrated log file data 89 Copyright Pearson Prentice Hall 2013

90. Sample Log File (many irrelevant log entries not shown) 90 Copyright Pearson Prentice Hall 2013

91.  Tuning for Precision ◦ Too many false positives  False alarms  Can overwhelm administrators, dull vigilance ◦ False negatives allow attacks to precede unseen 91 Copyright Pearson Prentice Hall 2013

92.  Tuning for Precision ◦ Tuning for false positives turns off unnecessary rules; reduces alarm levels of unlikely rules  For instance, alarms for attacks against Solaris operating systems can be deleted if a firm has no Sun Microsystems servers  Tuning requires a great deal of expensive labor  Even after tuning, most alerts will be false positives 92 Copyright Pearson Prentice Hall 2013

93.  Updates ◦ Program, attack signatures must be updated frequently  Processing Performance ◦ If processing speed cannot keep up with network traffic, some packets will not be examined ◦ This can make some IDSs useless during attacks that increase the traffic load 93 Copyright Pearson Prentice Hall 2013

94.  Storage ◦ There will be limited disk storage for log files ◦ When log files reach storage limits, they must be archived ◦ Event correlation is difficult across multiple backup tapes ◦ Adding more disk capacity reduces the problem but never eliminates it 94 Copyright Pearson Prentice Hall 2013

95.  Honeypot Honeypot ◦ A fake server or entire network segment with multiple clients and servers ◦ Legitimate users should never try to reach resources on the honeypot ◦ Primarily used by researchers studying attacker behavior by recording everything a visitor does 95 Copyright Pearson Prentice Hall 2013

96. 10.1 Introduction 10.2 Incident Response Process 10.3 Intrusion Detection Systems 10.4 Business Continuity Planning 10.5 IT Disaster Recovery 96 Copyright Pearson Prentice Hall 2013

97.  Business Continuity Planning ◦ A business continuity plan specifies how a company plans to restore or maintain core business operations when disasters occur ◦ IT Disaster response is restoring IT services 97 Copyright Pearson Prentice Hall 2013

98. 98 Copyright Pearson Prentice Hall 2013

99.  Principles of Business Continuity Management ◦ Protect people first  Evacuation plans and drills  Never allow staff members back into unsafe environments  Must have a systematic way to account for all employees and notify loved ones  Counseling afterwards 99 Copyright Pearson Prentice Hall 2013

100.  Principles of Business Continuity Management ◦ People have reduced capacity in decision making during a crisis  Planning and rehearsal are critical ◦ Avoid rigidity  Unexpected situations will arise  Communication will break down and information will be unreliable  Decision makers must have the flexibility to act 100 Copyright Pearson Prentice Hall 2013

101.  Principles of Business Continuity Management ◦ Communication  Try to compensate for inevitable breakdowns  Have a backup communication system  Communicate constantly to keep everybody “in the loop” 101 Copyright Pearson Prentice Hall 2013

102.  Business Process Analysis ◦ Identification of business processes and their interrelationships ◦ Prioritization of business processes  Downtime tolerance (in the extreme, mean time to belly-up)  Importance to the firm  Required by higher-importance processes ◦ Resource needs (must be shifted during crises)  Cannot restore all business processes immediately 102 Copyright Pearson Prentice Hall 2013

103.  Testing the Plan ◦ Difficult because of the scope of disasters ◦ Difficult because of the number of people involved 103 Copyright Pearson Prentice Hall 2013

104.  Updating the Plan ◦ Must be updated frequently ◦ Business conditions change and businesses reorganize constantly ◦ People who must execute the plan also change jobs constantly ◦ Telephone numbers and other contact information must be updated far more frequently than the plan as a whole ◦ Should have a small permanent staff 104 Copyright Pearson Prentice Hall 2013

105. 10.1 Introduction 10.2 Incident Response Process 10.3 Intrusion Detection Systems 10.4 Business Continuity Planning 10.5 IT Disaster Recovery 105 Copyright Pearson Prentice Hall 2013

106.  IT Disaster Recovery ◦ IT disaster recovery looks specifically at the technical aspects of how a company can get its IT back into operation using backup facilities ◦ A subset of business continuity or for disasters the only affect IT ◦ All decisions are business decisions and should not be made by mere IT or IT security staffs 106 Copyright Pearson Prentice Hall 2013

107.  Types of Backup Facilities ◦ Hot sites  Ready to run (power, HVAC, computers): just add data  Considerations: rapid readiness at high cost  Must be careful to have the software at the hot site up-to-date in terms of configuration 107 Copyright Pearson Prentice Hall 2013

108.  Types of Backup Facilities ◦ Cold sites  Building facilities, power, HVAC, communication to outside world only  No computer equipment  Less expensive but usually take too long to get operating 108 Copyright Pearson Prentice Hall 2013

109.  Types of Backup Facilities ◦ Site sharing  Site sharing among a firm’s sites (problem of equipment compatibility and data synchronization)  Continuous data protection needed to allow rapid recovery 109 Copyright Pearson Prentice Hall 2013

110.  Office Computers ◦ Hold much of a corporation’s data and analysis capability ◦ Will need new computers if old computers are destroyed or unavailable  Will need new software  Well-synchronized data backup is critical ◦ People will need a place to work 110 Copyright Pearson Prentice Hall 2013

111.  Restoration of Data and Programs ◦ Restoration from backup tapes: need backup tapes at the remote recovery site ◦ May be impossible during a disaster  Testing the IT Disaster Recovery Plan ◦ Difficult and expensive ◦ Necessary 111 Copyright Pearson Prentice Hall 2013

112. Or, as we say in Hawaii, “All pau” 112

113. Copyright © 2013 Pearson Education, Inc. Copyright © 2013 Pearson Education, Inc. Publishing as Prentice Hall