Disaster Recovery

Principles of Computer Security:
CompTIA Security+® and Beyond, Second Edition
Disaster Recovery, Business Continuity,
and Organizational Policies
Chapter 19
© 2010
Objectives
• Describe the various ways backups are
conducted and stored.
• Explain different strategies for alternative site
processing.
• Describe the various components of a business
continuity plan.
• Explain how policies and procedures play a daily
role in addressing the security needs of an
organization.
Key Terms
• Acceptable use policy (AUP)
• Business continuity plan (BCP)
• Business impact assessment (BIA)
• Cold site
• Delta backup
• Differential backup
• Disaster recovery plan (DRP)
Key Terms (continued)
• Due care
• Due diligence
• Fault tolerance
• Full backup
• High availability
• Hot site
• Incident response policy
• Incremental backup
Key Terms (continued)
• Least privilege
• Mutual aid agreement
• Policies
• Procedures
• Separation of duties
• Service level agreement (SLA)
• Standards
• Warm site
Disaster Recovery
• Organizations face a variety of disaster
scenarios.
• Disasters can be caused by nature or manmade
events.
• Disaster recovery plans consider all types of
organizational disruption.
• Different disruptions will require different
recovery strategies.
Disaster Recovery Plans (DRP) / Process
• DRPs are intended to minimize disaster impact.
– Defines the data, resources, and necessary
steps to restore critical organizational
processes.
• Planning process, initial phase:
– Consider needed resources to perform the company’s
mission.
– Identify critical functions.
Disaster Recovery Plans / Process
(continued)
• Initial phase yields the business impact
assessment (BIA).
• Continued planning includes:
– Outline of processes and procedures to restore an
organization's critical operations
– Prioritized according to criticality for restoration
Category, Level of the Function's Need, and How Long the Organization Can Last Without the Function
• Critical
– Level of need: Absolutely essential for operations. Without the function, the basic mission of the organization cannot occur.
– How long without it: The function is needed immediately. The organization cannot function without it.
• Necessary for normal processing
– Level of need: Required for normal processing, but the organization can live without it for a short period of time.
– How long without it: Can live without it for at most 30 days before your organization is severely impacted.
• Desirable
– Level of need: Not needed for normal processing but enhances the organization's ability to conduct its mission efficiently.
– How long without it: Can live without the function for more than 30 days, but it is a function that will eventually need to be accomplished when normal operations are restored.
• Optional
– Level of need: Nice to have but does not affect the operation of the organization.
– How long without it: Not essential, and no subsequent processing will be required to restore this function.
• Consider eliminating
– Level of need: No discernable purpose for the function.
– How long without it: No impact to the organization; the function is not needed for any organizational purpose.
Business Continuity Plan (BCP)
• Focuses on continued operation of a business in
extenuating circumstances.
• Stronger emphasis placed on critical systems.
• Will describe the functions that are most critical, based
on a previously conducted BIA.
• Will describe the order in which functions should be
returned to operation.
• Describes what is needed for the business to continue
to operate.
Backups
• Critical part of the BCP and DRP
• Provides valid, uncorrupted data for restoration
• Good backups include all needed files
– Applications, operating systems, and utilities
What Needs to Be Backed Up?
• Data
• Application programs
• Operating systems
• Utilities for the hardware platform
• Personnel, equipment, and electrical power must also be part of the plan.
• A backup plan should back up frequently changing files more often than files that do not change much.
Backup Strategy
• Backup considerations
– Size of the resulting backup
– Media used for the backup
– How long backups will be stored
• Four types of backups
– Full, differential, incremental, delta
Backup Types
• Full backup
– All files copied onto the storage media
• Differential backup
– Files that have changed since last full backup
• Incremental backup
– Files changed since the last full or incremental backup
• Delta backup
– Portions of files changed since last backup
Characteristics of Different Backup Types
• Full
– Amount of space: Large
– Restoration: Simple
• Differential
– Amount of space: Medium
– Restoration: Simple
• Incremental
– Amount of space: Medium
– Restoration: Involved
• Delta
– Amount of space: Small
– Restoration: Complex
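As an added example (not from the textbook), the Python below simulates the four backup types defined on the previous slide over a constructed four-day file history and measures the two characteristics in this table: how many blocks each strategy writes to media, and how many backup sets an operator must read back to restore the latest state. Files are modelled as tuples of fixed-size blocks so that a delta backup can store only the changed blocks; file deletions are not modelled.

```python
def changed_files(current, base):
    """Files (as {name: tuple of blocks}) whose blocks differ from `base`; new files count."""
    return {f: b for f, b in current.items() if base.get(f) != b}

def make_backups(history, kind):
    """Day 0 is always a full backup; later days use `kind`. Returns (day, kind, payload) sets."""
    backups = [(0, "full", dict(history[0]))]
    for day in range(1, len(history)):
        cur, prev = history[day], history[day - 1]
        if kind == "full":
            payload = dict(cur)
        elif kind == "differential":        # all files changed since the last full
            payload = changed_files(cur, history[0])
        elif kind == "incremental":         # files changed since the previous backup
            payload = changed_files(cur, prev)
        else:                               # delta: only the changed blocks of a file
            payload = {f: {i: b for i, b in enumerate(blocks)
                           if i >= len(prev.get(f, ())) or prev[f][i] != b}
                       for f, blocks in changed_files(cur, prev).items()}
        backups.append((day, kind, payload))
    return backups

def restore(backups):
    """Return (restored files, sets read): last full + newest differential, or + every later incr/delta."""
    last_full = max(i for i, (_, k, _) in enumerate(backups) if k == "full")
    tail = backups[last_full + 1:]
    needed = [backups[last_full]]
    needed += tail[-1:] if tail and tail[-1][1] == "differential" else tail
    state = {}
    for _, kind, payload in needed:
        for f, data in payload.items():
            if kind == "delta":             # patch changed blocks into the file restored so far
                blocks = list(state.get(f, ()))
                blocks += [None] * (max(data) + 1 - len(blocks))
                for i, b in data.items():
                    blocks[i] = b
                state[f] = tuple(blocks)
            else:
                state[f] = tuple(data)
    return state, len(needed)

def blocks_stored(backups):  # total blocks written to media: the "Amount of Space" column
    return sum(len(d) for _, _, p in backups for d in p.values())

def build_history():
    """Constructed sample: three files; one 'db' block changes each day, 'cfg' changes once."""
    day0 = {"db": ("d0", "d1", "d2", "d3"), "cfg": ("c0", "c1"), "app": ("a0", "a1", "a2")}
    day1 = dict(day0, db=("d0", "d1", "d2", "d3v1"))
    day2 = dict(day1, db=("d0v2", "d1", "d2", "d3v1"), cfg=("c0", "c1v2"))
    day3 = dict(day2, db=("d0v2", "d1v3", "d2", "d3v1"))
    return [day0, day1, day2, day3]
```

On this sample the full strategy writes 36 blocks but restores from one set, while delta writes 13 blocks and needs every set since the last full, matching the space/restoration trade-off in the table.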
Backup Frequency / Retention
• Base frequency on time organization can survive
without current data.
• Base retention on operational environment and
frequency of backups.
• Retention strategy should avoid putting all backups
in one location.
– Ideally an offsite location will also be used.
Alternative Sites
• Should be considered in BCP / DRP
• Three types of sites:
– Hot site: Fully configured environment that
can be operational immediately
– Warm site: Partially configured, lacks more
expensive computing components
– Cold site: Basic environmental controls but
few computing components
Utilities
• Power failures may disrupt operations
– UPSs provide enough power to allow systems
to be shut down gracefully.
– Backup generator may be necessary for
sustained power needs.
• Other utilities like telephone and Internet
should be considered.
Secure Recovery
• Provide power, communications, and
technical support.
• Offer a secure operating environment.
• Provide restoration of critical files and
data.
Cloud Computing
• Allows for the contracting of functions like
e-mail and file storage to third parties
• Can be more cost effective but also comes
with inherent risks
High Availability and Fault Tolerance
• High availability is the ability to maintain
availability during disruptive events.
• Fault tolerance is provided by a mirrored system that
takes over if a fault occurs.
• A single point of failure is a component of a critical
operation whose failure would cause the entire
operation to fail.
Increasing Reliability
• RAID can mitigate availability problems caused
by disk failures.
• Redundant systems and spare parts also serve
to decrease availability issues.
• RAIDs
– 0: no redundancy, improved performance
– 1: mirrored drives, expensive
– 5: spread across disks with parity, inexpensive
redundancy
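An added example (not from the textbook) of why RAID 5's parity gives "inexpensive redundancy": the Python below stripes a constructed payload across four simulated disks with a rotating XOR parity chunk, then reconstructs one lost disk from the survivors. Disk and chunk sizes are assumptions chosen to keep the demonstration small.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def raid5_write(data: bytes, ndisks: int, chunk: int = 4):
    """Stripe `data` across ndisks: each stripe holds ndisks-1 data chunks plus one XOR
    parity chunk, and the parity chunk rotates to a different disk on each stripe."""
    assert ndisks >= 3, "RAID 5 needs at least three disks"
    nd = ndisks - 1
    data += b"\0" * (-len(data) % (chunk * nd))          # pad to a whole stripe
    disks = [[] for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(data), chunk * nd)):
        chunks = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(nd)]
        parity = bytes(chunk)
        for c in chunks:
            parity = xor_bytes(parity, c)
        pdisk = (ndisks - 1 - s) % ndisks                  # rotating parity position
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(it))
    return disks

def raid5_read(disks):
    """Reassemble the data from a healthy array, skipping each stripe's parity chunk."""
    ndisks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        pdisk = (ndisks - 1 - s) % ndisks
        out += b"".join(disks[d][s] for d in range(ndisks) if d != pdisk)
    return out

def raid5_rebuild(disks, failed):
    """Reconstruct one lost disk onto a spare: in every stripe the XOR of all chunks
    (data and parity) is zero, so the missing chunk is the XOR of the survivors."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = []
    for s in range(len(survivors[0])):
        acc = bytes(len(survivors[0][s]))
        for disk in survivors:
            acc = xor_bytes(acc, disk[s])
        rebuilt.append(acc)
    repaired = list(disks)
    repaired[failed] = rebuilt
    return repaired

SAMPLE = b"customer ledger, Q1 2010"   # constructed sample payload, two stripes on 4 disks
```

Only one disk can be lost at a time; a second simultaneous failure leaves the XOR equation unsolvable, which is the risk the slide's "redundant systems and spare parts" point addresses.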
Spare Parts and Redundancy
• Common applications of redundancy
– Redundant servers
– Redundant connections
– Redundant ISPs
– Spare parts
Computer Incident Response Teams
(CIRT)
• Investigate incidents, advise on how to proceed.
• CIRTs should consist of permanent and ad hoc
team members.
• Details of the CIRT should be finalized before
an incident occurs.
Test, Exercise, and Rehearse
• DRP should be practiced periodically.
– Reveals potential flaws in the plan
• Exercise to practice procedures.
• Test to grade performance.
• Evaluate performance and make
improvements as needed.
Policies and Procedures
• Policies are high-level, broad statements of what
an organization wants to accomplish.
• Procedures are generally step-by-step
instructions on how to implement policy.
• Standards are mandatory elements regarding the
implementation of policy.
Security Policies
• Security policies define high-level goals for
security for an organization.
• Other more specific policies include:
– Acceptable use policy
– Internet usage policy
– Email usage policy
– Due care and due diligence
Additional Security Policies
• Prudent person principle
• Separation of duties
• Need to know and least privilege
• Password management
• Disposal and destruction
• Change management policy
• Classification of information
Privacy
• Privacy policy should be completed
detailing how information is safeguarded.
• Privacy is enforced by law for some
organizations.
• Personally Identifiable Information (PII) is
becoming increasingly important to
safeguard.
Service Level Agreement
• Agreement between two entities that
specifies:
– Minimum levels of service
– Penalties for failing to meet specified service
levels
– May also define service providers’
responsibility in a BCP or DRP
Human Resources Policies
• People are the weakest link in security.
• Specific policies should be developed regarding:
– New hire screening processes
– Periodic review process for current employees
– Employee termination process
– Mandatory vacation to uncover wrongdoing
Code of Ethics
• Describes expected behavior from a high-level standpoint
• Sets tone for employee conduct
• Encourages integrity and high ethical
standards
Incident Response Policies and
Procedures
• Several phases should be covered in an
incident response policy:
– Preparation
– Detection
– Containment and eradication
– Recovery
– Follow-up actions
Incident Response: Preparation
• Preparation activities
– Determine points of contact.
– Train employees for understanding.
– Establish the incident response team.
– Acquire needed equipment.
– Complete any specialized training needed.
Incident Response: Detection, Containment, and Eradication
• Detection activities
– Determine if an incident has occurred; work with network and system administrators.
• Containment and eradication activities
– Contain the intruder; decide about prosecution.
– Restore operations without destroying evidence.
– Update antivirus and network peripherals as needed.
– Take steps to prevent future incidents (patching, etc.).
Incident Response: Recovery
• Recovery activities
– Assess the situation to determine what
actually occurred.
– Begin recovery based on assessment.
– May involve use of BCP to return business
back to normal operation.
Incident Response: Follow-Up Actions
• Follow-up activities
– Report on the incident to senior management.
– Report should address what happened and
how it was addressed.
– Give recommendation to prevent future
incidents.
Chapter Summary
• Describe the various ways backups are
conducted and stored.
• Explain different strategies for alternative site
processing.
• Describe the various components of a business
continuity plan.
• Explain how policies and procedures play a daily
role in addressing the security needs of an
organization.