Disaster Planning

Part of 22C:169, Computer Security Notes
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Disaster

Suppose your security system fails and an attacker gets through. Suppose a tornado destroys your file server. Suppose you spill coffee on your laptop computer and your disk drive is unable to handle the caffene rush. No system of firewalls, capability based access control mechanisms, and access control policy can deal with these. In these cases, the protection mechanisms you have in place have failed. This changes the question from how do we prevent an attack to how do we recover.

It is impossible to prevent disaster. Hurricane Katrina flooded many computer centers in New Orleans. There were many corporate and government computer centers in and near the World Trade Center that were destroyed or shut down by the attack of September 11. Many congressional computer systems were shut down when anthrax-laced letters were delivered to various Senate offices, forcing evacuation of one of the Senate office buildings.

Continuity Planning

Continuity planning involves putting measures in place before a disaster in order to assure that essential services will continue to be available after the disaster. Continuity planning is difficult because you cannot determine what the disaster will be, but it is simplified by the fact that measures put in place to help survive one type of disaster will frequently have value if other disasters occur.

The big problem: Upper management is frequently not interested in investing in continuity planning! Continuity planning is inconvenient and can cost money, while uppor management tends to focus on achieving business goals and sometimes is psychologically unprepared to contemplate potential negatives.

Sometimes, nothing happens until management is scared. The widespread fear of the Y2K glitch forced many organizations to put business continuity plans in place. The attacks of September 11, 2001 forced other organizations to confront these issues.

But there is a problem. If continuity planning is good enough, upper management may never notice the disaster! They may take the survival of their organization for granted, failing to notice that survival was only possible because of the investment made earlier on continuity planning.

A good continuity plan requires input from all of the stakeholders.

Hardware support
System administrators
System programmers
Application programmers
Data entry personnel
Physical security personnel
"The users"

Typical elements of a continuity plan include:

Needs assessment: You must know what you rely on, and you must know, for each thing you rely on, how central or essential it is to your operation.
Vulnerability assessment: You must assess how vulnerable each of your needs is -- that is, how likely is each to be interrupted or shut down by disaster.
Option assessment: You must assess what your options are. What alternatives exist in the face of each potential failure.
Alternate suppliers of essential services, in the event that disaster strikes a supplier. This includes backup suppliers for services normally obtained in-house, such as from a corprate server.
Access to key information and databases despite destruction of the primary storage media.
A chain of command. Who takes charge, what do they do, and what resources do they work with?

An Example -- Anthras in the US Senate

On October 16, 2001, someone mailed letters laced with anthrax to several US senators, leading to the forced evacuation of one of the Senate office buildings. This building included the office of the Secretary of the Senate.

The Secretary of the Senate office was responsible for the Senate payroll and for many of the day-to-day aspects of senate operation. A shutdown of the office of Secretary of the Senate would have shut down the Senate in a very short time, with no paychecks to senate staff.

The Y2K scare drove the Secretary of the Senate office to plan for disaster. The threat was that some essential part of their computer system would fail because of the date rollover from 1999 to 2000, but their plan was fairly general.

Key elements of the plan included go packs maintained in the office. A go pack is a package, maintained near the entrance to an office or home, that contains all or most of the essentials for disaster recovery. The idea is that, in the event of an evacuation, a designated person grabs the go pack on the way out the door. The go pack should contain, for each critical computer system, the most recent backup.

They also agreed with the office of the Sergent at Arms to serve as a backup site for that office, and for that office to serve as a backup site for the Secretary of the Senate. Therefore, they planned their computer systems to be compatible. It is important that the Sergent at Arms office was in a different building!

After evacuation and decontamination, the Secretary of the Senate office was set up on tables in the hallway outside the Sergent at Arms office. Within a short time, they had installed their backup files on the computer systems there, and they were able to meet all essential deadlines in order to keep the Senate running, despite being locked out of their offices.

References

Congressional Continuity of Operations.