Reasons for making backups
30 August 07 - 11:44
Every company makes backups. However, I have seen several occasions where backups were not working as expected.
There are three reasons for making backups:
- In case of a technical failure or a user error, files are accidentally deleted and need to be restored;
- After a physical disaster, a recovery must be performed on another site;
- Some data must be kept available for a long time; this is also called archiving.
I will discuss all three reasons below.
Deleted or damaged files
In case of a user error (for instance, someone deletes an important email or a Word document), it can be necessary to restore a file. Data recovery can also be needed after a virus outbreak.
Therefore, backups of these files need to be made on a regular basis (usually daily). It is recommended to have the backups available during the day for easy recovery if a user makes a mistake, so the backups should not be stored at a far-distant site.
Remark: Storing data on synchronized disks on another site will not work in this case! When a file is deleted or infected with a virus, the copy on the synchronized disk is unusable as well.
There will always be a period in time where a file can be lost and no backup is available. For instance, if someone deletes a newly created Word document before a backup of it is made, the file is lost. There are technical solutions for this, like always keeping an online copy of all files, but these are too expensive and too complex for normal situations.
Disaster recovery
In case of a catastrophe, like a fire, flooding, terrorist attacks, collapsing buildings or explosions, physical media are no longer available. Backups must be available to restore the original situation (on another site).
Therefore it is important to have backups not only of the data, but also copies of the operating systems and of the (paper) procedures to build up a new system. A good backup site is also recommended, as well as the possibility to have new hardware available as fast as possible.
Backups for disaster recovery need to be stored in a safe place, outside of the building, so they will not be destroyed in case of a disaster. Experience has shown that there must be a distance of at least 5 km between the main site and the backup site.
It is crucial to test the restore procedure at least every year, including building up new hardware!
Archiving
Backups for archiving must be stored for the period specified by law and by the company's internal procedures. Obviously the backup media must be stored in a safe place, under good climate conditions (temperature, humidity, etc.). Here is my article about archiving.
Backup and business demands
There is no reason to back up data that cannot be restored. I have seen several cases of this in practice.
One example was a UNIX server with a very complicated file structure. The server could be backed up, but restoring all data to a new machine would take weeks to complete. This was obviously unacceptable for the business, so they stopped backing up the data on tapes and created another solution for safeguarding data.
A second example was a public-sector company that was part of a supply chain. The company could restore its data, but this was only feasible if all other companies in the supply chain also restored their data. This would take the whole chain a few days back in time, which was of course unacceptable.
A very interesting article about backups is "The TAO of Back-up".
The 10 domains of Security
16 August 07 - 11:43
The International Information Systems Security Certification Consortium, also known as (ISC)2, is the organisation that develops and administers the CISSP exam. CISSP stands for Certified Information Systems Security Professional.
(ISC)2 created a so-called Common Body of Knowledge (CBK), of which every CISSP must have knowledge and a deep understanding. The CBK consists of the following 10 domains:
- Security Management Practices
- Access Control Systems
- Telecommunications and Networking Security
- Cryptography
- Security Architecture and Models
- Operations Security
- Application and Systems Development Security
- Business Continuity Planning and Disaster Recovery Planning
- Law, Investigation, and Ethics
- Physical Security
As you can see, IT security consists of much more than just Cisco access lists or PKI infrastructures. These are security issues, of course (domains 2 and 4 respectively), but the field of knowledge is much wider.
In later articles I will describe all 10 domains in detail.
Log analysis - Use your logging information
02 August 07 - 11:44
For a client I am implementing a log analysis solution. All logging of all servers, network components and appliances is sent to one system. From this system, reports can be generated from the log information, and the logging can be used for analysis.
There are two reasons for using log data:
- Reports can be generated about (security) trends;
- Logs can be used to investigate incidents. They could be used for evidence in forensic analysis, when someone broke company rules or the law.
Log analysis solutions are regularly used for compliance reasons, like SOX, COBIT or Basel II demands, or to prove to auditors that the company is compliant with the ISO/IEC 17799:2005 Code of practice for Information Security Management.
While most log analysis solutions can be used for alerting in real time, for instance when something suspicious happens or when a threshold is reached, I think log analysis is something fundamentally different from monitoring. Both have different goals.
Monitoring systems, like IDS systems or SNMP-based systems, are real-time systems. As soon as something happens, an alarm goes off.
Log systems are meant for analyzing events afterwards.
Log analysis solutions are part of SIEM (Security Information and Event Management) solutions. Roughly the market is split into two parts: software running on servers and hardware appliances. Net Report is an example of a software solution, Loglogic is an appliance. Snare Server can deliver both.
Usually log systems deal with large amounts of data (having gigabytes of logging per day is not unusual for a large environment). This means the solutions have to be designed for storage, bandwidth and fast searching in large amounts of data.
Reports
Log reports can be used to give a quick overview of events. Some examples are:
- The number of port scans a firewall experienced over a given period of time;
- Which stations performed more than 5 unsuccessful login attempts;
- The top 10 websites visited during work hours;
- The number of emails sent (internally and externally) during a typical business day;
- The account whose password is changed most often.
Based on these reports incident investigations can be started.
The reports are made from data in a database, which contains aggregated log data. Net Report has some examples of generated reports online; check the Report and Dashboard Samples.
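As an added example (not code from the original article or from any of the products named), the Python script below produces two of the reports listed above from a handful of constructed syslog-style lines: the sources with more than 5 failed login attempts, and the sources whose dropped connections touch several destination ports (the simplest port-scan indicator). The log formats, hostnames and addresses are assumptions for illustration, not taken from any particular system.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a syslog-like format (hypothetical hosts and
# addresses, not taken from any real system or from the article).
SAMPLE_LOG = """\
Aug 02 09:14:01 srv01 sshd[2211]: Failed password for root from 10.1.2.3 port 51022 ssh2
Aug 02 09:14:03 srv01 sshd[2211]: Failed password for root from 10.1.2.3 port 51023 ssh2
Aug 02 09:14:05 srv01 sshd[2211]: Failed password for admin from 10.1.2.3 port 51024 ssh2
Aug 02 09:14:08 srv01 sshd[2211]: Failed password for admin from 10.1.2.3 port 51025 ssh2
Aug 02 09:14:10 srv01 sshd[2211]: Failed password for oracle from 10.1.2.3 port 51026 ssh2
Aug 02 09:14:12 srv01 sshd[2211]: Failed password for oracle from 10.1.2.3 port 51027 ssh2
Aug 02 09:15:00 srv01 sshd[2212]: Failed password for jdoe from 192.168.5.20 port 40112 ssh2
Aug 02 09:15:04 srv01 sshd[2212]: Accepted password for jdoe from 192.168.5.20 port 40113 ssh2
Aug 02 09:20:31 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP DPT=22
Aug 02 09:20:31 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP DPT=23
Aug 02 09:20:31 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP DPT=80
"""

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
FW_DROP = re.compile(r"DROP .*SRC=(\S+) .*DPT=(\d+)")

def failed_logins_per_host(lines):
    """Count failed login attempts per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def hosts_over_threshold(lines, threshold=5):
    """Sources with more than `threshold` failed logins (the 'more than 5' report)."""
    return {h: n for h, n in failed_logins_per_host(lines).items() if n > threshold}

def probable_port_scans(lines, min_ports=3):
    """Distinct dropped destination ports per source; one source hitting many
    ports is the basic indicator behind the firewall port-scan report."""
    ports = defaultdict(set)
    for line in lines:
        m = FW_DROP.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(hosts_over_threshold(lines))  # {'10.1.2.3': 6}
    print(probable_port_scans(lines))   # {'203.0.113.9': 3}
```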
Investigating incidents
Because all logging of all systems is stored centrally, it is easy to get a complete view of all logged events for a certain moment in time.
Log solutions usually keep all raw logs on a large hard disk. Storing this data must be done in a way that gives enough assurance that the data is original and has not been altered. This way, the log data can be used for forensic investigations and as evidence in court.
Usually the data is encrypted and hashed or digitally signed, so that any later alteration can be detected.
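The integrity part of that requirement, as an added example that is not from the article or any product it names: each raw record gets an HMAC-SHA256 tag that also covers the previous record's tag, so editing, inserting or deleting a record breaks every later tag. The key and the sample records are constructed for illustration; a real store would keep the key (and the latest tag) on a separate host, since an attacker who can rewrite the disk and also read the key can simply recompute the chain.

```python
import hashlib
import hmac

# Hypothetical key, for illustration only. In practice it must live outside the
# log store (HSM or separate host), otherwise the chain can be recomputed.
STORE_KEY = b"example-key-for-illustration-only"

def chain_records(records, key=STORE_KEY):
    """Tag each raw record with HMAC(prev_tag || seq || raw). The sequence number
    is included so that a deleted or reordered record is detected as well."""
    prev = b"\x00" * 32
    chained = []
    for seq, raw in enumerate(records):
        msg = prev + seq.to_bytes(8, "big") + raw.encode()
        tag = hmac.new(key, msg, hashlib.sha256).digest()
        chained.append({"seq": seq, "raw": raw, "tag": tag.hex()})
        prev = tag
    return chained

def verify_chain(chained, key=STORE_KEY):
    """Return the index of the first record that fails, or None if the chain is intact.
    Note: silently truncating the tail is only caught if the last tag is stored elsewhere."""
    prev = b"\x00" * 32
    for expected_seq, rec in enumerate(chained):
        msg = prev + rec["seq"].to_bytes(8, "big") + rec["raw"].encode()
        tag = hmac.new(key, msg, hashlib.sha256).digest()
        ok_seq = rec["seq"] == expected_seq
        ok_tag = hmac.compare_digest(tag, bytes.fromhex(rec["tag"]))
        if not (ok_seq and ok_tag):
            return expected_seq
        prev = bytes.fromhex(rec["tag"])
    return None

# Constructed raw log records (not from any real system).
RECORDS = [
    "Aug 02 10:00:01 srv01 sshd[3001]: Accepted password for jdoe from 192.168.5.20",
    "Aug 02 10:00:05 srv01 sudo: jdoe : COMMAND=/bin/cat /etc/shadow",
    "Aug 02 10:00:09 srv01 sshd[3001]: session closed for user jdoe",
]

if __name__ == "__main__":
    chained = chain_records(RECORDS)
    print(verify_chain(chained))            # None: intact
    tampered = [dict(r) for r in chained]
    tampered[1]["raw"] = tampered[1]["raw"].replace("/etc/shadow", "/etc/motd")
    print(verify_chain(tampered))           # 1: first record that no longer verifies
    print(verify_chain([chained[0], chained[2]]))  # 1: record 1 was removed
```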