Preparing for a Cyberattack: Creating Contingency and Backup Plans
This article is featured in the magazine, Protecting Against Cyberattacks: A Guide for Public Safety Leaders. Download it now.
By Dr. Kenneth Williams, Executive Director, Center for Cyber Defense at American Military University
Organizational leaders are expected to conduct due diligence in order to protect valuable resources and assets within their information systems. While many leaders clearly understand this need and their responsibilities, very few have the expertise and technological background to make an informed decision about how to actually protect their systems from intruders.
The first thing leaders must understand is that an organization’s networked systems can never be 100 percent protected from attackers. No matter how many detection systems or proactive measures are installed to protect a network, there is no guarantee against intrusion.
The best way for an organization to protect itself is to prepare as if the network is going to be attacked. Then, the organization can take measures to mitigate the risk by developing strong contingency plans and instituting comprehensive backup and restoration measures to minimize data loss.
Creating Business Continuity Plans
Business continuity planning is the implementation of a comprehensive strategy to maintain business operations during a catastrophic event like a data breach or ransomware invasion. By creating contingency plans, an organization mitigates its risk and minimizes the loss of critical assets if an attack were to happen.
A continuity strategy should be planned and developed at the highest echelons of the organization and implemented throughout the organization. To begin, leaders must ask themselves some important questions, including:
- What are the critical interconnection points among people, processes, technologies, suppliers, and customers? What systems are vital for the operation? This could include phone systems, VPN networks, digital radio systems, and email, all of which are critical for operation.
- Assess all these current technologies and create a contingency plan to safeguard data within those systems, including backup, disaster recovery, vaulting, snapshots, and replication.
- If these critical systems were to go down, how could the organization maintain operations using alternative systems? Ideally, these alternative systems should be located far enough away not to be jeopardized during an attack.
- Who will be part of the incident response team? How will those people be notified? How will they notify others in the organization about the attack and changes to operational procedures?
- What are the recovery objectives and what is the organization’s recovery time profile?
In addition to developing detailed contingency plans that address those questions, it is vital for an organization to regularly review and practice these plans. Organizations should:
- Monitor the organization’s data flow processes.
- Refine contingency plans to address changes in personnel and infrastructure and/or changes in organizational strategy.
- Initiate a robust testing plan that documents and measures the results of all successes and failures. Execute such tests at least once per year using various scenarios.
- Schedule regular reviews and updates to business continuity plans to accommodate the changing nature of technology and any changes in the organization’s strategy.
- Repeat the entire process continuously.
Organizational System Backup Considerations
While a contingency plan defines how the organization will operate during an attack, the organization must also take steps to minimize potential loss of data and other information after an attack. The organization must have an effective backup plan in place to rapidly restore service following a cyberattack.
An organization’s backup strategy will depend on its operational priorities, as well as on its size and specific operational environment. For example, small organizations with limited networks can use digital devices such as thumb drives or DVDs to store important files, while larger organizations should consider online resources such as redundant arrays of independent disks (RAID), automatic failover, server clustering, or mirrored systems.
Organizational leaders should talk to their IT department about its backup strategy and ask questions such as:
- Are systems fully redundant and load-balanced?
- Is data mirrored so that if something happens, the system can be restored? One technique to consider that protects against data loss is the concept of Stripe and Mirror Everything (SAME). This assures robust flexibility through mirroring technologies at the database file level rather than the entire disk level. Mirroring at the file level is duplicating data in individual files instead of the entire hard drive; this saves space on the hard drive and increases speed.
- Are files spread across all available storage and not located in a single storage location?
- Does the organization have Service Level Agreements (SLAs) with commercial entities? SLAs are similar to a service contract with a telephone company or car dealer. It provides technical expertise to repair IT equipment, similar to a mechanic for a car.
- Is data backed up on different devices? This could include anything from magnetic disks, tape or optical disks, and thumb drives. It depends on the organization’s choice for backup, which could include electronic vaulting, network storage, or tape libraries.
- Does the department use automatic failover and server clustering? Automatic failover is when a hard drive fails and a backup hard drive automatically takes over the function without delay or interruption in service. Server clustering is when more than one server is used to increase the service to the user. This is similar to having a main server with multiple backup servers that will take over if the main server fails.
