The importance of a solid, secure backup and recovery strategy cannot be understated, particularly when it comes to an attack on your network from one of your own employees.
This chapter excerpt from The CERT® Guide to Insider Threats examines the issue from all sides, first looking at what your backup and recovery strategy should include as well as what happens if you aren’t adequately prepared for an insider attack. Read the excerpt below, and then download the entire chapter to learn how a sound backup and recovery strategy is one of the best practices to protect against insider threats.
Implement secure backup and recovery processes
Despite all of the precautions you take, it is still possible that an insider will successfully attack. Therefore, it is important that you prepare for that possibility and enhance your resiliency by implementing secure backup and recovery processes that are tested periodically.
What can you do?
Prevention of insider attacks is the first line of defense. However, experience has taught us that there will always be avenues for determined insiders to successfully compromise a system. Effective backup and recovery processes need to be in place and operational so that if compromises do occur business operations can be sustained with minimal interruption. Our research has shown that effective backup and recovery mechanisms affected the outcomes in actual cases, and can mean the difference between:
- Several hours of downtime to restore systems from backups
- Weeks of manual data entry when current backups are not available
- Months or years to reconstruct information for which no backup copies existed
Backup and recovery strategies should consider the following:
- Controlled access to the facility where the backups are stored
- Controlled access to the physical media (e.g., no one individual should have access to both online data and the physical backup media)
- Separation of duties and the two-person rule when changes are made to the backup process
In addition, accountability and full disclosure should be legally and contractually required of any third-party vendors responsible for providing backup services, including off-site storage of backup media. It should be clearly stated in service level agreements the required recovery period, who has access to physical media while it is being transported off-site, as well as who has access to the media in storage. Furthermore, case examples throughout this book have demonstrated the threat presented by employees of trusted partners; the mitigation strategies presented for those threats should also be applied to backup service providers.
Learn more about secure backup and recovery strategies
Formulate a remote office data backup and recovery plan
Data backup security strategies: A tutorial on cloud security, encryption and data destruction
Pet supplies firm tapes Axxana Phoenix for disaster backup, recovery
When possible, multiple copies of backups should exist, with redundant copies stored off-site in a secure facility. Different people should be responsible for the safekeeping of each copy so that it would require the cooperation of multiple individuals to fully compromise the means to recovery. An additional level of protection for the backups can include encryption, particularly when the redundant copies are managed by a third-party vendor at the off-site secure facility. Encryption provides an additional level of protection, but it does come with additional risk. The two-person rule should always be followed when managing the encryption keys so that you are always in control of the decryption process in the event the employees responsible for backing up your information leave your organization.
You should ensure that the physical media on which backups are stored are also protected from insider corruption or destruction. Insider cases in our research have involved attackers who did the following:
- Deleted backups
- Stole backup media (including off-site backups in one case)
- Performed actions that could not be undone due to faulty backup systems
Some system administrators neglected to perform backups in the first place, while others sabotaged established backup mechanisms. Such actions can amplify the negative impact of an attack on an organization by eliminating the only means of recovery. To guard against insider attack, you should:
- Perform and periodically test backups
- Protect media and content from modification, theft, or destruction
- Apply separation of duties and configuration-management procedures to backup systems just as you do for other system modifications
- Apply the two-person rule for protecting the backup process and physical media so that one person cannot take action without the knowledge and approval of another employee
Make sure you account for pockets of development systems, or production systems that are maintained independently instead of being managed as part of your IT enterprise. These systems can be just as critical to you as your enterprise systems are, and they are not necessarily managed using the same rigor as your centrally maintained IT systems.
Unfortunately, some attacks against networks could interfere with common methods of communication, thereby increasing uncertainty and disruption in organizational activities, including recovery from the attack. This is especially true of insider attacks, since insiders are quite familiar with your communication methods and, during an attack, may interfere with communications essential to your data-recovery process. You can mitigate this effect by maintaining trusted communication paths outside of the network with sufficient capacity to ensure critical operations in the event of a network outage. This kind of protection would have two benefits: The cost of strikes against the network would be mitigated, and insiders would be less likely to strike against connectivity because of the reduced impact.
Case studies: What could happen if I don’t do it?
An organization was responsible for running the 911 phone-number-to-address lookup system for emergency services. An insider deleted the entire database and software from three servers in the organization’s network operations center (NOC) by gaining physical access using a contractor’s badge. The NOC, which was left unattended, was solely protected via physical security; all machines in the room were left logged in with system administrator access. Although the NOC system administrators were immediately notified of the system failure via an automatic paging system, there were no automated failover mechanisms. The organization’s recovery plan relied solely on backup tapes, which were also stored in the NOC. Unfortunately, the insider, realizing that the systems could be easily recovered, took all of the backup tapes with him when he left the facility. In addition, the same contractor’s badge was authorized for access to the off-site backup storage facility, from which he next stole more than 50 off-site backup tapes.
This case illustrates the risk of storing your backups in the same physical location as your critical systems. In addition, there was no layered defense to protect the backups—they were accessible by anyone who had physical access to the NOC. As a result, this very critical system and its backups were totally vulnerable to an insider IT sabotage attack.
An insider was terminated because of his employer’s reorganization. The company followed proper procedure by escorting him to his office to collect his belongings and then out of the building. The IT staff also followed the company’s security policy by disabling the insider’s remote access and changing passwords. However, they overlooked one password that was known to three people in the organization. The terminated insider used that account to gain access to the system the night of his termination and to delete the programs he had created while working there. Some of these programs supported the company’s critical applications. Restoration of the deleted files from backup failed. Although the insider had been responsible for backups, company personnel believe that the backups were not maliciously corrupted. The backups had simply not been tested to ensure that they were properly recording the critical data. As a result, the organization’s operations in North and South America were shut down for two days, resulting in more than $80,000 in losses.
This case illustrates the delay that can be caused in recovery following an insider attack if backups are not tested periodically.
About the authors: Dawn M. Cappelli, CISSP, is Technical Manager of the Insider Threat Center and CERT's Enterprise Threat and Vulnerability Management team at Carnegie Mellon's Software Engineering Institute (SEI). She is adjunct professor at Heinz College of Public Policy and Management, and Vice-Chair of CERT's Computer Security Incident Handler Certification Advisory Board. Andrew P. Moore, Sr. Member of Technical Staff at CERT, researched high assurance system development for Naval Research Laboratory. Randall F. Trzeciak, Sr. Member of Technical Staff for SEI's Networked Systems Survivability (NSS) program, serves on a CERT team studying insider threats with the US Secret Service, DOD, and CMU's CyLab.
This was first published in March 2012