Best Practices for Prevention and Recovery
- Published on November 19, 2007
Partitioning can help
Partitioning your hard disk can help organizations reduce the amount of data needed for backup stores. By creating separate partitions for data and for applications, IT can quickly back up mission-critical data after a virus attack without utilizing valuable storage space on applications.
Partitioning can also improve organization and simplify the back-up and recovery process. By assigning a set of files represented by its own drive letter, IT can easily keep track of which partitions must be backed up in accordance with the disaster recovery method you select.
Creating backups may seem an obvious necessity to most, but often the problem is not so much that companies are not creating backups, but that they are not verifying their recoverability.
This often results in “false backups” when organizations think their data is secure, only to find after a virus attack that the backups failed and data has been lost. Test recoveries should be scheduled regularly in order to ensure that backup procedures are working properly.
Back-up policy and procedure
Specific procedures for creating backups and a plan of action for recovery are essential to any modern business. Organizations should tailor their backup and recovery procedures to their specific needs. For example, backups on a financial system should be done as often as possible, while backup of word processing documents can probably be done just once a day. Also, to safeguard against data loss from a catastrophic event (such as a fire or earthquake), keep duplicates of your server backups in a different location from the physical servers.
In the wake of a virus attack, the first step in planning for recovery is the assessment of your environment. When assessing what to include in a disaster recovery plan, companies should keep in mind the following:
- What network resources are most important?
- What is the value of those resources, monetary or otherwise?
- What possible threats do these resources face?
- What is the likelihood of those threats being realized?
- What would be the impact of those threats on the business, employees, or customers, if those threats were realized?
- Which resources do you need to bring online first?
- What is the amount of time each one of these resources can be down?
- Set an allowable downtime for each resource.
- Set decontamination process for viruses and worms.
Disk-based vs. tape-based solutions
Organizations can utilize both tape-based and disk-based solutions for back-up and these solutions can often complement each other. Many organizations are combining the strengths of each of these technologies to create one comprehensive solution, which utilizes tape as a direct backup and disk as a day-to-day backup. This way, companies will not lose their tape investment and enhance it with the additional benefits and convenience of disk. Since disk backups can be accessed immediately, without having to shut down servers and take a company offline, it is best to use disk backups on an everyday basis. Then IT can convert these disk backups to tape where they can be kept for long-term storage.
Organizations deploying an effective storage and recovery strategy are well on their way to protecting mission-critical data, but a more complete “ounce of prevention” will include virus prevention. Lately it seems that more and more prevention and protection is required. Recent virus threats such as Sasser, Blaster, and MyDoom have crippled networks and left some corporations with no choice but to shut down mail servers and start painstakingly, time-consuming clean-up procedures. Today’s virus attacks are becoming increasingly sophisticated and often combine several types of threats to maximize impact against organizations.
The only way to make sure companies are protected as much as possible before an attack is to integrate security technology and policies with regular and effective backups of their systems and important data. While organizations can’t always prevent disasters such as fires and hurricanes, they can usually prevent virus attacks.
The first known computer virus appeared in 1981, a relatively tame outbreak by today’s standard that required users to physically transport an infected disk to another computer for the virus to spread. Today, however, viruses have developed into much more.
These new threats combine to create a modern type of advanced computer security threat that experts are calling “blended threats.” As the term blended threats denotes, these threats combine, or blend, a number of dangers together into one destructive force. Recent virus threats have employed new tactics to cause damage to systems.
Multiple methods of propagation
The very nature of a virus is that it is self-replicating – once released, it propagates on its own. A blended threat is a security threat that uses multiple methods to attack. Propagation methods range from being embedded into HTML files of an infected server, to infecting any visitors to a particular Web site, to even sending e-mails with a worm attachment. Multiple methods of propagation can make containment of a threat an even greater challenge.
Multiple points of attack
Blended threats attack on multiple levels, while simple viruses spread by attaching a copy of itself to some part of a program file or record. By striking on several levels, it makes these threats extremely difficult to detect as well as makes cleanup especially difficult.
Spread without human intervention
Blended threats are automated, continuing to spread without human intervention. As a result, they are always scanning the Internet for vulnerable servers to strike. This increases the danger, as they are automated, and makes them much more challenging to halt.
