CSS 211 - Introduction to Network Security
Lesson 8: Chapter 13, Business Continuity
This lesson covers chapter 13 in the text. It discusses business continuity planning and activities. Objectives important to this lesson:
- Environmental controls
- Redundancy planning
- Disaster recovery procedures
- Incident response procedures
begins with some remarks that relate to business continuity, which
means that we keep running the business even though we have had a problem, a setback, or a disaster. We should consider the author's remarks about the effects of a business disruption that might be reduced by detailed planning and action based on such planning.
Some definitions from the text may be helpful in understanding the point of the chapter.
- business continuity - continuation of operations and services despite a disruptive event
- continuity of operation - same as business continuity
- risk assessment - analyzing risks, their effects, and what we can do to reduce the probability of their occurrence and of their effects
- planning and testing - identification of risks and threats, creating plans to deal with them, and conducting tests of those plans
- business impact analysis - identifying mission critical business functions to prioritize our continuity plans
- IT contingency plan - a plan to continue to provide services in case a particular incident disrupts normal service; a separate plan will be needed for each type of incident that can occur
- disaster recovery plan - restoring services provided by the enterprise to their standard state; this is not just about IT services
text discusses document format and content which will vary greatly from
one enterprise to another. It also discusses disaster exercises, which
will vary as well, but will be more similar across organizations. In
different organizations, several different kinds of plans are made,
called by different
names that relate to the circumstances of the event and the scope of
Impact Analysis - The green highlight on this bullet is to
show that this step should be done when times are good and we can
examine our systems performing normally.
Before you can plan for what to
do, you have to figure out what is normal for your business, what can
go wrong, and what can be done to minimize the impact of incidents and
problems/disasters (see the bullets below).
- What are the business's critical functions? Can we construct a prioritized list of them?
- What are the resources (IT and other types as well) that support those functions?
- What would be the effect of a successful attack on each resource?
- What controls should be put in place to minimize the effects of an incident or
disaster? (Controls are
proactive measures to prevent or minimize threat exposure.)
- Incident Response Planning -
The red highlight on this
bullet is to acknowledge that the plans made in this step are used when
there is an emergency for one or more users. (Shields up, red alert?
Why were the shields down?)
The text is consistent with the ITIL guidelines that call a single occurrence of a negative event an incident.
An incident response plan is a procedure that would
be followed when a single instance is called in, found, or detected.
For example, a user calls a help desk to report a failure of a monitor
that is under warranty. (Note that this is an example of an IT incident, not an IT security incident. What further details might make this part of a
security incident?) There should be a common plan to follow that will
repair or replace the monitor. Incident Response Plans (Procedures) may
be used on a daily basis.
- Business Continuity Planning -
The orange highlight is meant
to indicate that these plans are not concerned with "fighting the fire",
but with conducting business while the fire is being put out.
means keeping the business running, typically while the effects of a disaster are still being felt. If we have no power, we
run generators. If we cannot run generators (or our generators fail),
we go where there is power and we set up an alternate business site.
Or, if the scope of the event is small (one or two users out of many)
maybe we pursue incident management for those users and business
continuity is not a problem.
- Disaster Recovery Planning -
The yellow highlight here is
to indicate that the crisis should be over and we are cleaning up the
crime scene with these plans.
Determining that a disaster has even occurred requires that we judge
its scope. One person having a desk full of paper ruined by spilled
water is not a disaster. (For perspective, consider the legend about Isaac Newton,
who reportedly handled a worse circumstance with more grace.) A
disaster requires widespread effects that must be overcome. A disaster
might be most
easily understood if you think of a hurricane, consequent loss of
power, flooding that follows, and the rotting of the workplace along
with the ruined computers and associated equipment. A disaster
plan is what we do to restore the business to operational status after the disaster is over. There may be specific plans to follow for
disasters under the two bullets above, but the disaster recovery plan
is used after the crisis, unless this term is applied differently in your working environment. Multiple incidents can become a disaster, or
may lead us to realize that there is one, especially if there is no
plan to overcome them.
- By the way, in ITIL terms, a series of incidents may lead us to
discover what ITIL calls a problem,
something that is inherently wrong in a system that might affect all of its users. Some books
call this a disaster. The
organization you work for may use all three terms, or any two of them
to mean different scopes of
trouble. You need to know the vocabulary to use in the setting where
you work, and you need to call events by the names they use.
