Amir Roknifard
Amir Roknifard is a cyber security professional with years of professional experience and a proven track record in cyber security management and risk consulting, helping boards to better manage their cyber risk and transform their cyber security practices. He is the founder of Academician Journal, which aims to close the gap between academia and the InfoSec industry. He has also authored and reviewed books, published articles, and developed a master's degree program in cyber security.

Hack Recovery

What do we do if everything blows up? How do we keep things running? Should we add hacking to our planning?

Business continuity (BC) / Disaster recovery (DR)

Basically, a disaster recovery plan is carried out while everything is still in emergency mode and everyone is scrambling to get all critical systems back online, whereas a business continuity plan takes a broader approach to the problem. This includes getting critical systems running in another environment while the original facilities are being repaired, getting the right people to the right places, and doing business in a different mode until regular conditions are restored. Put simply, disaster recovery deals with, “Oh my goodness, the sky is falling,” and business continuity planning deals with, “Okay, the sky fell. Now how do we stay in business until someone can put the sky back where it belongs?”1

Why BC/DR plan?

Nowadays the Internet can seem like the Wild West. Hackers are everywhere and have been attacking, and successfully taking down, web sites of all types. Government and corporate, public and private: anybody, it seems, can be a target for these attacks. Whether the motive is a political statement or simply fun, for hacktivists and black hat troublemakers alike, the end result is that hacking is now a real cause of downtime. Businesses lose profit during downtime, but not all organizations are businesses that exist to make a profit. Government agencies, military units, nonprofit organizations, and the like exist to provide some type of protection or service to a nation or society, and downtime interrupts that service too.

A typical scenario

Figure 1 shows the cost of a website outage of just a couple of hours. Whether you run an eBusiness website or not, the revenue and reputation damage from an outage can be astronomical.

Figure 1: the cost of a website outage

When dealing with disaster recovery, the most common causes of downtime are power outages, infrastructure failures, human error, and natural disasters. But suffering a denial of service (DoS) attack is generally not at the forefront of leaders’ minds. Whether it is an unintentional denial of service or a distributed denial of service attack by hackers, the difficulty lies in predicting the occurrence of, and protecting yourself against, downtime.2

Disaster types

A disaster is a sudden, calamitous event that seriously disrupts the functioning of a community or society and causes human, material, and economic or environmental losses that exceed the community’s or society’s ability to cope using its own resources. Though often caused by nature, disasters can have human origins. A disaster occurs when a hazard impacts vulnerable people, places or services.3
In other words, a disaster takes place when the following three conditions occur at the same time:
  • people live in hazardous places or rely on critical or vital services,
  • a hazardous phenomenon occurs, be it natural or human-made,
  • the phenomenon also causes a lot of damage, especially where no preventive measures have been taken.4
There are certainly many classification systems for disaster levels, but following a British military classification system for threat levels in battle situations, we can classify disaster levels as:5
  • Level 1 – Threat of disaster without evidence,
  • Level 2 – Actual attack without data loss,
  • Level 3 – Minor data/system loss,
  • Level 4 – Major data/system loss,
  • Level 5 – Total loss.

Disaster recovery plan

An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan. Priorities and recovery time objectives for information technology should be developed during the business impact analysis. Technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery. Businesses large and small create and manage large volumes of electronic information or data. Much of that data is important. Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential. Of course, there are many different steps involved in a disaster recovery plan, but here we discuss only the most important ones, which should be present in every disaster recovery plan.

IT Recovery Strategies

Recovery strategies should be developed for information technology (IT) systems, applications and data. This includes networks, servers, desktops, laptops, wireless devices, data and connectivity. Priorities for IT recovery should be consistent with the priorities for recovery of business functions and processes that were developed during the business impact analysis (BIA). Information technology systems require hardware, software, data and connectivity. Without any one component of the “system,” the system may not run. Therefore, recovery strategies should be developed to anticipate the loss of one or more system components, such as the computer room environment, hardware, connectivity to a service provider, software applications, and data and its restoration. Some business applications cannot tolerate any downtime. They utilize dual data centers capable of handling all data processing needs, which run in parallel with data mirrored or synchronized between the two centers. Businesses should develop an IT disaster recovery plan. It begins by compiling an inventory of hardware (for example servers, desktops, laptops and wireless devices), software applications and data. The plan should include a strategy to ensure that all critical information is backed up.

Alternate process sites

One of the most important elements of the disaster recovery plan is the selection of alternate processing sites to be used when the primary sites are unavailable. Many options are available when considering recovery facilities, limited only by the creative minds of disaster recovery planners and service providers. Several types of sites are commonly used in disaster recovery planning: cold sites, warm sites, hot sites, mobile sites, service bureaus, and multiple sites.

Emergency response

A disaster recovery plan should contain simple yet comprehensive instructions for essential personnel to follow immediately upon recognizing that a disaster is in progress or is imminent. These instructions will vary widely depending on the nature of the disaster, the type of personnel responding to the incident, and the time available before facilities need to be evacuated and/or equipment shut down.
Emergency-response plans are often put together in the form of checklists provided to responders. When designing such checklists, keep one essential design principle in mind: arrange the checklist tasks in order of priority, with the most important task first! It is also good to have a small team, a CSIRT (computer security incident response team), in the organization to handle every kind of crisis and give a proper response to all security issues.

Data backup

Businesses generate large amounts of data, and data files change throughout the workday. Data can be lost, corrupted, compromised or stolen through hardware failure, human error, hacking and malware. Loss or corruption of data could result in significant business disruption. Data backup and recovery should be an integral part of the business continuity plan and the information technology disaster recovery plan. Developing a data backup strategy begins with identifying what data to back up, selecting and implementing hardware and software backup procedures, scheduling and conducting backups, and periodically validating that data has been accurately backed up.
Data should be backed up as frequently as necessary to ensure that, if data is lost, the amount lost is not unacceptable to the business.6
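As an added illustration (not code from the original article or from the bank project it describes), the following Python script implements the last step of the backup strategy above, periodic validation: it writes a hash manifest when a backup is taken, later verifies that every file is still present and unchanged, and checks the backup's age against a recovery point objective (the maximum acceptable age of the newest backup, which is how "not unacceptable to the business" becomes a measurable number). The file names, contents and timestamps are constructed sample values.

```python
import hashlib, json, tempfile, time
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large backup images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir, manifest_path, taken_at=None):
    """Record when the backup was taken and the hash of every file in it."""
    backup_dir = Path(backup_dir)
    files = {str(p.relative_to(backup_dir)): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest = {"taken_at": taken_at or time.time(), "files": files}
    Path(manifest_path).write_text(json.dumps(manifest))
    return manifest

def verify_backup(backup_dir, manifest_path):
    """Return (ok, problems): files missing or whose hash changed since the backup."""
    backup_dir = Path(backup_dir)
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupt: {rel}")
    return (not problems, problems)

def within_rpo(manifest_path, rpo_seconds, now=None):
    """True if the newest backup is no older than the recovery point objective."""
    manifest = json.loads(Path(manifest_path).read_text())
    return (now or time.time()) - manifest["taken_at"] <= rpo_seconds

def demo():
    """Constructed sample backup set (not real bank data): verify, damage it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        bdir = Path(tmp, "backup"); bdir.mkdir()
        (bdir / "ledger.db").write_bytes(b"constructed ledger contents")
        (bdir / "config.ini").write_text("mode=dr\n")
        mpath = Path(tmp, "manifest.json")
        write_manifest(bdir, mpath, taken_at=1_000_000)  # constructed timestamp
        ok_before, _ = verify_backup(bdir, mpath)
        (bdir / "ledger.db").write_bytes(b"bit rot")  # simulate silent corruption
        (bdir / "config.ini").unlink()                # simulate a lost file
        ok_after, problems = verify_backup(bdir, mpath)
        return {"ok_before": ok_before, "ok_after": ok_after, "problems": sorted(problems),
                "rpo_fresh": within_rpo(mpath, 4 * 3600, now=1_000_000 + 3600),
                "rpo_stale": within_rpo(mpath, 4 * 3600, now=1_000_000 + 6 * 3600)}
```

Run `demo()` on a schedule (or adapt it to a real backup directory) and alert on any problem list or a failed RPO check; a backup that is silently corrupt or too old is exactly the gap this validation step is meant to catch before a disaster does.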

A real-world disaster recovery project

To show how a typical disaster recovery plan is put into practice, a real project carried out in an enterprise bank illustrates the reality. As Figure 2 shows, a three-layer structure is adopted to prepare a disaster recovery plan capable of protecting the business from loss. On the first layer sit all systems that should be covered by the disaster recovery plan. In case of any disruption to services, the backup system takes over as a predefined solution, and after the services are reconnected, data is transferred back to the servers automatically. On the second layer, backup and deployment servers are located; in combination, they form the disaster recovery system for the different situations. To keep data on this layer, mass storage devices are used so that the task is performed at high speed. Using this layer, data can be restored very quickly on a predefined schedule. On the third layer, tape machines keep the data on the shelf, which is suitable for retaining data for a longer period of time. Because of the importance of the data, several backup copies are kept in different places in two warm sites, which are located in a different geographical location.

Figure 2: three-layer model disaster recovery plan for a bank

Figure 3 compares different types of devices with regard to reliability and recovery time.

Figure 3: multilevel data protection and recovery comparison

The following flowchart (Figure 4) shows the steps in the backup plan used for the bank’s servers.

Figure 4: backup plan flowchart for the bank’s servers

Hacking recovery plan

It’s unlikely that your company will be hit by a Level 3 or Level 4 disaster during the year, but what about a hack attack? The threat of hackers breaching your company’s network and computer systems is a real and present danger, and an attack could cause serious problems for your IT infrastructure and, as a result, interfere with business operations. Therefore, a hacking recovery plan should be a part of any comprehensive disaster recovery plan. Here are some steps that should be included in your hacking recovery plan.7
1. Disconnect external lines
If the attack came from the Internet, taking down external lines will make it harder for the hacker to further compromise any machines.
2. Check the wireless media
If you use wireless infrastructure in your network, monitor all access points for breaches; changing all security codes is essential.
3. Scan for affected machines
Make sure you check every machine that could potentially have been hacked for signs of compromise. Also check whether rootkits and other hacking tools have been installed on the computer.
4. Disable suspicious user accounts
If any user account looks suspicious or may have been a victim, disable it.
5. Change passwords
This especially includes the Administrator account and accounts used to start services on the server. Consider complexity in your password policy.
6. Preserve the data
If possible, buy replacement hard drives for the hacked computers so that you can preserve the evidence of the hacking activity on the compromised drives. After you have restored the network, you can review this information to learn more about the hack.
7. Identify and address the vulnerability
Run a vulnerability assessment to identify weak points.
8. Rebuild the machine
After a machine has been hacked, it is almost impossible to completely clean it of all hacking tools. The only way to be sure the machine is clean is to format the hard drives and rebuild the computer from scratch.
9. Bring the network back up
Make sure you have closed all the holes in your network to prevent the hacker from returning, and monitor the network carefully.
10. Perform forensic analysis on the hard drives
Document each hacking tool that you find on a computer. This information is useful for your vulnerability assessment and penetration testing practices.

Summary

As you can see, the disaster recovery plan should be developed in conjunction with the business continuity plan. Both are parts of the complete business continuity/disaster recovery plan, and if one is missing, the plan will not work properly. While business continuity is very important, during the disaster recovery phase we are still facing the phenomenon itself, so disaster recovery can be called the vital part. Therefore we need to make sure that our disaster recovery plan is healthy and ready to work for us by keeping it up to date. Checking the disaster recovery plan from time to time is advised; this mostly concerns the backup part of the plan, which means that checking the backup system and files should be a regular practice in an enterprise.

1. Harris, Shon. CISSP All-in-One Exam Guide, 3rd ed. Osborne/McGraw-Hill, 2005.
2. http://blogs.forrester.com/rachel_dines/12-02-16-its_time_to_add_hacking_into_your_disaster_recovery_plans_as_a_potential_risk_for_downtime
3. http://www.ifrc.org/en/what-we-do/disaster-management/about-disasters/what-is-a-disaster/
4. http://www.unisdr.org/2004/campaign/booklet-eng/Pagina5ing.pdf
5. http://www.techrepublic.com/article/classification-system-for-disaster-levels/
6. http://www.ready.gov/business/implementation/IT
7. http://windowsitpro.com/security/planning-hack-attack