Whether you’re a small business with 300 Word documents and a terabyte of your receptionist’s MP3s, or a global internet security firm serving Fortune 500 companies, you need to have backups.
Backups must never be stored on the same medium as your primary data. Backups must be stored in more than one place. Backups should ideally be kept on more than one medium. Backups should ideally collect everything on every machine and device in your network including the configurations of network switches, routers and SANs.
Sometimes, due to the sheer number of PCs on a network, it is cost prohibitive to back up entire PCs. In this situation compromises need to be made, perhaps only backing up core operating system files. There are quite a few backup platforms which can store identical operating system binaries very efficiently (deduplication); I would strongly urge you to investigate them if you are in this position.
If you have network-based backups and are storing them onto network-attached storage, make sure you’ve got more than one storage subsystem and that you can take one of them offline in the event of a compromise until the investigation is complete. Backup data is an invaluable source of forensic information for both you and the police in the event of a compromise, so guard it with your life!
Test your backups regularly. Know how long it takes to restore 1Tb of data. Know how many Tb of critical data there is on your network. Do you have a plan for restoring onto different hardware in the event of your hardware failing or being seized by police?
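Restore drills are easier to make routine when the check is scripted. The following is an added example, not code from the original article: it builds a SHA-256 manifest of the primary data at backup time, verifies a restored tree against that manifest (reporting missing, corrupt and unexpected files), and extrapolates a measured restore rate to 1 TB. The file names and contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Hash the restored tree and report files that are missing, corrupt or unexpected.
    'seconds' is only the verification time; time the real restore job separately."""
    start = time.perf_counter()
    found = build_manifest(restored)
    missing = sorted(set(manifest) - set(found))
    extra = sorted(set(found) - set(manifest))
    corrupt = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    checked = sum((restored / p).stat().st_size for p in found)
    return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt,
            "extra": extra, "bytes": checked, "seconds": time.perf_counter() - start}

def project_restore_hours(bytes_restored: int, seconds: float, target_bytes: int = 10**12) -> float:
    """Extrapolate a measured restore rate (bytes in seconds) to a larger data set, default 1 TB."""
    if bytes_restored <= 0 or seconds <= 0:
        raise ValueError("need a positive byte count and elapsed time")
    return target_bytes / (bytes_restored / seconds) / 3600

def drill() -> tuple:
    """Run the drill on a constructed tree: a clean restore, then one with a dropped
    switch config and a silently altered document. Returns (clean_result, bad_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "primary"), Path(tmp, "restored")
        (src / "configs").mkdir(parents=True)
        (src / "configs" / "switch01.cfg").write_text("hostname switch01\n")  # constructed sample
        (src / "notes.txt").write_text("quarterly report\n")                   # constructed sample
        manifest = build_manifest(src)          # taken at backup time, stored with the backup
        shutil.copytree(src, dst)               # stands in for the real restore job
        clean = verify_restore(manifest, dst)
        (dst / "notes.txt").write_text("quarterly repor\n")  # simulate silent corruption
        (dst / "configs" / "switch01.cfg").unlink()          # simulate a file not restored
        return clean, verify_restore(manifest, dst)

if __name__ == "__main__":
    clean, bad = drill()
    print("clean restore ok:", clean["ok"], "| bad restore missing:", bad["missing"], "corrupt:", bad["corrupt"])
```

Keep the manifest with the backup copy that lives off the primary medium, so a tampered or truncated restore is caught against a record the compromised system could not rewrite.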
Remember – Practice makes perfect. You need to drill this stuff frequently and know what your options are when your primary course of action fails.
I am a telco & internet entrepreneur, nerd wrangler and massive lover of bacon. I was involved in the investigation of and successful conviction of David Noel Cecil – “Evil, The NBN Hacker”.
This article is written from the experiences I had before, during and since the successful execution of Operation Damara. My experiences are from a telco perspective; however, they are just as applicable to corporate and government networks.
I currently work with several Australian telcos and IT businesses, developing Incident Response Plans and helping them ensure the ongoing continuity of their mission-critical infrastructure.
If your organisation doesn’t have a strategy for dealing with internet security incidents, I would love to help you out!
Shoot me an email – email@example.com or grab me on Social Media for more information.