behaviour based IPS / IDS might be ablte to detect this abnormality
Backups
Fault Tolerance
internal SLA’s
provide as high availability as possible
we use a high degree of redundancy and resiliency as makes sense
requires a plan!
Full Backup
Backup all
clears all archive bits
Incremental
Backup all, since the last (full/incremental) backup
clears all archive bits
Differantial
Backup only the changed data, since last full backup
doesn’t clear the archive bit
Copy Backup
like full backup / on demand
RAID
Disk Mirroring
- write the same data across multiple disk
- slower
- needs > 2 Disk
Disk Striping
writing the data simultanuasly accross disk
higher speed
without parity > 2 disks
with parity > 3 disks
Continuity of Operations
Redundancy
DISK -> RAID
Power -> USP / multiple PSU
Network -> port teaming
Load Balancing
multiple servers
System Redundancy
Database shadowing
e-vaulting
backups are send off-site
BCP - Business Continuity Plan
written ahead of time and continually improved
long-term strategic business plan, policies, procedures for continued operation after a disruptive event
contains
COOP - Continuity of Operations Plan
Crisis Communication Plan
how do we communicate external?
call-trees
starts buttom-up and then top-down
pref. automated
Critical Infrastructure Protection Plan
Cyber Incident Response Plan
Disaster Recovery Plan
short-term plans
ISCP - Information System Contingency Plan
Occupant Emergency Plan
Evac Plan
Disaster Categories
Natural
caused by nature
very devastating but not often
Human
caused by humans
intentional / unintentional
For Example
errors and omissions / warfare / terror / sabotage / state, cause or religious hacking, financially motivated attackers
most common reason for disruptive events are internal employees
minor impact
easy to mitigate
Environmental
Electrical or Power problems
Heat
Pressure
Humidity
DRP Basics
What is the objective and purpose
Who will be the people or teams who will be responsible in case any disruption happen
What will these people do when the disaster hits
stateDiagram-v2
s1: Education, Plans, Processes, Training
s1 –> Preparation
Preparation –> Response
note left of Response: DR / BCP / EOP
Response –> Recovery
note left of Recovery: post-disaster recovery plan
Recovery –> Mitigation
note left of Mitigation: pre-disaster mitigation plan
Mitigation –> Preparation
Response
How we react / response?
We assess the incident
we notify
Recovery
reestablish basic functionality
all key stakeholders should be involved
we act on our assesment plan
Develop our BCP and DCP
Project Initiation
Scope the project
Business Impact Analysis
Identify Preventive Controls
Recovery Strategy
Plan Design and Development
Implementation, Training and Testing
BCP / DRP Maintenance
Senior Management needs to be on board!
at least at the initiation and final approval
they are responsible
we need top-down IT security
in serious disasters also legal team
BCP Team
Rescue Team (activation / notification)
Recovery Team (failover)
Salvage Team (failback)
BIA - Business Impact Analysis
identifies critical and non-critical
critical is where disruption is not acceptable
for each critical system two values are assigned
RPO
Amount of data which is “OK” to lost
MTD
MTD >= RTO + WRT
maximum tolerable downtime
RTO
recovery time objective
the amount of time to restore the system (hardware)
WRT
work recovery time
how long does it take to re-configure a recovered system
MTBF - Meantime between failures
MTTR - Meantime to repair
MOR - minimum operating requirements
Supply and Infrastructure Redundancy
If an earthquake hits, are the supplies able to deliver?
How long can we be without water?
Disaster recovery sites
Redundant site
complete identical, has staff on site
Hot Site
houses any critical applications and systems
Warm Site
often restore with backups
manually fail traffic over
Cold Site
just the datacenter without hardware
Reciprocal aggreement Site
Organization has a contract with another organization that they will give you space in their datacenter
promised space / cloud / mobile site
Employee redundancy
Offsite copies and plans
EOC (Emergency Operation Center) - temporary
MOU / MOA - Memorandum of Understandig / Agreement
we need a plan if the key employee is not available
we need a high degree of skilled employee redundandcy just like we have on our critical hardware
can be mitigated with trainign and job rotation
Testing the plans
Simulated Tests
DRP review
done by team members which are involved by the DRP
read-through (checklist)
checklist components
walk/talk-through
manager / critical personnel
Simulation test
Physical Tests
Parallel Processing
Parallel Interruption
Full Interruption
Plans need to be continually updated it is an iterative process
If a mayor change is in the organization, we update the plans
old plans are archived but not deleted
Testing
to ensure the plan is accurate, complete and effective
Drills
walkthroughs of the plan, focus to train staff
Auditing
A 3rd party ensures that the plan is understood, followed, in-plan and effective
After a disruption
common mistakes to avoid
lack of senior leadership support
lack of involvement from business units
lack of critical staff priotization
to narrow scope
inadequate telecommunication and supply chain management
lack of testing
lack of training and awareness
not keeping the BCP / DRP up to date, or no paper versioning controls