- Is the organization prepared for a loss of power during an attack? Organizations should consider implementing Uninterruptible Power Supply (UPS) to prevent data loss due to an unexpected power outage. UPS is designed to store enough energy in its internal battery to allow for active response time by users and for the safe shutdown of all systems.
When Are Backups Conducted?
It’s also important to clarify how and when backups of the network will take place. Regular backups of company data should be conducted either once a day or once a week, and usually during hours when the data and network are not in use, such as around 1:00 a.m. on Sunday morning.
Selecting a time when the system is not in use will lessen the chance that it will cause interruptions to regular business processes. There are three common methods for conducting backups:
- Full backup: This captures all files on the disks and occurs on a single medium. The time required for a full backup is greater than that of incremental or differential backup, but ensures a greater level of accuracy. Due to the associated time and cost, a full backup is usually performed during the initial phases or following a data restoration.
- Incremental backup: This captures files created or changed since the last backup and requires less time and cost to run than a full backup. One issue with this technique is the need to use different devices during recovery. For example, if differential backups are captured on different devices such as a tape and a USB drive, recovering the data will require access to each media separately.
- Differential backup: This type of backup is the storage of data since the last full backup, which occurs following a full backup, and is faster and less costly than a full backup. This type is considered slower than an incremental backup, but offers a faster recovery time. During recovery, a differential backup only requires the use of the full backup device and the differential backup.
Best Practices for Hardening a Network against a Cyberattack
Organizational leaders should also verify that their IT department is following best practices when it comes to hardening a network. Leaders should confirm the following recommendations are being followed:
- Select, purchase, and install all hardware, software, and licenses for the system.
- Verify the installation of antivirus software on all computers and turn on automatic updates.
- Configure all computers to use junk e-mail filtering and install spam filtering on the mail server.
- Turn on automatic software updates for all computers.
- Locate the server in a locked room with controlled access.
- Institute backup and restoration procedures across the entire organization. Implement daily backups with a full backup conducted weekly. Store the backed-up data in a location outside of the organization’s geographical area.
- Configure services on the server to enforce strong passwords of at least 10 characters with at least two uppercase characters, two lowercase characters, two numerals, and two special characters.
- Configure individual computers to log users out after a five-minute period of idleness, so that those users are required to log back on.
Data Breach Considerations
All organizations should operate under the assumption that a data breach will happen and create a plan to respond to an intrusion. Here are questions to ask your IT department about its breach response policies:
- What’s our breach containment procedure? Upon detection of a breach, the organization should immediately
- How will you notify affected individuals? The incident response team should be notified first, followed by affected managers and personnel. activate its designated incident response team. These initial steps will help the organization contain the spread of the virus to other networked systems and limit additional loss of data.
- How will you evaluate the risk of the breach? Upon detecting a breach, an organization needs to immediately and thoroughly evaluate the risks associated with the breach, including who was affected and what harm was done.
- How will you conduct a review of the incident to help you prepare for future breaches? After the incident has been addressed and remedied, it is important for IT staff to have policies in place to learn from the situation. They need to evaluate how the organization responded to the incident and work to refine and further prepare for future breaches.
User Education Considerations
Organizations should also plan for robust user awareness training. The importance of training should not be ignored as it is common knowledge that human error is considered the greatest threat to organizations’ information systems.
All users should receive training in critical areas, including incident handling, disaster recovery, securing data at rest, phishing, and safe home computing. This training will educate users on the importance of security, the proper handling of passwords, laptop security, virus prevention, safe internet browsing, and consequences for unsafe and illegal actions.
About the Author: Kenneth Williams, Ph.D., is the Executive Director of the Center for Cyber Defense at American Military University. He holds a doctoral degree in cybersecurity and a master’s degree in information security/ assurance from Capella University.
In addition, Kenneth is a Certified Information Systems Security Professional (CISSP) and holds Security+ and CompTIA certifications. In the past, he has also held positions such as president/chief information officer for Thelka Professional Associates; adjunct professor for Northern Virginia Community College, DeVry University, and Sullivan University; IT specialist/cybersecurity compliance auditor for the U.S. Army Inspector General; information system security/VOIP engineer and contract lead for the U.S. Army’s CECOM; and information system security engineer and technical manager/chief information officer for Onyma, Inc. He is an Army veteran with more than 24 years of active service. To contact the author, email IPSauthor@apus.edu. For more articles featuring insight from industry experts, subscribe to In Public Safety’s bi-monthly newsletter.