Disaster Planning: Preparation for Recovery After an Attack


Disaster planning should be a key part of your security strategy. The old saying "Hope for the best, and prepare for the worst" certainly applies to network security. Murphy's law predicts that if you don't have a way to recover from a network or security disaster, you'll soon need one. If you're prepared, you can recover quickly and may even be able to learn something useful from the experience. Here are some suggestions to help you prepare for the worst:

  • Make permanent, archived "baseline" backups of exposed computers before they're connected to the Internet and anytime system software is changed

  • Make frequent backups once online

  • Prepare written, thorough, and tested computer restore procedures

  • Write and maintain documentation of your software and network configuration

  • Prepare an incident plan

A little planning now will go a long way toward helping you through this situation. The key is having a good backup of all critical software. Each of the points discussed in the preceding list is covered in more detail in the following sections.

Make a Baseline Backup Before You Go Online

You should make a permanent "baseline" backup of your computer before you connect to the Internet for the first time, so you know it doesn't have any virus infections. This backup should be kept permanently. You can use it as a starting point for recovery if your system is compromised.

To learn more about making backups, see p. 1142.


Make Frequent Backups When You're Online

I hate to sound like a broken record on this point, but you should have a backup plan and stick to it. Make backups at some sensible interval and always after a session of extensive or significant changes (for example, after installing new software or adding users). In a business setting, you might want to have your backup program schedule a backup every day automatically. (You do have to remember to change the backup media, even if the backups are automatic, however!) In a business setting, backup media should be rotated off-site to protect against loss due to theft or fire.

Write and Test Server Restore Procedures

I can tell you from personal experience that the only feeling more sickening than losing your system is finding out that the backups you've been diligently making are unreadable. Whatever your backup scheme is, be sure it works!

This step is really difficult to take, but I really urge you to try to completely rebuild a system after an imaginary break-in or disk failure. Use a sacrificial computer, of course, not your main computer, and allow yourself a whole day for this exercise. Go through all the steps: Reformat hard disks, reinstall Windows or use the Automated System Recovery feature, reinstall tape software (if necessary), and restore the most recent backups. You will find this a very enlightening experience, well worth the cost in time and effort. Finding the problem with your system before you need the backups is much better than finding it afterward!

Also, be sure to document the whole restoration process so that you can repeat it later. After a disaster, you'll be under considerable stress, so you might forget a step or make a mistake.

Having a clear, written, tested procedure goes a long way toward making the recovery process easier and more likely to succeed.

Write and Maintain Documentation

It's in your own best interest to maintain a log of all software installed on your computers, along with software settings, hardware types and settings, configuration choices, network number information, and so on. (Do you vaguely remember some sort of ordeal with a DMA conflict when you installed the tape software last year? How did you resolve that problem, anyway?)

In businesses, this information is often part of the "oral tradition," but a written record is an important insurance policy against loss due to memory lapses or personnel changes. Record all installation and configuration details.

TIP

Windows has no utilities to print out the configuration settings for software and network systems. I use Alt+PrntScrn to record the configurations for each program and network component and then paste the images into WordPad or Microsoft Word.


Then, print out a copy of this documentation, so you'll be able to refer to it if your computer crashes.

Make a library of CD-ROMs, repair disks, startup disks, utility disks, backup CDs, ZIP disks, tapes, manuals, and notebooks that record your configurations and observations. Keep them together in one place and locked up if possible.

Prepare an Incident Plan

A system crash or intrusion is a highly stressful event. A written plan of action made now will help you keep a clear head when things go wrong. The actual event probably won't go as you imagined, but at least you'll have some good first steps to follow while you get your wits about you.

If you know a break-in has been successful, you must take immediate action. First, disconnect your network from the Internet. Then find out what happened.

Unless you have an exact understanding of what happened and can fix the problem, you should clean out your system entirely. This means that you should reformat your hard drive, install Windows and all applications from CDs or pristine disks, and make a clean start. Then you can look at recent backups to see whether you have any you know aren't compromised, restore them, and then go on.

But most of all, have a plan. The following are some steps to include in your incident plan:

  • Write down exactly how to properly shut down computers and servers.

  • Make a list of people to notify, including company officials, your computer support staff, your ISP, an incident response team, your therapist, and anyone else who will be involved in dealing with the aftermath.

  • Check www.first.org to see whether you are eligible for assistance from one of the many FIRST response teams around the world. FIRST (the Forum of Incident Response and Security Teams) can tell you which agencies might best be able to help you in the event of a security incident; call 1-301-975-3359.

  • The CERT-CC (the Computer Emergency Response Team Coordination Center) may also be able to help you, or at least get information from your break-in to help protect others. Check www.cert.org. In an emergency, call 1-412-268-7090.

    You can find a great deal of general information on effective incident response planning at www.cert.org. CERT offers training seminars, libraries, security (bug) advisories, and technical tips as well.



Special Edition Using Microsoft Windows XP Professional (3rd Edition)
ISBN: 0789732807
EAN: 2147483647
Year: 2003
Pages: 450