- Is there a condition for a blue
highlight? We might pretend there can be,
but it is unlikely that the IT Security staff would ever feel that safe
The text discusses redundancy and fault tolerance. Normally, we consider redundancy something that we should reduce in a computer system. For the purpose of business continuity, redundancy has virtues. If we only have one of anything that is critical to our business, we will have a hard time continuing to operate without it. This is what the text means by a system having a single point of failure. It is not the only place we can have a failure, but it puts us out of business if it fails.
The text presents a table of up times (time the system is running) expressed as a percentage of a year (Table 13-2), and as the equivalent time the system would be down if it were off line that often in a week or a month. This is interesting, but you should realize that system outages measured as annual amounts may be clustered around only a few events, not
spread evenly throughout each month, week, or day of the year. You
should be aware of the notation regarding the number of nines in each
example, since it is commonly used:
|Percentage of Uptime
that we are not really under an hour of downtime for the year until we
reach five nines, which is more reliability than the average customer
would think to ask for until they see a chart like this. Do you think
an hour isn't much? What if it happens all at once? What if your cable
system was out for an hour a year? How about your phone? How about the
911 service in your area? How about the power to a hospital or to an
air traffic control system? For some systems, failure is not an option.
To achieve a system with no failure rate, we must analyze the system, determine its mean time to recovery (MTTR), and find what we must do to reduce that number to zero. The obvious answer in many cases is to have redundant components that provide the same service. The text discusses adding redundancy in several areas.
- servers - servers can be installed in clusters, in which multiple devices provide the same services in case one or more go down
- asymmetric cluster - one server is designated as the standby (replacement) for another; the standby server does nothing unless the first server fails
- symmetric cluster - each server in the cluster provides services at all times; if one fails, its services are provided by the remaining servers
- storage - The text discusses RAID,
which has been defined several ways. Eventually, all hard drives fail,
and RAID allows a system to continue in most cases. One common meaning
is Redundant Array of Independent Drives. The word
"independent" seems unnecessary, and is in fact misleading. Hard drives
set up in a RAID array perform functions that relate to each other.
Several kinds of RAID exist to provide for redundant storage of data or
to provide for a means to recover lost data. The text discusses four
types. Follow the link below to a nice summary of RAID level features
not listed in these notes, as well as helpful animations to show how
they work. Note that RAID 0 does not provide fault tolerance, the ability to survive a device failure. It only improves read-write speed.
RAID levels and features:
- RAID 0: Disk striping - writes to multiple disks, does not provide fault tolerance.
Performance is increased, because each successive block of data in a stream is
written to the next device in the array. Failure of one device will
affect all data. This will provide a performance enhancement by striping
data across multiple disks. This will not improve fault tolerance, it
will in fact decrease fault tolerance.
- RAID 1: Mirroring and Duplexing - provides fault tolerance by writing the same data to two drives. Two mirrored drives use the same controller
card. Two duplexed
drives each have their own controller card. Aside from that difference,
mirroring and duplexing are the same: Two drives are set up so that
each is a copy of the other. If one fails, the other is available.
- RAID 5: Parity saved separately from data - Provides fault tolerance by a different method. Data is striped across several drives, but parity data for each stripe is
saved on a drive that does not hold data for that stripe. Workstations
cannot use this method. It is only supported by server operating systems.
- RAID 0+1: Striping and Mirroring - uses a striped array like RAID 0, but mirrors the striped array onto another array, kind of like RAID 1
- The text mentions that some entities neeed redundant connections to
and through networks. It does not give specific details about this
- power - Power can be supplied to a computer system through an Uninterruptible Power Supply (UPS) that is essentially a smart battery that kicks in when the main power is lost. The text describes two kinds of UPS:
- off-line (also called standby) - keeps a charge on a battery
which it uses to supply power in case of a total loss
- on-line (also called inline) - also has a battery, but it constantly provides power from it, while continuously charging it from the standard electrical power
The off-line (standby)
model has a short lag time in the event of a power loss before the battery
circuit starts working. The on-line (inline) model does not
have this lag time. A typical UPS works with software that detects a
power loss and alerts administrators when it occurs. Depending on the
capacity of the UPS and the load placed on it, it may allow operation
for hours, for minutes, or only long enough to perform a shut down of
the system it is protecting.
