Sunday, March 13, 2011

Recipe for disaster

Disaster recovery is one of the most important aspects of a security officer’s work. It even has its own domain in the ISC2 CBK (Business Continuity and Disaster Recovery Planning). With recent disasters like the 8.9 magnitude earthquake in Japan, other aspects of disaster recovery come to mind.

The information security officer has plenty of tools for disaster recovery at his disposal: backups, hot/cold sites and off-site storage are some of them. With sufficient budget and training, a company can live through a disaster and resume work very rapidly, and this was demonstrated well during the September 11 events in New York City.

The other aspect of this is that while the operations and security teams are busy trying to reestablish the company’s operations and IT, most companies forget that the disaster site, although dysfunctional, typically still holds all of the company’s assets. In the case of the World Trade Center towers, everything was buried in tons of dust and rubble, but other disasters may leave sensitive equipment or data exposed. A building that has been overrun by water may be unusable, and the computers in it may be completely destroyed, but their hard drives may be intact. Backup tapes or optical media are also likely to withstand such an event, especially if they are inside a fireproof vault. This could be a golden opportunity for infiltrators to come in and grab something.
Naturally, it may be hard or dangerous to try this sort of stunt, but the kind of financial gain someone can make has been known to drive certain people to take risks. You and I probably won’t, but it takes only one crazy bastard to compromise a lot of secure information.

In addition to the above, even companies that have nothing to do with the disaster, and haven’t been harmed at all (or only very little), are at risk, because in any large-scale disaster the entire country can plunge into chaos. In Japan, many companies have not been harmed, but have been completely deserted, as the employees left to attend to their families and loved ones. This is perfectly understandable, but the result is low-hanging fruit for any cracker. The police are typically concerned with the street-level looting going on, but we in information security need to think about data looting too.

Naturally, the physical security domain in the CBK deals with protecting the workplace from physical harm, though it usually deals mostly with day-to-day threats like burglary, fire and flood. When something as large as an earthquake or missile bombing comes into play, many of these measures will collapse. With proper planning, at least some of this can be mitigated. For example, your sensitive servers may be properly locked away in a server room, but that room may not be secure enough to withstand someone ramming it with a truck. Using secure cabinets instead of the simple glass-door ones may provide an additional level of security. Using hard-disk encryption on servers and storage arrays, even though slow, can protect your data in case all hell breaks loose. You can’t physically secure all desktops, but using thin clients (or terminal services) for some or all employees can provide additional protection.

In addition to these, you should encourage your employees to refrain from storing sensitive data in the offices. This means avoiding the printing of sensitive information, and making sure printouts are shredded in-house. Sensitive documents like employee or customer lists should be stored in a secure room or vault. Backup tapes and other media should be stored in a vault. When using such a vault, remember it still needs to be secure, so don’t leave it unlocked or the key too easy to find (many companies open the vault in the morning and leave it open throughout the workday… ah…).

And lastly, when creating your disaster plan master policy, make sure to assign guards to the destroyed facility. You may find, in reality, that all your guards have disappeared, but if you prepare well enough, even a single guard will be more effective than none…