Let’s look at Control 19 of the 20 Critical Controls and how it can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on Twitter at @drericcole or email ecole@secure-anchor.com with any questions.
Critical Control 19: Data Recovery Capability
Data is one of the most important assets of most organizations. If that is the case, why do most organizations not have a good data recovery plan? Without one, “when it’s gone it’s gone” and there is no getting it back. If a major event causes the organization to lose large amounts of data, the same can be said of the organization itself: “When it’s gone it’s gone.”
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers’ presence is discovered, organizations without a trustworthy data recovery capability can have extreme difficulty removing all aspects of the attacker’s presence on the machine.
Data recovery has become an ever-increasing field as more companies rely on data; in their eyes, it is irreplaceable. The primary reasons, though not the only ones, for a data recovery requirement are:
- Trace evidence of an incident
- Lost files due to user error
- Lost files or data due to system malfunction
Malicious activity has also become harder to find and to trace to its root cause. Some malicious code starts a process and then deletes itself, which makes it a challenge both to identify the code and to recover the deleted copy. With a good backup and recovery procedure in place, an organization can recover regardless of whether the cause is a hardware malfunction or a malicious attack. The goal of data recovery is just that: recover the lost data. It may not be possible to recover all of the data, but the majority is generally enough to resume operations. That is the goal: to resume operations with the minimum amount of disruption.
Back-up solutions are available in many forms and at many levels. You can choose a software solution that also requires hardware such as tape drives, tapes, and interfaces, and then ensure that all of the equipment works together. Tapes themselves come in a variety of sizes and storage capacities. Software must be used in conjunction with the tape drives to properly back up and/or restore the data when needed.
Hardware solutions include RAID, which requires controllers, hard drives, and the ability to configure them. Organizations must determine the best way to use RAID for their needs. The biggest issue for most organizations is that all back-up methods require funding and an IT professional to maintain them.
Identifying the level that best meets the needs of the organization, and the processes to run it, is a challenge. Depending on the need, an off-site back-up solution may be identified as the best choice. Once the proper levels have been identified and established, the ability to recover after a significant disaster increases tremendously. Current best practice is that information should be stored encrypted. Even so, back-ups are often overlooked and not encrypted. It is easy to take back-up software out of the package, install it, and let it do its thing; the problem is that most back-up solutions do not encrypt the back-ups by default. This is a significant security risk, and ensuring that back-ups are encrypted should be a priority.
Ensure that the software or method used to back up the data can encrypt the data as it is backed up. If it cannot, this should be addressed and an alternate back-up plan that includes the ability to encrypt the data should be reviewed.
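As an added illustration of the two points above (encrypting the back-up, and proving that it can actually be restored so operations can resume), here is a small Go program. It is not from this post or from the Critical Controls document; it packs files into a tar stream, seals the whole stream with AES-256-GCM, and performs a verifying restore against a manifest of SHA-256 hashes. The file contents and the key are constructed in memory for the example; in practice the key would come from a key manager, never from the same media as the back-up, and the files would come from the directories named in the back-up policy.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Manifest maps each backed-up file name to the hex SHA-256 of its contents,
// recorded at backup time so a restore can be verified file by file.
type Manifest map[string]string

// Backup writes files (name -> contents; a constructed stand-in for a directory
// walk) into a tar stream and seals the whole stream with AES-256-GCM.
func Backup(files map[string][]byte, key []byte) ([]byte, Manifest, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	manifest := Manifest{}
	for name, data := range files {
		hdr := &tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o600, Size: int64(len(data))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return nil, nil, err
		}
		sum := sha256.Sum256(data)
		manifest[name] = hex.EncodeToString(sum[:])
	}
	if err := tw.Close(); err != nil {
		return nil, nil, err
	}
	sealed, err := seal(buf.Bytes(), key)
	return sealed, manifest, err
}

// seal encrypts and authenticates plain; the random nonce is prepended so the
// restore side can recover it.
func seal(plain, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Restore decrypts the backup, unpacks it and checks every file against the
// manifest. A wrong key or any change to the ciphertext fails at the GCM tag
// check before a single byte is unpacked.
func Restore(sealed, key []byte, manifest Manifest) (map[string][]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("backup too short to contain a nonce")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt/authenticate: %w", err)
	}
	tr := tar.NewReader(bytes.NewReader(plain))
	out := map[string][]byte{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		sum := sha256.Sum256(data)
		if want, ok := manifest[hdr.Name]; !ok || want != hex.EncodeToString(sum[:]) {
			return nil, fmt.Errorf("file %q is not in the manifest or its hash does not match", hdr.Name)
		}
		out[hdr.Name] = data
	}
	if len(out) != len(manifest) {
		return nil, fmt.Errorf("restored %d files but the manifest lists %d", len(out), len(manifest))
	}
	return out, nil
}
```

Because GCM is authenticated encryption, a restore attempted with the wrong key, or from media that has been corrupted or altered, is rejected before anything is unpacked, and the manifest check then confirms that every file listed came back intact. Running `Restore` on a schedule against the real back-up set, not only when a loss has already happened, is what turns a back-up job into a recovery capability.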
Data storage media must be handled and stored in a way that ensures the security of the media. Once the data is saved, it must be stored for future use if needed. The sensitivity of the data will directly affect the way the information is stored. If the information is sensitive or classified, does the storage facility meet government regulations for the handling and storage of that type of data? Does it meet your policies?
When identifying storage locations, the last thing that may need to be considered is climate control and accessibility in the event of an emergency. If the data is of high value and would be needed to recover the organization’s operations, then the location must be in close proximity to the operations center that is to be recovered.
For additional details on the controls, please go to the 20 Critical Security Controls site. Portions of the above are taken from version 2.0 of The Twenty Critical Controls.