Backup generators are typical in large installations, such as data centers that support a large population or enterprise.
- In the case of a disaster that makes a wwork site unusable, such as a
fire or flood, it becomes necessary to have a plan for alternate means
of continuing business. The text lists three types of off site
operation plans, and a more recent addition regarding "the cloud":
- cold site - a basic site with
office space, but without computers or other devices that you would
have to supply, without established connectivity, without a data copy
unless you can supply it
- warm site -
has office space, hardware, and may have connectivity; may have a
recent backup of your data, but it will have to be loaded on computers
that may also have to be configured
site - a functional duplicate of the site that has gone down, including
office space, computers, connectivity to the Internet, telephone
service, and the capacity to either load a backup of your data that is
stored there, or to use a copy of your data that is already in place
site - use cloud storage or cloud computing in conjunction with your
site strategy; this may mean that you restore from cloud storage, or
that you use virtual cloud computing, or both
definitions of hot, warm, and cold sites vary between sources, but the
basic idea is always the same. The three types of sites provide
different levels of service and different time frames in which you
would be ready to resume business. Obviously, the hot site is best but it requires the most money and effort to maintain. The cold site is cheapest, but it has additional costs that will be added as soon as you need to use it.
Having introduced the idea of backups, the text discusses three common methods used to create them. First some terms:
- Target - the device, volume, folder, or group of files being backed up
- Archive bit - a bit in a file that is turned ON when the file is changed; it is used to flag files that have changed since the last backup: most backup programs look for files
whose archive bits are set to ON, copy those files, then reset the archive bits (turn them OFF)
on the target files
- Full - a backup of all files in the target; sets the
archive bit of each file to OFF once the backup is made
- Incremental - a backup of target files that are new or changed since the last backup; depends on the fact
that programs that change files typically set the archive bit to ON when a change is made; sets archive bit to OFF for all files it copies
- Differential - a backup of all files new or changed since the last Full backup; copies all files whose archive bit
is set to ON; does not change the archive bit of files it copies
because they will be copied again in the next differential backup
- Copy - like a Full backup, but it does not change the archive
bits of files it copies. This is typically not part of a standard backup
strategy, but an option to work around the system.
This needs more explanation. Assume we use a tape drive (more on other options in a minute) to make backups.
In a Full backup strategy, the entire target is backed up to tape
every time we make a backup tape. This strategy consumes the most time and the most tapes to carry out a backup. To restore, we
simply restore the most recent tape(s). This is the least time consuming strategy for restoring, but the most time consuming for creating backups.
The second method, Incremental backup, means that we start with
a Full backup of the target, and then each successive backup tape
we create only backs up the elements that are new or changed since the last backup was created. This means that successive backups will
not always be the same length. Therefore, this is the least time consuming
backup, but the most time consuming restore. To restore,
we must first restore the last Full backup made, and then restore EVERY tape made since then, to ensure getting all changes.
The third strategy, Differential backup, also starts with a Full backup tape. Then each successive tape made will contain all the files
changed since the last Full backup was made. This means that we
will have to restore only one or two tapes in a restore operation.
If the last tape made was a Full tape, we restore only that one. If the
last tape made was a Differential tape, we restore the last Full tape,
then the last Differential tape.
The fourth strategy, Copy, is not mentioned in
this text, but it is no different from Full in terms of backup or
restore time. In both Incremental and Differential backup strategies,
you will typically use a rotation schedule. For example, you could have a one week
cycle. Once a week, you make a Full backup, then every day after that
you make the other kind you have chosen to use: Incremental or Differential.
To keep them straight in your mind, remember these facts:
||What does it back up?
||What does it do to the archive bit?
||Resets all archive
bits in the target set.
||everything different from the
||Resets the archive bits of the target files it copies.
||copies everything "different from Full"
(Different from the last Full backup.)
| Does not reset any archive bits.
||makes a Full backup
||Does not reset any archive
The time required to create backups should be considered
along with the time to restore a backup. When you consider the
two concepts as two sides of the answer to a question (What method should
I use?), the answer may be the most common choice: Differential.
It is the best compromise in terms of backup time versus restore time.
