After the events surrounding September 11th, 2001, many companies became aware that disaster recovery planning is of critical importance. Events such as natural disasters and terrorist activity can bypass even the most rigorous physical security measures, and common hardware failures and even accidental deletions may require some form of recovery capability.

Backup and Recovery Planning

Fundamental to any disaster recovery plan is the need to provide for regular backups of key information, including user file and email storage, database stores, event logs, and security principal details such as user logons, passwords, and group membership assignments. Without a regular backup process, loss of data through accidents or directed attack could severely impair business processes.
The form of backup in use also affects what can be recovered following a disaster. Disaster recovery planning should identify the type and regularity of the backup process to be used. The following sections cover the different types of backups you can employ.

Full Backup

A full backup is a complete backup of all data. It is the most time-intensive and resource-intensive form of backup and requires the largest amount of storage, but restoration from a full backup is faster than any other method in the event of a total loss of data. A full backup copies all selected files and resets the archive bit, so a restore needs just one tape. In case of theft, this poses the most risk because all data is on one tape.

Differential Backup

A differential backup includes all data that has changed since the last full backup, regardless of whether or when a previous differential backup was made, because a differential backup does not reset the archive bit. A differential backup is incomplete for full recovery without a valid full backup. For example, if the server dies on Thursday, two tapes will be needed: the full backup from Friday and the differential from Wednesday. Differential backups require a variable amount of storage, depending on the regularity of full backups and the number of changes that occur between them; each differential tape grows as the week progresses. Theft of a differential tape is riskier than theft of an incremental tape because the further the tape is from the last full backup, the larger the block of accumulated data it holds.

Incremental Backup

An incremental backup includes all data that has changed since the last backup of any kind that reset the archive bit (the last full or incremental backup), and it resets the archive bit itself. An incremental backup is incomplete for full recovery without a valid full backup and every incremental backup taken since that full backup. For example, if the server dies on Thursday, four tapes will be needed: the full backup from Friday and the incremental tapes from Monday, Tuesday, and Wednesday, applied in that order.
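To make the archive-bit rules and the tape counts concrete, here is an added Python model that is not part of the original text. It simulates a volume of three files, runs the Friday full plus Monday-to-Wednesday daily backups under either strategy, and computes which tapes a Thursday restore needs and whether applying them reproduces the data that existed at failure time. The file names, the days on which each file changes, and the schedule are constructed to match the scenario above; the copy-backup check at the end goes slightly beyond the text by showing why a mid-cycle copy must not clear the archive bit.

```python
"""Added example (not from the original text): a model of full, differential,
incremental and copy backups driven by a per-file archive bit, plus the
restore chain each strategy needs. The schedule (full on Friday, daily
backups Monday through Wednesday, failure on Thursday) and the file names
are constructed to match the scenario in the text."""

from dataclasses import dataclass


@dataclass
class BackupFile:
    name: str
    version: int = 0      # bumps each time the file is modified
    archive: bool = True  # set on create/modify; cleared by full and incremental backups


@dataclass
class Tape:
    day: str
    kind: str        # "full", "differential", "incremental" or "copy"
    contents: dict   # file name -> version captured on this tape


class Volume:
    """The live data set being protected."""

    def __init__(self, names):
        self.files = {n: BackupFile(n) for n in names}

    def modify(self, name):
        self.files[name].version += 1
        self.files[name].archive = True

    def backup(self, kind, day):
        if kind in ("full", "copy"):
            selected = list(self.files.values())                         # everything
        elif kind in ("differential", "incremental"):
            selected = [f for f in self.files.values() if f.archive]     # changed files only
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        tape = Tape(day, kind, {f.name: f.version for f in selected})
        if kind in ("full", "incremental"):        # copy and differential leave the bit alone
            for f in self.files.values():
                f.archive = False
        return tape

    def state(self):
        return {n: f.version for n, f in self.files.items()}


def restore_chain(tapes):
    """Tapes needed, in the order they are applied, to rebuild the volume.
    Assumes one strategy (differential or incremental) per full-backup cycle."""
    last_full = max(i for i, t in enumerate(tapes) if t.kind == "full")
    later = [t for t in tapes[last_full + 1:] if t.kind != "copy"]  # copies never enter the chain
    if len({t.kind for t in later}) > 1:
        raise ValueError("mixed differential/incremental tapes in one cycle are not supported")
    if not later:
        return [tapes[last_full]]
    if later[0].kind == "differential":
        return [tapes[last_full], later[-1]]   # newest differential holds everything since the full
    return [tapes[last_full]] + later          # every incremental since the full, oldest first


def restore(chain):
    rebuilt = {}
    for tape in chain:
        rebuilt.update(tape.contents)   # later tapes overwrite older versions
    return rebuilt


def simulate_week(strategy):
    """Friday full, then one `strategy` backup per day Mon-Wed; the server
    fails Thursday before any backup runs. Returns (chain, restore_is_complete)."""
    vol = Volume(["db", "mail", "logs"])
    tapes = [vol.backup("full", "Fri")]
    for day, changed in (("Mon", ["db"]), ("Tue", ["mail"]), ("Wed", ["db", "logs"])):
        for name in changed:
            vol.modify(name)
        tapes.append(vol.backup(strategy, day))
    chain = restore_chain(tapes)
    return chain, restore(chain) == vol.state()


def copy_leaves_archive_bit():
    """A copy backup taken mid-cycle must not break the incremental chain."""
    vol = Volume(["db"])
    vol.backup("full", "Fri")
    vol.modify("db")
    vol.backup("copy", "Sat")          # reads everything but clears nothing
    return vol.files["db"].archive     # still True, so Monday's incremental catches the change


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        chain, ok = simulate_week(strategy)
        print(strategy, [t.day for t in chain], "complete restore" if ok else "DATA MISSING")
```

The comparison `restore(chain) == vol.state()` is the check a real restore test performs: it confirms that the tapes you hold actually reproduce the data that was on the server, not just that the backup jobs reported success. The differential run needs the Friday and Wednesday tapes; the incremental run needs Friday plus Monday, Tuesday, and Wednesday, and loses data if any one of them is missing or applied out of order.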
Incremental backups require the smallest amount of storage and the least backup time, but they can take the most time during restoration, because every tape in the chain must be read in sequence. If a single incremental tape is stolen, it may hold only one day's changes and be of limited value to the thief, but it still represents a risk to the company.

Copy Backup

A copy backup is very similar to a full backup in that it copies all selected files. However, it does not reset the archive bit, so it can be taken at any point without disturbing the differential or incremental cycle in progress. From a security perspective, the loss of a copy backup tape is the same as the loss of a full backup tape: all the data is on it.

Choosing a Backup Strategy

When choosing a backup strategy, a company should look at the following factors:
After the backups are complete, they must be clearly marked or labeled so they can be properly safeguarded. In addition to these backup strategies, companies employ tape rotation and retention policies. The various tape rotation methods include the grandfather-father-son, Tower of Hanoi, and 10-tape rotation schemes. One final note in this area: in some instances, it may be more beneficial to copy or image a hard drive for backup purposes. For example, in a development office, where large amounts of data change constantly, instead of spending money on a complex backup system to back up all the developers' data, it may be less expensive and more efficient to buy a second hard drive for each developer and have each developer back up to it. If the drive is imaged, a machine that suffers a hard drive failure can be returned to service quickly by swapping in the image.

Restoration Procedures

Disaster recovery planning should include detailed restoration procedures. This planning should spell out any configuration details required to restore access and network function. These may be general or very specific. The policy for restoring a server after a hardware failure, for example, is as follows:
Also, a restoration plan should include contingency planning to recover systems and data even when administrative personnel are lost or unavailable. The plan should include procedures for the case in which a disgruntled employee changes an administrative password before leaving. More damage is done to networks from the inside than from the outside. Therefore, all key root-level account passwords and critical procedures should be properly documented so that another equally trained individual can manage the restoration process.

Secure Recovery

Recovery planning documentation and backup media obviously contain many details that an attacker seeking access to an organization's network or data could exploit. As a result, planning documentation, backup scheduling, and backup media must be protected against unauthorized access and potential damage. The data should be protected by at least a password and preferably by encryption. Once the backups are complete, they must be clearly marked or labeled so they can be properly safeguarded. Imagine having to perform a restore for an organization that stores its backup tapes in a plastic bin in the server room. The rotation is supposed to be on a two-week basis. When you go to get the needed tape, you discover that the tapes are not marked, nor are they in any particular order. How much time will be spent just trying to find the proper tape? Also, is it good practice to keep backup tapes in the same room as the servers? What happens if there is a fire? How backup media is handled is just as important as how it is marked. You certainly don't want to store CDs where they can easily be scratched, or tapes in an area that reaches 110 degrees Fahrenheit during the day. Both documentation and media should be stored in an offsite location, protected from unauthorized access as well as from fire, flood, and other environmental hazards.
It is also common in military environments to lock removable storage media in a proper safe or container at the end of the day. During the recovery itself, attackers may also attempt to obtain details by sniffing the traffic between the backup servers (or tape silos) and the network servers being rebuilt, since a restore streams the entire data set across the network. Therefore, planning should include protections against network exploitation during the actual restoration. In Chapter 6, "Infrastructure Security," we covered the proper way to handle removable media when the data should be overwritten or is no longer useful or pertinent to the company. Here's a quick review of the choices that apply to all removable media units:
Disaster Recovery Plan

A detailed disaster recovery plan should be created to provide structure to the process of backup, data security, and recovery. Disaster recovery planning may involve many aspects, including the following:
Business Continuity Planning

Beyond backup and restoration of data, disaster recovery planning must also include a detailed analysis of the underlying business practices and support requirements needed to ensure that business continuity can be maintained in the event of failure. Business continuity planning should include an analysis of any required services, such as network access and utility agreements, along with planning for automatic failover of critical services to redundant offsite systems. Some considerations that may be included in continuity planning include the following: