
Steps for Planning for Cyber Resiliency

Prevention

1) Verify all security settings for systems: access and administration at all levels, software including operating systems and applications, networks, and other management/monitoring tools. A plan for auditing and regularly updating security settings should be developed and followed. This should be exercised according to governance practices, but at least monthly.

2) Tools used to detect attempts to penetrate the environment should be implemented and tested periodically. These tools continue to evolve and will require continual updating and transitioning to improved tools.

Detection

Detection of an attack in progress is done through a limited number of means:

  • Log analysis software collects logs from software and hardware systems and analyzes them to determine whether suspect activity is occurring. This software alerts, notifies systems/software that can be used to freeze activity, and reports on detailed activity that can be used to identify the point in time of an attack.
  • Software that interacts with data, such as backup software, monitors access to the protected data and can determine whether anomalous activity is occurring. The actions taken upon detection vary and are usually configurable.
  • Some storage systems used for data protection (backup targets) can monitor for anomalous activity, similar to backup software. These systems report on the activity and may also take action based on control settings.

Recovery

There is great variance in recovery processes depending on the environment (systems and software). There are some general considerations, but a detailed understanding of recovery requires working with technical staff who understand the environment and the organization's requirements.

1) The first step is to understand what might be required in a recovery following a cyber-attack. The most expedient starting point is an existing Disaster Recovery (DR) plan. It serves as an outline into which the reasons for recovery, an understanding of the potential for altered/infected data, and the implications of that can be introduced.

2) The recovery sequence from a cyber attack is what will be developed first, using the DR recovery sequence as an outline (without a DR plan that includes a detailed sequence of actions, the effort becomes much greater).

    1) The first consideration is to add steps to validate the information before proceeding. 'Was the data protected before the problem/infection occurred?' is the first question, assuming the time of the first indication of an attack is known. This is where identifying the different recovery copies and understanding the recovery points becomes critical, and the expertise of the staff and their data protection strategy is important. Some primary storage systems can make copies of data as 'logical air gaps' that can be used to reduce the recovery point and recovery time. These storage systems need to be factored into the recovery strategy if they are available.
    2) Dependencies such as recovering identity and access management credentials and authentication systems must be addressed first, as these have been major targets for compromise in attacks.
    3) The recovery sequence will depend heavily on the expertise of the staff, on knowing the relationships between data and applications, and on the status of the protected copies.

3) An existing DR plan is an expedient outline once it is understood what data could be infected/altered and which systems could be compromised. Examining the DR plan with a focus on where recovery from a cyber attack would differ leads first to additional investigation that may be needed and then to the insertion of additional steps for this type of recovery. Adding steps to identify a 'known good copy' of the data and to validate that data is the first consideration. Another is the 'sandbox.' Propagation of an infection/alteration during recovery is a major concern. To address this, recovering data to a trial area, termed a 'sandbox', where tests can be done to prove the validity of the recovered data, is an additional, time-consuming step that needs to be taken.

4) Exercising the recovery from a cyber attack must be added to the regular process for IT operations.
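As an added example (not part of the original article) of two of the recovery steps above, the following Python selects the recovery copies whose recovery point precedes the first indication of the attack and validates files recovered into a sandbox against a hash manifest recorded while the data was known good; the copy inventory, file names and contents are constructed for the illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
# Constructed inventory of recovery copies (hypothetical names and recovery points).
RECOVERY_COPIES = [
    {"name": "nightly-05-01", "recovery_point": "2024-05-01T02:00:00Z"},
    {"name": "nightly-05-03", "recovery_point": "2024-05-03T02:00:00Z"},
    {"name": "nightly-05-04", "recovery_point": "2024-05-04T02:00:00Z"},
]
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def candidate_copies(copies, first_indication):
    """Copies whose recovery point precedes the first indication of the attack,
    newest first: the newest is the best 'known good' starting point."""
    cutoff = parse_ts(first_indication)
    good = [c for c in copies if parse_ts(c["recovery_point"]) < cutoff]
    return sorted(good, key=lambda c: parse_ts(c["recovery_point"]), reverse=True)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_sandbox(sandbox_dir, manifest):
    """Check files recovered into the sandbox against SHA-256 hashes recorded
    while the data was known good; promote nothing unless 'ok' is True."""
    root = Path(sandbox_dir)
    missing = [r for r in manifest if not (root / r).exists()]
    altered = [r for r, h in manifest.items()
               if (root / r).exists() and sha256_file(root / r) != h]
    return {"altered": altered, "missing": missing, "ok": not altered and not missing}

def demo_validation():
    """Constructed walk-through: record a manifest, 'recover' the files into a
    sandbox with one file altered and one missing, then validate."""
    known_good = {"db/orders.dat": b"order 1\norder 2\n", "cfg/app.ini": b"mode=prod\n"}
    with tempfile.TemporaryDirectory() as sandbox:
        for rel, data in known_good.items():
            p = Path(sandbox) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = {rel: sha256_file(Path(sandbox) / rel) for rel in known_good}
        (Path(sandbox) / "db/orders.dat").write_bytes(b"order 1\nALTERED\n")  # simulated alteration
        manifest["cfg/secrets.ini"] = "0" * 64  # expected file not present in the recovered set
        return validate_sandbox(sandbox, manifest)
```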

Author Information

Randy Kerns

Randy has written numerous industry articles and papers as an educator and presenter, and he is the author of two books: Planning a Storage Strategy and Information Archiving – Economics and Compliance. The latter is the first book of its kind to explore information archiving in depth. Randy regularly teaches classes on Information Management technologies in the U.S. and Europe.