Note also, that all standard methods require a full backup on a
regular cycle. The recommendation is usually to run a Full backup
discussion above assumes that your backups are being written to tape,
which has been the most common method for many years. The text
discusses three other methods, each requiring different hardware.
- Disk to disk - Copying
to other drives is faster, but only if connected by a fast channel,
such as being in the same computer. This leads to a problem of removing
the copy from the same location as the original. Copying to a disk in
another data center is possible, and fast if they are connected by
fiber, but costly in terms of setup.
- Disk to disk to tape - Copying to another disk, then backing up that disk to removable storage reduces the time that your live server disk needs to be offline.
- Continuous data protection - Copies all data to a backup device in real time, possibly by using disk mirroring.
The text moves on with some observations about fire protection, electrical shielding, and problems concerning Heating, Ventilation, and Air Conditioning (HVAC).
The first threat considered is
fire. Some statistics are given and the author presents a list of four
elements that must be present for a fire to exist. His fourth element
is the fire itself, so it does not belong on the list. The other three
are those we discussed in class earlier in the term.
For a fire to exist, three factors are needed:
If you can eliminate any one of these factors, the fire will go out. This is why Carbon Dioxide extinguishers work: the CO2 replaces the oxygen in the immediate vicinity of a fire, and the fire stops. Smothering a campfire works about the same way.
A fire break is an example of fighting a fire by depriving it of fuel.
Forest fires can be fought this way. Somewhat similarly, I once walked
into a rest room in an office and found that someone had placed a roll
of toilet paper on top of the light fixture over the sink. I noticed it
because it was on fire. I grabbed the roll of paper and tossed it into
the sink. This established a fire break between the fire and the rest
of the building. I then put out the fire on the roll of paper with
water (depriving it of oxygen).
Keeping your computer system cool, so that a fire will not ignite, is your most effective form of firefighting: don't let it start.
Fire Extinguishers - American fire extinguishers are classed by the kind of fire they are able to
put out. The links below will take you to sites with more information
about fire classes and extinguishers. In surveying several sites, I
found that there are currently at least four classes of fires,
and that the symbols for them have been updated to use pictures instead of letters. Some sites list a Class K for cooking oils (Kitchen
fires), but this does not seem to be universal. The chart below
contains American symbols:
The table below is from a Wikipedia article on fire classes. It shows that the same kind of fire is called by a
different name in different places:
Comparison of fire classes
||Cooking oil or fat
In most cases, a multiclass extinguisher is preferred. On
extinguishers I examined at my workplace, multiple picture symbols were
used, showing the pictures for classes A, B, and C.
The text discusses some fire extinguishing systems. Common types are sprinkler systems, foam systems, and gas
- Sprinklers typically spray streams of water or water mist. The test in the video behind this link seems to point out a limitation of automatic mist.
dispersant systems used to use Halon,
can, but they are restricted to existing Halon supplies. Carbon dioxide
is an alternative, but both solutions tend to be dangerous to
air-breathing life forms in the immediate area.
- Another system uses foam as a suppressant, and the
this system seem to be enjoying it greatly.
- The text also mentions dry chemical systems which spray a fine powder over the fire. This is similar to using baking soda to fight a small kitchen fire.
The text discusses the fact that all kinds of electrical equipment
radiate electrons to one degree or another. In this section it is
important to know a few facts.
- Faraday cage - a metal enclosure that prohibits an
electromagnetic field from crossing it; a metal PC case is a Faraday
cage that keeps emissions from leaving the immediate area; A Faraday
Cage is named for Michael
- TEMPEST - a standard developed by the NSA, TEMPEST
may not actually be an acronym, it is a set of standards to reduce and
shield emissions with the purpose of reducing the risk of eavesdropping.
The text discusses some ideas about heating, ventilation, and air
conditioning, which include some concerns about humidity. Why do we
care about humidity? Higher humidity (50% or higher) inhibits ESD (Electrostatic Discharge).
Static electricity - ESD, or Electrostatic Discharge, can be a serious cause of problems. Some numbers from a previous text may help you understand the situation:
- A human can't feel a static discharge unless it is 3,000 volts or more.
- Normal motion, like moving a chair or a foot can generate 1,000 volts.
