Step six: Good housekeeping
In the sixth in this series of articles Stewart Twynham of Bawden Quinn looks at good housekeeping, backup and recovery, and business continuity planning.
A word about security policy
A good security policy based upon the actual level of risk is at the heart of any secure business. All too often businesses either do nothing, or go out and spend lots of money on equipment such as firewalls and anti-virus in the belief that this alone will carry the day. In actual fact, only a well-rounded security policy will ensure comprehensive protection for your business, and regular housekeeping is a critical component of any security policy.
Patching and updating
Updating software is now a critical part of good housekeeping on any computer system. New vulnerabilities are found all the time in commercial software: around 7 for every day of 2002. Almost all of them required the relevant software company to release a patch or update, or to provide some form of advice about safe usage.
Yes, it can be a nuisance, it can be disruptive, but unfortunately it is a fact of life. With every step forward in technology, new opportunities arise which didn't exist before, not only for legitimate users but for criminals as well. Take the modern car: almost every car these days comes complete with remote-controlled central locking. Early implementations were incredibly insecure, giving anyone with a fairly basic understanding of electronics the ability to unlock your car, so manufacturers designed better, more sophisticated versions that were almost impenetrable. Yet, even now, anyone who steals the keys from your coat pocket or handbag can walk through the car park and easily find and steal your car just by pressing the remote control button a few times. No messing around trying the key in every car door.
This is very similar to software. Sometimes, through bad design or an oversight, software can have insecurities 'built in', making it easy to exploit. Yet, even if the software itself is secure, there will often exist extrinsic exploits or vulnerabilities that leverage the convenience of these new features, much like the thief that runs off with your car keys.
MYTH: Open source is secure
Every day, new vulnerabilities are discovered, and during September two very serious flaws affecting almost every Unix platform in some way were identified. The first affected SSH (the secure shell used in Unix, Linux, BSD, and many derivative platforms such as Nokia's IPSO, which is based on FreeBSD). It is believed that hackers had been exploiting this particular vulnerability for some months before it was publicly identified: free access to the source code is no guarantee that defenders find a flaw before attackers do, and it gives those hunting for exploits exactly the same head start as those hunting for fixes. The other affected Sendmail, the application used at the time to send around two-thirds of the world's email.
This should be a timely reminder to everyone that precisely NO software is secure, open source or otherwise, and that the greatest enemy of security is complacency.
Some simple steps to make patching as painless as possible:
- Patches for the Windows operating system can be downloaded from http://windowsupdate.microsoft.com
- Most other software companies have similar 'microsites' dedicated to security. Bookmark them.
- Your PC can be set to automatically download new patches as they arrive, but...
- ...ideally, patches and updates should first be checked on a test machine PRIOR to deployment, rather than installed across your entire network, only for you to discover that your entire accounts system no longer functions!
- Remain vigilant. Microsoft users can check the Microsoft security site for the latest Microsoft updates and advisories.
Backing up your data
It seems simple enough, and in fact almost all clients we meet claim that they back up their data. Okay, they might not back up regularly enough, they might not back up all the right files, they might not use the best media, they might not keep their backups particularly secure, and they might not have a disaster recovery plan in place, but they will at least back up something at some point.
There is, however, one thing that no client we have ever met has actually done except in a real emergency. No-one, it seems, has ever actually tried to completely restore their data! The most a client does is try to restore a file or a directory using the same tape drive that was used to back the data up, hardly a recipe for confidence!
The principle is this. What simpler way to fully test your backup than to have a spare machine, kept off-site, to which you restore all your data perhaps once a month? Here's the rationale: if you do this, you will be testing:
- That the backup media you are using is working
- That the media can be read by a different tape drive
- That there is actually data on the media
- That the data on the media isn't corrupted
- That the data on the media is complete
- That the system will restore completely and without a hitch
Operating systems, databases, email systems, and even PCs themselves are extremely complex these days. Why wait until everything has gone up in smoke (when time isn't exactly on your side) to discover whether or not you are able to recover anything, how long a full recovery might take, or that you have some bizarre hardware or driver problem which is preventing a reliable restoration?
In addition, by doing this once a month, you will always have a spare system located off-site which you can be certain is never more than a month out of date, useful if your database has just failed and you urgently need an important phone number.
Checklist for a successful backup:
- Perform backups regularly. A weekly backup could result in losing up to a week's work, so consider a daily backup if at all possible.
- Verify each backup, and check the logs regularly to ensure backups were successful.
- Make certain you back up everything you need (preferably the complete PC or server).
- Accounts software, databases, email systems, etc. can present difficulties for some backup software (open files and live databases are a common cause), so if in doubt don't just rely on the logs, but try restoring to a 'clean' PC.
- Use the right media. Hard disks are growing faster than backup media; it is best to back up to one tape rather than across several, where a single tape failure could render the whole backup set useless.
- Rotate your media. Keep at least some tapes off-site at all times, and never use the same tape on consecutive nights.
- Create an archive: a single tape pulled out once a month, kept as the archive copy for that month.
- Replace tapes each year. They have a finite life, and the data on them is far more valuable than the cost of the tape.
- Store tapes securely when on site. Fire or flood can destroy tapes, and be aware that many fire safes are rated for paper, not backup media. Remember that it takes just a second to steal backup media left on a reception desk, a nice prize for one of your competitors...
- Securely destroy or erase tapes no longer needed. Don't just throw them into the nearest bin!
- Test backups completely, as discussed above, preferably on a separate machine, kept off-site.
- Build a disaster recovery plan (more on this next).
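The full-restore test described above, and the "verify each backup" and "try restoring to a clean PC" items in the checklist, can be turned into a repeatable drill. The script below is an added example written for this article, not code from the original page or from Bawden Quinn: it backs up a directory with tar, records a SHA-256 manifest at backup time, restores the archive into a separate empty directory, and compares the restored tree against the manifest, so a missing, extra or corrupted file fails the drill. The sample data set, the directory names and the truncation used to simulate a failed tape are all constructed for the example.

```shell
#!/bin/sh
# Backup-and-restore drill (added example, not from the original article).
# A backup that has never been restored is not yet known to be a backup;
# this script makes the restore and the comparison the pass/fail criterion.

set -u

# Hash one file with whichever SHA-256 tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Write a sorted "hash  ./relative/path" line for every regular file under $1.
make_manifest() {
    (
        cd "$1" || exit 1
        find . -type f | sort | while IFS= read -r f; do
            hash_file "$f" || exit 1
        done
    )
}

# Back up directory $1 into archive $2, writing the manifest to $3.
# The final tar -t is the "verify" step that backup logs normally report.
backup_dir() {
    make_manifest "$1" > "$3" || return 1
    tar -C "$1" -cf "$2" . || return 1
    tar -tf "$2" > /dev/null
}

# Restore archive $1 into directory $2 (which must not already hold data) and
# verify the result against manifest $3. diff reports every file that is
# missing, unexpected or changed, so the check covers both integrity and
# completeness rather than just "the tape could be read".
restore_and_verify() {
    mkdir -p "$2" || return 1
    tar -C "$2" -xf "$1" || return 1
    make_manifest "$2" > "$2.manifest" || return 1
    diff "$3" "$2.manifest"
}

# Drill 1: a good archive restores completely. Uses a small constructed data
# set standing in for the accounts and mail directories mentioned in the text.
run_drill() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/live/accounts" "$work/live/mail"
    printf 'invoice,1001,250.00\n' > "$work/live/accounts/ledger.csv"
    printf 'From: sample\nhello\n' > "$work/live/mail/inbox.mbox"
    backup_dir "$work/live" "$work/monday.tar" "$work/monday.manifest" \
        && restore_and_verify "$work/monday.tar" "$work/restore" "$work/monday.manifest"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Drill 2: a truncated archive (simulating a tape that failed part-way through)
# must NOT pass. Returns 0 only if the verification correctly rejects it.
drill_detects_truncation() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/live"
    printf 'important data\n' > "$work/live/data.txt"
    backup_dir "$work/live" "$work/tuesday.tar" "$work/tuesday.manifest" || return 1
    head -c 600 "$work/tuesday.tar" > "$work/truncated.tar"
    if restore_and_verify "$work/truncated.tar" "$work/restore" "$work/tuesday.manifest" >/dev/null 2>&1; then
        rm -rf "$work"; return 1    # a broken backup passed: that is the real failure
    fi
    rm -rf "$work"
    return 0
}
```

In practice you would point backup_dir at the live data and restore_and_verify at the spare off-site machine, and keep the manifest with the archive so the monthly drill has something independent to compare against. The script does not exercise the other item on the list above, reading the media in a different drive; only a physical second drive can test that.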
Business Continuity Planning
Disasters happen, and 85% of businesses that suffer a serious disaster aren't trading 18 months down the line. NOW is the time to plan for a disaster, not when it happens; by then it is too late. The subject of business continuity planning is too big to cover here in its own right; these, however, are the elements you must consider:
- The conditions for activating the plan: what qualifies as a 'disaster'
- Emergency procedures: what to do at the point of disaster
- Fallback procedures: bringing business processes back on-line in an agreed timeframe
- Resumption procedures: how to shift back to normal operation
- A maintenance schedule, which updates and tests the plan
- Awareness and education, to ensure that staff are aware of the plans
- Responsibility and accountability of the individuals key to the plan
In our experience, one of the key elements that is often overlooked in business continuity planning is time. Take something as simple as a hard drive failure where you need to restore data from a tape drive. By the time the fault has been found, the broken hard drive has been replaced, the tape backup restored and the system tested, one or two days may have passed before the 'resumption' phase can commence. This excludes merging back all the new data that was entered onto the fallback system in the meantime.
Remember, in the words attributed to Eisenhower, 'Plans are nothing; planning is everything'. The fact that you have at least considered the logistical issues that can present themselves following a disaster may well save your bacon when one happens. Some examples:
- Do you have access to hardware on which to restore and run your systems and access your data?
- Do you have access to backup copies of the software you use? Waiting a week for a set of CDs to be posted to you is unlikely to be much fun...
- Do you have copies of all important licence numbers, keys, usernames and passwords, or are they likely to have been lost in the fire, flood or theft?
- Can you get access to your email, web site, phone and fax lines following a disaster?
- What does your insurance policy cover? Is there anything it doesn't cover?
Next week: Training, Acceptable Use Policies and Legislation. Users are often the weakest link when it comes to information security, yet if employers are not careful, they can find themselves in a legal minefield.
Further reading: Information security series
- Step 1: Identify your assets
- Step 2: Understanding the threats and vulnerabilities
- Step 3: Things that turn threats and potential loss into risk
- Step 4: The firewall
- Step 5: Tackling viruses and spam
- Step 6: Good housekeeping
- Step 7: Training, acceptable use policies and legislation
- Step 8: Domain name purchase and protection