Data Recovery


It has often been said that you can lose no more information than that which has been created or changed since your last backup. This is true. However, destruction of data is only one of many goals that the hacker might have. The hacker may want to make copies of your information. Having the information compromised may be more costly to the company than the loss of that information. If the system has information that is confidential, then it should be transmitted and stored in an encrypted form. This gives you that one additional layer of security to protect the information from prying eyes. Or the hacker may just want to use the resources that the system has to offer. It may be very annoying to have a hacker using your system, but it may be less costly than having a hacker who takes or destroys your information.

Generally, the data on a system are the most valuable assets in the data center. Restoring the data on a system that has been compromised is usually of prime importance. However, it may be more important to secure the system first, which will require determining the cause and repairing the problem, so that when the data are restored, there will be some level of confidence that the restored data will be able to maintain their integrity.

The restoration of data may take any of a number of forms based on the type of attack and the business decisions on how to restore data. It may be enough to validate the integrity of the online data, or it may be more appropriate to restore the system from a backup (a known good backup), or the data may have to be re-created from processing. The level of system compromise may have to be evaluated before the restoration process is chosen. If compromised data are not discovered and remain on the system after you have closed the security incident and have returned to business as usual, that data could affect business decisions, production processes, and people's lives for a very long time.

  • Availability: Restoring the availability of data is usually the first step in a recovery scenario. The data must be restored to a known good state, generally from a known good backup, or the data may have to be re-created from processing. If there are changes to be made to make the data current, they must be applied. The data must be restored before services can be made available to the users.

  • Integrity: It may be enough to validate the integrity of the online data, or it may be more appropriate to restore the system from a backup. If the data have been changed or altered but not destroyed, it may be very difficult to identify the compromised data. The process of verifying the integrity of the data can be a lengthy one, as every data item has to be checked by comparison to a known good copy or by cryptographic checksum.

  • Confidentiality: When an information system has been compromised, one must assume that the confidentiality of the information has also been compromised. Once the confidentiality of data has been compromised, it cannot be restored; only the scope of the damage can be controlled. Stopping the spread of the data is the prime concern. If the intruder can be caught, it might be possible to limit the compromise to the intruder. If the spread of the information cannot be stopped, then reactive measures must be implemented to limit the impact of the compromise.
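The integrity check described above, checking every file against a known good copy by cryptographic checksum, as an added example that is not code from the book: a manifest of SHA-256 digests is recorded while the tree is trusted, and after an incident the live tree is compared with it to list files that were changed, removed or added. The manifest format (relative path, a tab, hex digest) and the sample tree are assumptions of this example.

```python
"""Added example, not code from the book: check a live file tree against a
manifest of known-good SHA-256 digests and report every file that was
changed, removed or added. The manifest format (relative path, a tab,
hex digest) is an assumption of this example."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root.
    Symlinks are skipped: hashing their target would follow them out of the tree."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order regardless of filesystem
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """Store the manifest one file per line; keep this copy off the host or read-only."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{rel}\t{manifest[rel]}\n")


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                rel, digest = line.rsplit("\t", 1)
                manifest[rel] = digest
    return manifest


def verify_tree(root, known_good):
    """Compare the live tree with the known-good manifest.
    Returns sorted lists of changed, missing and unexpected relative paths."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in known_good if p in current and current[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in current),
        "unexpected": sorted(p for p in current if p not in known_good),
    }


def demo():
    """Constructed scenario: record a manifest of a small tree, then alter the
    tree the way an incident might (one file edited, one deleted, one added)
    and verify it. Every path and content here is made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "data")
        os.makedirs(os.path.join(tree, "etc"))
        files = {"etc/hosts": "127.0.0.1 localhost\n", "etc/motd": "welcome\n"}
        for rel, text in files.items():
            with open(os.path.join(tree, rel), "w") as f:
                f.write(text)
        manifest_path = os.path.join(tmp, "known_good.sha256")
        write_manifest(build_manifest(tree), manifest_path)  # taken while the tree is trusted

        with open(os.path.join(tree, "etc/hosts"), "a") as f:
            f.write("192.0.2.10 mirror\n")  # constructed change (TEST-NET-1 address)
        os.remove(os.path.join(tree, "etc/motd"))
        with open(os.path.join(tree, "etc/extra"), "w") as f:
            f.write("unexpected\n")

        return verify_tree(tree, read_manifest(manifest_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The manifest is only as trustworthy as its storage: keep it on read-only or off-host media, since an intruder who can edit both the file and its recorded digest defeats the check. Note that a matching digest says the content is unchanged; permissions and ownership still need a separate comparison.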

You must test your recovery process beforehand to make sure you can fully recover data in the event of an emergency.

Never recover in place any critical files such as /etc/passwd, or those in /tcb/files. Instead, restore the file to a temporary directory (do not use /tmp) and give this directory permissions "drwx------", preventing anyone else from using it. Compare the restored files with those to be replaced. Make any necessary changes.
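The staged-restore procedure above, as an added example that is not code from the book: a private staging directory is created with mode drwx------ (and the mode verified), the backup copy of each critical file is restored into it, and the restored copy is compared with the live file so the differences can be reviewed before anything is overwritten. The restore tool is passed in as a callable, because the real one (frecover, tar, and so on) differs per system; that callable, the stand-in copy-from-backup used here, and the sample password-file lines are all assumptions of this example.

```python
"""Added example, not code from the book: restore critical files into a
private staging directory (drwx------), compare them with the live copies,
and report the differences before anything is overwritten. The restore tool
itself (frecover, tar, ...) is passed in as a callable, an assumption of
this example, because it differs per system."""
import difflib
import filecmp
import os
import shutil
import stat
import tempfile


def make_private_restore_dir(parent):
    """Create a fresh directory under parent that only the caller can use.
    parent should be a directory the administrator controls, not /tmp."""
    old_umask = os.umask(0o077)
    try:
        path = tempfile.mkdtemp(prefix="restore.", dir=parent)
    finally:
        os.umask(old_umask)
    os.chmod(path, stat.S_IRWXU)  # drwx------ even if mkdtemp's default ever changes
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o700:
        raise RuntimeError(f"{path} has mode {oct(mode)}, expected 0o700")
    return path


def stage_and_compare(restore_fn, staging_dir, live_root, rel_paths):
    """Run restore_fn(rel_path, destination) for each file, then compare the
    staged copy with the live one. Returns {rel: (status, diff_lines)} where
    status is 'identical', 'differs', 'missing_live' or 'missing_restored'."""
    report = {}
    for rel in rel_paths:
        staged = os.path.join(staging_dir, rel)
        live = os.path.join(live_root, rel)
        os.makedirs(os.path.dirname(staged), mode=0o700, exist_ok=True)
        restore_fn(rel, staged)
        if not os.path.isfile(staged):
            report[rel] = ("missing_restored", [])
        elif not os.path.isfile(live):
            report[rel] = ("missing_live", [])
        elif filecmp.cmp(staged, live, shallow=False):
            report[rel] = ("identical", [])
        else:
            with open(staged) as a, open(live) as b:
                diff = difflib.unified_diff(a.readlines(), b.readlines(),
                                            fromfile="restored/" + rel,
                                            tofile="live/" + rel, n=0)
            report[rel] = ("differs", [line.rstrip("\n") for line in diff])
    return report


def demo():
    """Constructed scenario: a backup copy of /etc/passwd-style data and a live
    copy that has gained one extra line since the backup. All content is made up."""
    backup_text = ("root:x:0:0:root:/root:/bin/sh\n"
                   "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
    live_text = backup_text + "guest:x:1001:1001::/home/guest:/bin/sh\n"
    with tempfile.TemporaryDirectory() as work:
        backup_root = os.path.join(work, "backup")
        live_root = os.path.join(work, "live")
        for root, text in ((backup_root, backup_text), (live_root, live_text)):
            os.makedirs(os.path.join(root, "etc"))
            with open(os.path.join(root, "etc", "passwd"), "w") as f:
                f.write(text)

        def restore_from_backup(rel, destination):
            # Stand-in for the real restore tool: copy the backup's file to the staging path.
            shutil.copyfile(os.path.join(backup_root, rel), destination)

        staging = make_private_restore_dir(work)
        report = stage_and_compare(restore_from_backup, staging, live_root, ["etc/passwd"])
        staging_mode = stat.S_IMODE(os.stat(staging).st_mode)
        return {"staging_mode": staging_mode, "report": report}


if __name__ == "__main__":
    result = demo()
    print("staging dir mode:", oct(result["staging_mode"]))
    for rel, (status, diff) in result["report"].items():
        print(rel, status)
        print("\n".join(diff))
```

The diff is read from the restored copy toward the live one, so a line marked "+" exists only on the live system and is exactly what the administrator must judge before deciding which version to keep. Comparing content alone is not the whole job: ownership, mode and ACLs of the live file should be compared the same way before it is replaced.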

Backup Strategy

The old backup theory of doing full backups weekly and incremental backups daily took nothing into account except efficiency of tape rotation. A backup strategy should be based on the needs of the data which are being protected. Different types of data have different requirements. Some data are very transient and have little shelf life, so there is no need for long-term storage of this data, while other information, such as security logs, needs to be kept for a long time since it is not known when it will be needed.

The timing of backups should take into account the flow of the information. Backups should be scheduled directly after significant changes to the data have taken place, if possible. Backups should minimize losses and make recovery as efficient as possible.

Media retention schedules should be determined by the retention requirements of the data they contain. Data with similar retention needs and security requirements can be grouped on common media for convenience. Keep archives for a minimum of six months, then recycle the media.

Backup media deserve the highest level of security since they contain all of the system's data. Label backup tapes and store them securely. Off-site storage provides maximum security. Access to the media should be allowed only with proven need.

Examine the log file of the latest backups to identify problems occurring during backup. The backup log file should have restrictive permissions set.

Linux

One of the most used and most useful backup systems is the Advanced Maryland Automatic Network Disk Archiver, Amanda. It is a sophisticated network backup system that can back up all the systems on a network to a backup device on a single server. It supports many different types of systems.

Amanda is not actually a backup program; rather, it is a wrapper that manages other backup programs.

It has strong tape management services which help maintain a large repository of networked backups. It keeps track of which backups are on which tapes and can print out labels and directories.

HP-UX

The prescribed backup and recovery software for HP-UX is fbackup and frecover. These are the only utilities which can back up and recover files selectively and retain access control lists (ACLs).

Frecover maintains the permissions which the file had when it was backed up. An index of a backup tape can be previewed with frecover using the "-I" option, but frecover prevents you from reading the file if the permissions on the file forbid it. Frecover allows you to overwrite a file. However, the file retains the permissions and ACLs set when the file was backed up.

Fbackup is integrated into the menu-based administration interface, SAM, which allows delegation of privileges. Backup operators can be given restricted SAM access to perform backup and recovery procedures without being given full root access.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