One of the most dangerous aspects of a blended threat is that it can exploit vulnerabilities. Typically, blended threats abuse known vulnerabilities such as buffer overflows, HTTP input validation vulnerabilities, known default passwords, and others. A buffer overflow occurs when a program attempts to store data into a buffer, where the data is larger than the size of the buffer. The ability to exploit a buffer allows one to possibly insert extra code into the execution route. They find the holes within your system and hit you where you least expect it.
Unlike some worms and viruses, blended threats are built to be destructive in nature. Some attacks have been known to launch a denial of service attack at a target IP address, to deface Web servers, and to leave Trojan horses behind for later destruction.
By combining these characteristics, blended threats have the potential to be more harmful and deliver more damage than the typical virus or worm. Security exploits are being combined into intricate computer viruses resulting in a very complex attack – a blended threat – that in some cases goes beyond the general scope of antivirus software. Alone, a single security technology is not sufficient to defend against these blended threats.
Such complex threats have given rise to equally intelligent security devices. Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.
Constructing a Cure
The complex, destructive nature of these threats illustrates how the primitive strategy of “one threat, one cure” approach is out of date. Consistent, widespread security solutions that provide several layers of defense are required for protection against blended threats.
Enlisting a comprehensive approach, creating a defensive barrier comprised of antivirus, firewall, content filtering, vulnerability management and intrusion detection measures will make systems extremely difficult and costly for intruders to compromise. All parts of the network must be protected and there must be a response in place to provide security at all levels – the gateway, server, and desktop. Working in combination, these layers of protection will help ensure the confidentiality and security of an organization’s data.
The most important step in combating malicious threats is to install antivirus software. This software will scan for and detect viruses as well as repair any damage resulting from a virus. Your antivirus software and content security solutions are generally used to identify and remove threats.
An effective firewall is your first line of defense against hackers. Firewalls establish guarded gateways that are designed to keep the information on the inside safe from anyone on the outside. They inspect incoming information and block those that do not meet specified criteria. Firewall software can help to fight against inbound and outbound attacks by blocking threats from entering your network.
Content filtering tools applied at Internet gateways can also help the enterprise to proactively identify potential threats. These filtering tools stop harmful viruses and malicious code at the network gateways before they even have a chance to penetrate your computer. They are provided through establishing content policies and corresponding rules including subject line, content, and spam rules.
Vulnerability assessment tools help ensure that patches are applied, unneeded services are removed, and passwords are strong, according to best practices. Vulnerability management solutions allow IT administrators and IT security managers to create, manage, and install customized security policies across their networks.
Intrusion detection systems offer significant detection and prevention capabilities against attacks. These systems are used to monitor the network and hosts for improper activity and assist in forensic analysis. They are aimed at finding the networks weak points.
Security technologies need to be instituted on all levels and for all users. These tools and systems need to be continuously updated in order to protect against the most recent and complex threats.
Technology alone does not address all security issues. IT should not let oversights and negligence leave a system vulnerable to intruders and viruses. IT should take time to implement and execute various security standards internally. Establishing firm policies and procedures can help plug any undetected holes in a system. Removing unneeded services, implementing strong passwords, keeping patches up to date, data forensics, and other critical strategies can help enhance overall protection.
The combined defense of advanced security technology and effective end-user policies will provide the strongest weapon against the spread of malicious blended threats.
Combating the Unknown
As virus threats quickly evolve and increase in complexity, managing these threats becomes a great challenge. As defending against simultaneous, multiple Internet threats become imperative to enterprise security, IT managers will likely be looking to software vendors to provide a total security and backup solution and ongoing support. The latest blended threats are propagating at an ever increasing rate, forcing security companies to reevaluate their strategies and technologies.
IT professionals in today’s world of blended threats have their work cut out for them. It is imperative for organizations to implement security technology, as well as a storage and disaster recovery solution. Both technologies should be accompanied by internal policies and procedures that emphasize caution. A multi-faceted approach to enterprise computing will ensure the best possible defense against virus attacks. There’s no doubt that virus authors will continue to design new viruses, using new technologies, creating new problems. Who knows what they’ll think of next – but preparation is the key.
L.D. Weller is senior product manager at Symantec Corporation where he manages the company’s LiveState Recovery line of backup and recovery products.