- Simply walking across a carpeted area can generate 1,500 to 35,000 volts.
- Handling a plastic envelope can generate 600 to 7,000 volts.
- Picking up a plastic bag can generate 1,200 to 20,000 volts.
- Damage can be done to computer parts with 20 to 30 volts.
The damage from low voltage may not cause immediate failure so you
may never know the cause of the failure that eventually happens.
Incident Response Procedures
An incident can be an event of any sort, but some texts, ours included, call an incident an event caused by an attack. The remainder of the chapter concerns the actions that should be taken when an incident has been detected.
A forensic investigation is typically one that concerns a crime. This section is about computer
forensics, investigations into crimes that involve computers and other
information system equipment. The text discusses four aspects of an
- secure the scene
- The team mentioned in the text may be caalled an Incident Response
Team or a Forensics Response Team, or another title that means the same
thing. They are responsible for taking possession of devices that might
hold any data that might contain evidence of the crime being
investigated. In addition, they should photograph the scene, document
their observations, and record interviews with witnesses.
- preserve and collect the evidence
- This aspect is closely related to the fiirst, in that the response
team may have to take images of data in RAM that would be lost if not
recorded before the power is turned off. Note the Order of Volatility (Table 13-9), which indicates the order in which to capture data from a running system:
- Register, cache, and peripheral memory first
- Random Access Memory (RAM) second
- Network state third
- Running processes fourth
- establish (and maintain) the chain of custody
- There must be a continuous documentationn of who has had access to
seized devices and data, who has done what with it, and who it is
turned over to at each change in custody.
- examine for legal evidence
- Although the other discussions have usedd the word "evidence" several
times, this one brings up the point that not everything you find is
actually legal evidence. Only things that indicate or prove a crime was
committed can be considered as evidence that will be presented in court.
The text elaborates on memory and storage locations that should be examined for meaningful data. What you can expect to find there may surprise you:
- Windows page file - This is a hidden
file, typically on the boot drive, that Windows uses to store "memory
pages" that it thinks you are not using presently, like memory devoted
to an application that is minimized. The file is probably in the root
of the drive, and is probably called pagefile.sys.
You should expect to see pieces of anything that the computer was used
to work on, especially if it was minimized while the user worked on
- RAM slack - This will take a minute. When Windows saves files, it saves to sectors (track sectors) on a drive. Sectors are logically arranged in clusters,
which are the smallest storage area a file system can use. The number
of sectors in a cluster varies by the way a drive was formatted. When a
file is saved, it will take a certain number of clusters to hold it,
but the file itself may not actually fill the last sector used in the
last cluster used to store it. When this happens, older versions of Windows (before NT) did something you may never have heard about. They filled the last sector used for the file with data pulled randomly from RAM. This data is called RAM slack, a copy of a piece of RAM that has been stored in the slack space
at the end of a sector. Why did it do this? Windows just worked that
way: it had to fill the rest of the sector. You never knew what you'd
find in it. Since NT, the RAM slack space has been filled with zeros,
so this is less of a problem as time goes by, except for stand-alone,
legacy systems that use older versions of Windows.
In the simplified illustration below a file has been saved to two
four-sector clusters, but only fills six and a half sectors. The
cluster marked in cyan is full: all four sectors have been used by the file. The second cluster is not full. The second half of the seventh sector (item F) is filled with RAM slack. The eighth sector has not been used at all, but we will cover that in a minute.
Note: for many years, a track sector has held a standard 512 bytes regardless of what device it was on. As of January 2011, this was no longer true. A device using Advanced Format on a system that understands it may use sectors that hold 4096 (4K) bytes.
This leads to lots more room in a RAM slack situation. If a computer
using such a device is running an older OS, the 512 byte limit for
sectors still applies.
- Drive slack - So, if the cluster holds a specific number of sectors, what if the file only used some
of those sectors when it was saved? Does Windows fill the rest of those
sectors, too? No, but something else interesting happens. If anything
was ever written to those sectors before, it remains there undisturbed until there is a need to write to them. This means that some sectors at the end of a cluster may hold old data that the user thought was deleted. The data held in those sectors is called Drive slack. You never know what might be in it.
In the illustration below, the last sector of the second cluster (item G) is Drive slack. The new file has not overwritten whatever was in that sector already.