Disaster Recovery Journal (www.drj.com)
Best Practices for Prevention, Recovery
By L.D. Weller
Everyone has heard the old adage that an ounce of prevention is worth
a pound of cure. To protect themselves on all sides, organizations
should employ a security plan that covers both prevention and recovery. A
multi-pronged approach creates a defensive barrier composed of
antivirus, firewall, content filtering, vulnerability management, and
intrusion detection to prevent an attack, while a backup and disaster
recovery plan helps them recover in the event of a successful attack.
Why Backup?
By using a backup and disaster recovery solution, IT can recover quickly
from a server failure caused by a virus or worm and get back to the
“original state.” The business costs associated with network
downtime and data loss following a virus make secure backup and recovery
an economic necessity. Organizations creating backups should keep a
few things in mind.
Remember servers and desktops
IT managers don’t always remember desktops when considering disaster
recovery, but anyone who has had a laptop die on them understands
what a headache it can be to retrieve information that was stored on
its hard drive. A good backup solution will create compressed images
of a server’s volumes, including its operating system, server
settings, and preferences, enabling complete restoration of
system and data volumes, or of individual files and folders, in a matter
of minutes. A system with five to eight GB of data can be recovered
in just 10-15 minutes.
Partitioning can help
Partitioning the hard disk can help organizations reduce the amount
of data that must be held in backup stores. By creating separate partitions for
data and for applications, IT can quickly back up mission-critical data
after a virus attack without spending valuable storage space on application files.
Partitioning also improves organization and simplifies the backup
and recovery process: when each set of files has its own drive letter,
IT can easily keep track of which partitions must be backed up under
the disaster recovery method selected.
Verification
Creating backups may seem an obvious necessity to most, but often the
problem is not so much that companies are not creating backups, but
that they are not verifying their recoverability. This often results
in “false backups” when organizations think their data is
secure, only to find after a virus attack that the backups failed and
data has been lost. Test recoveries should be scheduled regularly in
order to ensure that backup procedures are working properly.
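A test recovery can be scripted so that no backup is trusted until it has actually been restored and compared against the originals. The following is an added example written for this article, not code from the article or from any vendor’s product; it uses only the Python standard library and constructs both the source tree and a truncated archive inline so it runs offline:

```python
"""Create a backup archive and prove it restores before trusting it.

Added example, not code from the article or from any vendor's product.
It uses only the Python standard library; the source tree and the damaged
archive used in demo() are constructed inline so the script runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def _digest_tree(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tar of source and return a manifest of file digests."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                tar.add(path, arcname=path.relative_to(source).as_posix())
    return _digest_tree(source)


def verify_backup(archive: Path, manifest: dict[str, str]) -> tuple[bool, list[str]]:
    """Test-restore the archive into scratch space and compare it to the manifest.

    Returns (ok, problems). The backup counts as good only when it can be
    read at all, every manifest entry restores with the recorded digest and
    nothing unexpected appears; anything else is a "false backup".
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python provides it.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = _digest_tree(Path(scratch))
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            problems.append(f"missing after restore: {rel}")
        elif actual != expected:
            problems.append(f"digest mismatch after restore: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return not problems, problems


def demo() -> tuple[bool, bool, dict[str, str]]:
    """Back up a constructed tree, verify it, then verify a truncated copy."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2005-01-03,invoice,1000.00\n")
        (source / "memo.txt").write_text("quarterly planning notes\n")

        archive = root / "data.tar.gz"
        manifest = create_backup(source, archive)
        good_ok, _ = verify_backup(archive, manifest)

        # Simulate a backup job that "completed" but was cut short: keep half the bytes.
        damaged = root / "damaged.tar.gz"
        blob = archive.read_bytes()
        damaged.write_bytes(blob[: len(blob) // 2])
        bad_ok, bad_problems = verify_backup(damaged, manifest)
        assert bad_problems, "a truncated archive must produce findings"
        return good_ok, bad_ok, manifest


if __name__ == "__main__":
    ok, damaged_ok, files = demo()
    print(f"intact archive verified: {ok}; truncated archive verified: {damaged_ok}")
    print("files in manifest:", ", ".join(sorted(files)))
```

Running the script reports that the intact archive verifies and the truncated copy does not. In practice the manifest would be written beside the archive at backup time and the test restore scheduled on the same cadence as the backups themselves, so a "false backup" is discovered by the schedule rather than by an outage.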
Back-up policy and procedure
Specific procedures for creating backups and a plan of action for recovery
are essential to any modern business. Organizations should tailor their
backup and recovery procedures to their specific needs. For example,
backups on a financial system should be done as often as possible, while
backup of word processing documents can probably be done just once a
day. Also, to safeguard against data loss from a catastrophic event
(such as a fire or earthquake), keep duplicates of your server backups
in a different location from the physical servers.
In the wake of a virus attack, the first step in planning for recovery
is the assessment of your environment. When assessing what to include
in a disaster recovery plan, companies should keep in mind the following:
- What network resources are most important?
- What is the value of those resources, monetary or otherwise?
- What possible threats do these resources face?
- What is the likelihood of those threats being realized?
- What would be the impact of those threats on the business, employees,
or customers, if those threats were realized?
- Which resources do you need to bring online first?
- What is the amount of time each one of these resources can be down?
- Set an allowable downtime for each resource.
- Set decontamination process for viruses and worms.
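The questions above can be answered in a table and then checked mechanically: rank resources by how long they can be down, and confirm that restoring them in that order actually meets each deadline. The following is an added example, not from the article; the inventory, the 1-to-5 scales, and the restore times are constructed for illustration:

```python
"""Turn the assessment questions into a recovery-order check.

Added example, not from the article. The inventory is constructed; value,
likelihood and impact use a 1 (low) to 5 (critical) scale, risk is
likelihood x impact, and resources are restored tightest deadline first.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    value: int                   # business value, 1-5
    likelihood: int              # chance the threat is realised, 1-5
    impact: int                  # damage if it is realised, 1-5
    allowable_downtime_h: float  # maximum tolerable outage, hours
    restore_time_h: float        # restore duration measured in a test recovery

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


# Constructed inventory for the example.
INVENTORY = [
    Resource("Web storefront", value=5, likelihood=4, impact=5, allowable_downtime_h=2.0, restore_time_h=1.0),
    Resource("Order database", value=5, likelihood=3, impact=5, allowable_downtime_h=2.0, restore_time_h=1.5),
    Resource("E-mail server", value=4, likelihood=4, impact=4, allowable_downtime_h=4.0, restore_time_h=1.0),
    Resource("File server", value=3, likelihood=3, impact=3, allowable_downtime_h=8.0, restore_time_h=2.0),
    Resource("Intranet wiki", value=2, likelihood=2, impact=2, allowable_downtime_h=24.0, restore_time_h=0.5),
]


def recovery_order(resources):
    """Bring up the tightest deadlines first; break ties by risk, then value."""
    return sorted(resources, key=lambda r: (r.allowable_downtime_h, -r.risk, -r.value))


def simulate_restores(resources, lanes=1):
    """Run the restore queue with `lanes` concurrent restore jobs.

    Returns [(name, finish_hour, missed_deadline)] in the order jobs start.
    A min-heap of lane-free times hands each job to the earliest idle lane.
    """
    free_at = [0.0] * lanes
    heapq.heapify(free_at)
    schedule = []
    for r in recovery_order(resources):
        start = heapq.heappop(free_at)
        finish = start + r.restore_time_h
        heapq.heappush(free_at, finish)
        schedule.append((r.name, finish, finish > r.allowable_downtime_h))
    return schedule


def missed_deadlines(resources, lanes=1):
    """Names of resources whose restore finishes after their allowable downtime."""
    return [name for name, _, missed in simulate_restores(resources, lanes) if missed]


if __name__ == "__main__":
    for lanes in (1, 2):
        print(f"{lanes} concurrent restore job(s):")
        for name, finish, missed in simulate_restores(INVENTORY, lanes):
            print(f"  {name:<15} ready after {finish:4.1f} h  {'MISSED' if missed else 'ok'}")
```

With one restore job at a time, the order database misses its two-hour window; with two jobs in parallel, every deadline is met. That is the kind of finding an allowable-downtime figure is meant to surface before an incident rather than during one.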
Disk-based vs. tape-based solutions
Organizations can use both tape-based and disk-based solutions for
backup, and the two often complement each other. Many organizations
are combining the strengths of each technology into
one comprehensive solution, which uses tape as a direct backup and
disk as a day-to-day backup. This way, companies keep their
tape investment and enhance it with the additional benefits and convenience
of disk. Since disk backups can be accessed immediately, without having
to shut down servers and take the company offline, it is best to use disk
backups on an everyday basis. IT can then copy these disk backups
to tape for long-term storage.
Covering Prevention
Organizations deploying an effective storage and recovery strategy are
well on their way to protecting mission-critical data, but a more complete
“ounce of prevention” will include virus prevention. Lately
it seems that more and more prevention and protection is required. Recent
virus threats such as Sasser, Blaster, and MyDoom have crippled networks
and left some corporations with no choice but to shut down mail servers
and start painstaking, time-consuming clean-up procedures. Today’s
virus attacks are becoming increasingly sophisticated and often combine
several types of threats to maximize impact against organizations.
The only way to make sure companies are protected as much as possible
before an attack is to integrate security technology and policies with
regular and effective backups of their systems and important data. While
organizations can’t always prevent disasters such as fires and
hurricanes, they can usually prevent virus attacks.
The first known computer virus appeared in 1981, a relatively tame outbreak
by today’s standard that required users to physically transport
an infected disk to another computer for the virus to spread. Today,
however, viruses have developed into much more.
These new threats combine to create a modern type of advanced computer
security threat that experts are calling “blended threats.”
As the term blended threats denotes, these threats combine, or blend,
a number of dangers together into one destructive force. Recent virus
threats have employed new tactics to cause damage to systems.
Multiple methods of propagation
The very nature of a virus is that it is self-replicating – once
released, it propagates on its own. A blended threat is a security threat
that uses multiple methods to attack. Propagation methods range from
being embedded into HTML files of an infected server, to infecting any
visitors to a particular Web site, to even sending e-mails with a worm
attachment. Multiple methods of propagation can make containment of
a threat an even greater challenge.
Multiple points of attack
Blended threats attack on multiple levels, whereas a simple virus spreads
by attaching a copy of itself to some part of a program file or record.
Striking on several levels makes these threats extremely difficult
to detect and makes cleanup especially difficult.
Spread without human intervention
Blended threats are automated and continue to spread without human intervention,
constantly scanning the Internet for vulnerable servers to strike.
Because no one has to act for them to spread, they are much more
challenging to halt.
Exploits vulnerabilities
One of the most dangerous aspects of a blended threat is that it can
exploit vulnerabilities. Typically, blended threats abuse known vulnerabilities
such as buffer overflows, HTTP input validation flaws, known
default passwords, and others. A buffer overflow occurs when a program
attempts to store data in a buffer that is smaller than the data.
Exploiting such an overflow can allow an attacker to insert extra code
into the program’s execution path. These threats find the holes
within your system and hit you where you least expect it.
Causes harm
Unlike some worms and viruses, blended threats are built to be destructive
in nature. Some attacks have been known to launch a denial of service
attack at a target IP address, to deface Web servers, and to leave Trojan
horses behind for later destruction.
By combining these characteristics, blended threats have the potential
to be more harmful and deliver more damage than the typical virus or
worm. Security exploits are being combined into intricate computer viruses
resulting in a very complex attack – a blended threat –
that in some cases goes beyond the general scope of antivirus software.
Alone, a single security technology is not sufficient to defend against
these blended threats.
Such complex threats have given rise to equally intelligent security
devices. Effective protection from blended threats requires a comprehensive
security solution that contains multiple layers of defense and response
mechanisms.
Constructing a Cure
The complex, destructive nature of these threats illustrates how
out of date the primitive “one threat, one cure” approach has
become. Consistent, widespread security solutions that provide
several layers of defense are required for protection against blended
threats.
Taking a comprehensive approach and creating a defensive barrier composed
of antivirus, firewall, content filtering, vulnerability management,
and intrusion detection measures will make systems extremely difficult
and costly for intruders to compromise. All parts of the network must
be protected, with a response in place to provide security
at all levels: the gateway, server, and desktop. Working in combination,
these layers of protection will help ensure the confidentiality and
security of an organization’s data.
The most important step in combating malicious threats is to install
antivirus software. This software will scan for and detect viruses as
well as repair any damage resulting from a virus. Your antivirus software
and content security solutions are generally used to identify and remove
threats.
An effective firewall is your first line of defense against hackers.
Firewalls establish guarded gateways designed to keep the information
on the inside safe from anyone on the outside. They inspect incoming
traffic and block whatever does not meet specified criteria. Firewall
software can help fight inbound and outbound attacks by blocking
threats from entering your network.
Content filtering tools applied at Internet gateways can also help the
enterprise proactively identify potential threats. These filtering
tools stop harmful viruses and malicious code at the network gateway
before they have a chance to reach your computers. They work by
establishing content policies and corresponding rules,
including subject-line, content, and spam rules.
Vulnerability assessment tools help ensure that patches are applied,
unneeded services are removed, and passwords are strong, according to
best practices. Vulnerability management solutions allow IT administrators
and IT security managers to create, manage, and install customized security
policies across their networks.
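The three checks named here (patch level, unneeded services, and password strength) can be expressed as a small assessment script. The following is an added example, not code from the article or from any vendor’s product; the host records, patch baseline, service allowlist, and default-password list are constructed placeholders:

```python
"""Host checks of the kind a vulnerability assessment tool performs.

Added example, not from the article or from any vendor's product. The host
records, the patch baseline, the service allowlist and the default-password
list are all constructed placeholders for illustration.
"""
from dataclasses import dataclass

# Minimum patched version per package (constructed; real baselines come from vendor advisories).
PATCH_BASELINE = {"mailer": (2, 4, 1), "webd": (1, 9, 0)}
# Services permitted to listen on this class of host; anything else is "unneeded".
ALLOWED_SERVICES = {"ssh", "https", "smtp"}
# Vendor defaults and common choices that a strong-password rule must reject (constructed list).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234"}


@dataclass
class Host:
    name: str
    software: dict   # package name -> installed version tuple
    services: set    # listening services
    accounts: dict   # user -> password; plain text only because this is a constructed
                     # example (a real tool tests defaults against the login service
                     # or audits stored hashes, never a plaintext inventory)


def password_issues(password: str) -> list[str]:
    """Return the ways a password fails a simple strength policy."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if password.lower() in DEFAULT_PASSWORDS:
        issues.append("default or commonly used password")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        issues.append("fewer than three character classes")
    return issues


def _fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def assess(host: Host) -> list[str]:
    """Report missing patches, unneeded services and weak passwords on one host."""
    findings = []
    for package, installed in sorted(host.software.items()):
        minimum = PATCH_BASELINE.get(package)
        if minimum is not None and installed < minimum:
            findings.append(f"{package} {_fmt(installed)} is below patched baseline {_fmt(minimum)}")
    for service in sorted(host.services - ALLOWED_SERVICES):
        findings.append(f"unneeded service {service} is listening and should be removed")
    for user, password in sorted(host.accounts.items()):
        for issue in password_issues(password):
            findings.append(f"account {user}: {issue}")
    return findings


# Constructed fleet: one host with an old mailer and telnet enabled, one with a default admin password.
FLEET = [
    Host("mail01", {"mailer": (2, 3, 0)}, {"smtp", "telnet"}, {"postmaster": "Correct-Horse-Battery-9"}),
    Host("web01", {"webd": (1, 9, 2)}, {"https"}, {"admin": "admin"}),
]


def assess_fleet(hosts=FLEET) -> dict[str, list[str]]:
    """Map each host name to its findings; an empty list means the host passed."""
    return {host.name: assess(host) for host in hosts}


if __name__ == "__main__":
    for name, findings in assess_fleet().items():
        print(name, "-", "passed" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

The version comparison works on tuples so that 2.3.0 sorts below 2.4.1 without string tricks; the service check is an allowlist, which is the "remove unneeded services" rule stated the other way round: anything not explicitly needed is a finding.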
Intrusion detection systems offer significant detection and prevention
capabilities against attacks. They monitor the network and hosts for
improper activity and assist in forensic analysis, with the aim of
finding the network’s weak points.
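One thing an intrusion detection system watches for is the automated scanning described earlier: a single source touching many hosts or ports in a short time. The following added example (not from the article or from any IDS product) flags that pattern over constructed firewall log lines, whose format is also constructed for the example, and keeps the raw lines for forensic follow-up:

```python
"""Sweep detection over firewall log lines, as an IDS would do it.

Added example, not from the article or from any IDS product. The log lines
and their format are constructed for this example and mimic a firewall that
records every allowed or denied connection attempt.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: a fast sweep, normal traffic, and a slow sweep.
SAMPLE_LOG = (
    # 10.0.0.5 probes twelve hosts on tcp/135 within twelve seconds
    [f"2005-05-01T10:00:{i:02d} DENY src=10.0.0.5 dst=192.168.1.{i} dport=135 proto=tcp"
     for i in range(1, 13)]
    # 10.0.0.7 is a workstation using mail and web as usual
    + [
        "2005-05-01T10:00:05 ALLOW src=10.0.0.7 dst=192.168.1.20 dport=25 proto=tcp",
        "2005-05-01T10:00:09 ALLOW src=10.0.0.7 dst=192.168.1.21 dport=80 proto=tcp",
        "2005-05-01T10:00:30 ALLOW src=10.0.0.7 dst=192.168.1.20 dport=25 proto=tcp",
    ]
    # 10.0.0.9 probes one host every three minutes, staying under the window threshold
    + [f"2005-05-01T10:{3 * i:02d}:00 DENY src=10.0.0.9 dst=192.168.2.{i} dport=445 proto=tcp"
       for i in range(1, 13)]
)


def parse_line(line: str):
    """Parse one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "action": m["action"],
        "target": (m["dst"], int(m["dport"])),
    }


def detect_sweeps(lines, window_s=60, threshold=10):
    """Flag sources that touch >= threshold distinct host:port targets in any window.

    Returns {src: peak_distinct_targets}. Events per source are walked in time
    order with a sliding window, so a burst is reported while a slow sweep that
    never fills one window is not.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        in_window = Counter()
        start = 0
        for e in evs:
            in_window[e["target"]] += 1
            # Evict events that have fallen out of the window.
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                old = evs[start]["target"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def evidence(lines, src):
    """Return the raw log lines for one source, for forensic follow-up."""
    return [line for line in lines if (e := parse_line(line)) and e["src"] == src]


if __name__ == "__main__":
    for src, peak in detect_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peak} distinct targets within 60 s")
        for line in evidence(SAMPLE_LOG, src)[:3]:
            print("   ", line)
```

The sliding window is the point of the example: the fast sweep from 10.0.0.5 is reported, while the slow sweep from 10.0.0.9 stays under the threshold in every single window and would need a longer window or a cumulative per-source count to catch. Tuning those two numbers against real traffic is where most of the work of an IDS deployment goes.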
Security technologies need to be instituted on all levels and for all
users. These tools and systems need to be continuously updated in order
to protect against the most recent and complex threats.
Technology alone does not address all security issues. IT should not
let oversights and negligence leave a system vulnerable to intruders
and viruses. IT should take time to implement and execute various security
standards internally. Establishing firm policies and procedures can
help plug any undetected holes in a system. Removing unneeded services,
implementing strong passwords, keeping patches up to date, data forensics,
and other critical strategies can help enhance overall protection.
The combined defense of advanced security technology and effective end-user
policies will provide the strongest weapon against the spread of malicious
blended threats.
Combating the Unknown
As virus threats evolve quickly and increase in complexity, managing
them becomes a great challenge. As defending against multiple, simultaneous
Internet threats becomes imperative to enterprise security,
IT managers will likely look to software vendors to provide a
total security and backup solution with ongoing support. The latest blended
threats are propagating at an ever-increasing rate, forcing security
companies to reevaluate their strategies and technologies.
IT professionals in today’s world of blended threats have their
work cut out for them. It is imperative for organizations to implement
security technology, as well as a storage and disaster recovery solution.
Both technologies should be accompanied by internal policies and procedures
that emphasize caution. A multi-faceted approach to enterprise computing
will ensure the best possible defense against virus attacks. There’s
no doubt that virus authors will continue to design new viruses, using
new technologies, creating new problems. Who knows what they’ll
think of next – but preparation is the key.
L.D. Weller is senior product manager at Symantec Corporation
where he manages the company’s LiveState Recovery line of backup
and recovery products.
©Copyright
2005 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.