Monday, December 31, 2012

Phone Data Back up anyone


This weekend I learned a lesson about working on my phone that I’m not likely to forget. My screen broke. The folks at Verizon swear I dropped it. But I know that unless someone came into my house while I was sleeping and swiped my phone off my night stand, dropped it on a concrete floor and put it back… it wasn’t dropped. But that’s irrelevant. I had no phone!

Wednesday, September 19, 2012

Sophos on a Rollercoaster




It appears that Sophos pushed out an update that has caused it to see software updaters (including its own) as malware infections.  This could be a wild ride – as thousands of computers world-wide are popping up warnings that they are infected and sending users into a panic. Network administrators are busy answering phones and trying to calm down users, while not able to get a line IN to Sophos, as all their lines are swamped.


Tuesday, September 11, 2012

Eleven Years Later - 9/11/01


I began my journey into the IT world in 1999. From the beginning I had my sights set on Information Security. In 2000 I was working for an IT services company and found myself encouraging my employer and our customers to consider information security and business continuity initiatives.

Monday, September 10, 2012

The Case For Putting Eggs in Multiple Baskets




Today hundreds of small businesses experienced web site outages. Go Daddy, the most popular domain registrar/web hosting company, saw its DNS servers attacked after 10AM Pacific time. The alleged attacker claimed to be working alone, to have taken down the entire Go Daddy DNS array, and to have wanted to test its cyber security. DNS servers are what translate the name of a web site (such as www.godaddy.com) into the numerical address assigned to it.

Monday, August 13, 2012

You’ve Been Hacked?




Yes, it can happen. It’s almost inevitable. So what can you do to prepare for the discovery that your systems have been successfully compromised? What plans should you have in place for communicating with law enforcement? Do you collect financial information from your customers? If you do, you must have a plan in place for notifying them of a breach.

Tuesday, June 5, 2012

What The Heck is That?

So you decided to do an internet search on Business Continuity – and the sites you came across spoke a language you’ve never heard! As in any industry, the BC/DR community has its own jargon. Here’s a breakdown of a few terms used in the early planning stages.

Business Impact Analysis (BIA) is a term that is tossed around a whole bunch in reference to business continuity planning. The BIA is generally done at the beginning of the planning process and the plan is based around its information.  During the information gathering phase of the planning process, the Business Impact Analysis determines the processes, resources and assets that are necessary to the health of the business, how they depend on each other, and the criticality of each.

Recovery Time Objective (RTO) is determined for each process – how soon do we need this process up and running, and how soon do we need it at full capacity after an incident. In some cases, the RTO can be a staged process that might include temporary workarounds until all of the resources needed for the full process are restored. Perhaps your organization has a sales process that utilizes a rather large database. The database has an ordering system built into it so sales personnel can track what a customer purchases, how often the purchases are made, the quantities, and other information that assists them in the sales process. The IT department needs to know from the sales department how quickly their database needs to be back up if the servers hosting the database go down – and the sales department needs to know from the IT department how quickly it can be done. The gap between the two times then requires a plan to provide minimum service to the customers while the database is being brought back to full capacity.

Recovery Point Objective (RPO) is determined for data – how much data can we afford to lose? Is it one hour – or one week? The determination depends on how quickly your organization can rebuild the data that is lost. If you have a process that only gathers data once a week, then it will have a longer RPO than a process that has thousands of lines of data entered every day. For example – though your payroll process is important to getting the employees paid, it might only need to be run twice a month, and doesn’t change often in between. However, your sales staff communicates with 200 customers in a day, and places orders. The reconstruction of the sales database would require calling all of those customers in order to get their orders back. So losing a day’s data would set the sales department back a lot more than it would the payroll department, depending on when the failure occurred. Backups for the sales data would need to be done daily or more often, whereas backups for payroll would only have to be done as new data was entered.

An Incident is any unplanned interruption that has the potential to affect any business process. This can include anything from a major disaster to just a failed backup. Even though the backup might not be needed at that precise moment, there is still the possibility that it could affect a process.

These definitions will help sort out some of the information found on the web, and perhaps in the event you decide to hire a consultant, help you to begin to understand their explanation of their services.
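The RTO gap and the RPO exposure described above, worked through for the sales and payroll processes as an added example (not part of the original post). The hour and day values, the backup log and the failure time are constructed for illustration; the failed sales backup shows how an incident that needed no restore at the time still widens the data-loss window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Process:
    name: str
    rto_needed: timedelta      # how soon the business says the process must be back
    rto_achievable: timedelta  # how soon IT says it can restore it
    rpo: timedelta             # how much data the business can afford to lose


@dataclass
class BackupRun:
    process: str
    finished: datetime
    ok: bool                   # a failed run is an incident even if no restore is needed yet


def rto_gap(p):
    """Time that must be covered by a temporary workaround (zero if IT is fast enough)."""
    return max(p.rto_achievable - p.rto_needed, timedelta(0))


def data_at_risk(p, runs, failure_time):
    """Data-loss window if the process fails at failure_time.

    Only successful backups that finished before the failure count.
    Returns None when no usable backup exists at all.
    """
    good = [r.finished for r in runs
            if r.process == p.name and r.ok and r.finished <= failure_time]
    if not good:
        return None
    return failure_time - max(good)


def assess(p, runs, failure_time):
    """Summarise one process: workaround time, data lost, and whether the RPO held."""
    lost = data_at_risk(p, runs, failure_time)
    return {
        "process": p.name,
        "workaround_needed_for": rto_gap(p),
        "data_lost": lost,
        "rpo_met": lost is not None and lost <= p.rpo,
        "failed_backups": sum(1 for r in runs if r.process == p.name and not r.ok),
    }


# --- Constructed sample data (assumptions, not figures from the post) ---
SALES = Process("sales", rto_needed=timedelta(hours=4),
                rto_achievable=timedelta(hours=12), rpo=timedelta(hours=24))
PAYROLL = Process("payroll", rto_needed=timedelta(hours=72),
                  rto_achievable=timedelta(hours=24), rpo=timedelta(days=15))

RUNS = [
    BackupRun("sales", datetime(2012, 6, 1, 23, 0), ok=True),
    BackupRun("sales", datetime(2012, 6, 2, 23, 0), ok=True),
    BackupRun("sales", datetime(2012, 6, 3, 23, 0), ok=False),  # unnoticed failed backup
    BackupRun("payroll", datetime(2012, 6, 1, 18, 0), ok=True),
]

FAILURE = datetime(2012, 6, 4, 15, 0)  # the server hosting both databases goes down

if __name__ == "__main__":
    for proc in (SALES, PAYROLL):
        result = assess(proc, RUNS, FAILURE)
        for key, value in result.items():
            print(f"{key:>22}: {value}")
        print()
```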

Tuesday, May 15, 2012

The Living Plan


So you’ve put together a plan. Really. It’s that binder sitting on the shelf above your credenza. If anybody asks if you have one, you can point at it and say “yes, we have a plan!”

Saturday, May 5, 2012

Day Two, IVNUA


I spent the morning of the second IVNUA day in Loyal Moses’ sessions learning what he had to say about situational awareness.  Having situational awareness in Information Security is about being aware of the network, the users, the threats and the tools. Loyal warns us to use caution to avoid information overload, overkill or over-focus. All of those things reduce our situational awareness. Using automated tools can help avoid overload, overkill and over-focus.

I attended 2 of 3 sessions presented by Loyal Moses


During a break, I asked Loyal what he thought about Suricata, and he replied that Aanval is already written to work with Suricata, and that most applications that are built around Snort can work with Suricata with just a few tweaks.



My first afternoon session was a session on iBook publishing. The instructor was Jerry Johansen, from the Rock Island Regional Office of Education. Yeah – this isn’t an information security session… but I am working on a book, and exploring possibilities for publishing. I’m thinking iBook is not suited to my book. For teachers who have students using iPads in the classroom, the iBook can be useful. But the books can only be read on Apple products, and unless the book is to be distributed for free, it has to be sold through the iTunes store. My audience should be able to view the book on any product, and I would like to be able to sell it both as an ebook and as a hard copy. But the session was informative – and I can see how iBooks can really open new avenues in education.



The final session of the day was Kevin Remde’s “How I built my Private, Private Cloud”.

Kevin gave a good (if not fast) run through of setting up a virtual network using Windows server and Hyper-V. In fact, the entire private cloud was built using available free evaluation software, and he used older hardware for his builds. Of course, there are some minimum requirements for virtualization, so the hardware can’t be super old… but it is possible to build a virtual network for evaluation purposes from available free software, on available hardware that is virtualization-capable.



This year’s IVNUA Spring conference was a huge success. The sessions were amazing – I know I had a hard time deciding which to take, there were so many good choices. There were so many great presenters all under one roof. The vendor hall was brimming with great information. Keynotes at mealtimes rocked! The food and the casino night were stellar! I arrived home with a head full of ideas, a computer full of notes and an exhausted body.



Let’s do it all again in October!

Thursday, May 3, 2012

Monday, April 30, 2012

Taking the Show on the Road


I’ll be in Utica, Illinois this week for the Illinois Valley Network Users Conference. Although this is a general IT conference, this year things definitely have an Information Security ring to them, as power hitting Information Security presenters Laura Chappell and Loyal Moses will both be in attendance. 

Tuesday, April 10, 2012

How Changes in Environment Change Your Plan

A while back, the local newspaper ran an article about a new, longer runway at a local airport. It was intended to make the airport more accessible to larger jets. I didn’t think much about it except that it would bring more business to the small airstrip.

Thursday, April 5, 2012

Continuity Simplified for the Small Business - Crisis Communication

When disaster strikes, the small business owner not only has the crisis at hand to deal with, but people clamoring for information. Depending on the type of crisis, there could be emergency responders and media both looking for answers – employees to direct, and customers or vendors to notify. Although each situation will have different players, those are the four main categories of communication needs during a disaster.




Emergency Responders

In the midst of the crisis, these people will always need your attention first and foremost. In the case of fire, explosions, violence and other situations that require possible evacuations and entry of first responders, count on preparing a center of operations. This allows emergency responders to get pertinent information in order to do their work safely and efficiently. Assign someone in your disaster plan that is knowledgeable about the building and its contents to be the contact person for emergency personnel. Get to know your local emergency response teams: police, fire, sheriff, and county or city emergency planning people, anyone who could be involved in a crisis situation. Developing a working relationship with emergency responder organizations before disaster strikes can ease communications during disasters.

Media 

 Designate a media communications contact within the organization. Larger organizations usually have some sort of marketing professional, but in the small business this isn’t always feasible. If possible, the media contact should be someone who can be the public face of the organization in all situations. Once the contact is chosen, find some emergency communication training to prepare for situations beyond press releases. For folks in Iowa, Safeguard Iowa lists publicly available training. FEMA and CERT occasionally have training available as well. Once a media contact is established, it should be policy that no one speaks to the media in crisis situations except for the media contact. The media will be hungry for information – and should be fed regularly, but only by the media contact. By channeling all contact through this one person, your organization can have some control over what information goes out to the public. By the same token, feeding the media as often as possible reduces the need to seek out information from other sources that might provide misinformation. And like emergency responders, developing a relationship with the media will enable smoother communications.

Employees

Ensure employee safety first. The next step is to keep employees informed about the work environment and decisions regarding the future of the organization. They will need to know where to report for work and when. If employees have been involved in the recovery planning process, they will need to know what part of the plan is being implemented so they will be able to refer to the plan and begin the process of recovery. In any case, at the least, they will need to know what is expected of them in the short term – during the crisis and immediately following the crisis situation.

There should be plans for reaching employees who are not onsite at the time of an emergency. For smaller organizations, this might be something as simple as a call tree. If your web presence is not affected, an internal company web site can provide detailed information – as long as it is accessible. If you have a number of employees scattered over a larger region, SMS communications might be used. There are also emergency communication services available, depending on your budget.

Customers and Vendors

Customers need assurance the organization will be there for them, even through the crisis situation. This assurance must be made directly, and reinforced through the media contact. In situations where the media is involved, your customers are going to see news reports and know something has happened. This is one area where the single media contact is important. While giving necessary details to the media, the contact is also giving information for your customers, telling them this crisis is not the end of the organization and what contingency plans are in place that will benefit customers, and how customers will be reached.

Vendors can become your partners in recovery efforts. Notify them as soon as possible of your needs and any changes in delivery locations or billing/payment methods. Keep a back-up hard copy or database of vendor and customer contact information that can easily be accessed if your computer systems are unreachable or down. Assign employees to notification tasks as part of your continuity plan.


Successful emergency communications rely on getting the correct information to the correct people as efficiently as possible, avoiding situations that can result in misinformation. Put a plan into place; assign tasks in that plan and train those who will need to provide that information.

Thursday, February 9, 2012

People Come First


Before data, before communications, before power… people are the first responsibility of preparedness. I recommend to every business, from the smallest to the enterprise, emergency plans should first focus on the people involved. Every business should have plans for fire evacuation, severe weather sheltering and workplace violence, at the very minimum.


Friday, February 3, 2012

Planning for Power

You’re at your computer, hard at work on a spreadsheet or deeply engrossed in web-based research with a dozen websites open in tabs. Suddenly – the power goes out! Does your computer shut down instantly, leaving you wondering about that document or how you will find those sites again? If you have a laptop with a battery, chances are your battery will have enough charge to stay afloat. But if you’re like thousands of small businesses, your computer is a tower, and its source of power is the electrical outlet on the wall. Or maybe you have a surge protector – that’s a good thing, but doesn’t help you in an outage. Yes, we’re discussing battery back ups and alternative power.

By now, many businesses are already using battery back ups as an alternative to having the computer instantly shut down in an outage. The back up is designed to give a few minutes of power to allow the computer user time to save and close whatever work is in process and shut down the computer safely. This is a good tool for assisting in protecting data.

The battery back up provides other services as well. What most people don’t know is that building power can fluctuate. Those little spikes, surges, sags and brownouts can wreak havoc on the sensitive inner workings of your computer. While they might not cause sudden devastation, they can shorten the life of power supplies and system boards, causing costly repairs or early computer replacements. Running a computer on a battery back up can reduce the stress caused by power fluctuations. Because of this, even laptops benefit from the use of an external battery back up.

If your small business has servers, they should be running on server-level battery back ups. Not only do these provide more power in times of outage, but generally they can be installed with software that will properly shut down the server after a set amount of battery is used up. This way, the server will be shut down automatically without data loss.

What can be done in times of extended outage? This requires some advance planning. It is up to the business owner to decide how long the business can be “offline” before a financial hardship is incurred. If the outage is in one location and the business has multiple locations, it might be possible to utilize those other locations. If the financial hardship would be considerable, it might be wise to look into datacenter power generation. The cost of owning and maintaining a generator needs to be weighed against the possible loss and the probability of extended outages.

Power alternatives are an integral part of the data portion of any business continuity plan.

Wednesday, January 25, 2012

Where is Your Laptop Data?

In the previous installments of this series, questions were presented that the small business owner should ask himself/herself when thinking about business continuity planning. And some suggestions have been offered about how to answer those questions. But the big question everyone asks is "what about my data?"

I know some of you would rather talk about what you’re going to do about your data, mostly because that’s what you think about when you think disaster recovery or business continuity. I’ll give in – just a little bit. But there is a whole lot more to continuing your business than backing up your information. Unless your entire business is information, of course.

What is done about backing up data depends greatly on what type of data it is, how it is used, and how it is stored. Is the business web-based? If it is, do you host your own site on servers at your location, or is it hosted elsewhere?

Another consideration is your type of IT support. As a small business, are you large enough to have IT support on site? Or do you use a technical services company? Do you have servers at your location, or is your organization small enough that you are doing all of your work either: a) on a laptop or: b) in the cloud (think Google docs)? If you’re doing it all on a laptop you carry with you, you don’t have regular IT support, and you’re not already backing up your data, you’re asking for trouble!

That laptop is going to be the topic of today’s discussion. Laptop security is a topic that merits an entire book of its own. If you have a laptop, chances are you’re carrying it with you everywhere you go. Due to its portability, a laptop is often the ideal computer for a small business owner. Unfortunately, that portability can also be a laptop’s downfall.

So many things can happen to a laptop, some being exclusive to laptops. Spilling a drink in your keyboard on a workstation only gets the keyboard wet. Spilling a drink on the keyboard of your laptop can fry the laptop. Drop the laptop, and any number of things can happen, from a broken screen to a damaged hard drive (although that happens less now with newer technologies). Laptops can be easily stolen, and are more often in places where they are accessible to thieves. Taking your laptop on a flight somewhere? Today’s TSA inspections can damage computers or erase data…or the inspectors can confiscate your computer at will. Do you use public wifi at coffee shops, restaurants or other locations? Your data could be at a higher risk due to hacking or infection at those locations. The list of risks is long. But the portability of that laptop is why you have it, right? Well then, what about that data?

Data back ups for laptops are a requirement, given the multitude of risks listed above. Laptop data can be handled in several ways. There are online back up services that can store copies of your data. Some, like Mozy, offer you the ability to automate back ups, so your computer does the work without your input. Data storage is cloud-based (meaning it is uploaded through the internet to servers somewhere else), so when looking at these sorts of solutions, make sure to check into how they secure your upload/download process. Also consider their options for restoring data back onto a computer from the web. How simple is the process, and how fast? Costs vary, depending on the amount of data you need to store.

Perhaps you have another computer in your office or you want to store back up files on a portable hard drive. This can be done as well, and avoids cloud storage. Some people would rather not trust web-based storage. That’s perfectly acceptable. Backing up data to your own server, a separate computer or portable hard drive requires a little more technical know-how, depending on what operating system you are using, but it can be done. Windows 7 Professional can even schedule automated backups to a portable hard drive, with just a little input from the user. Or – if you have IT support, ask them for assistance.

If you’re traveling often, remember issues can arise with airport security. Cloud storage can be useful for the small business owner in these situations. Some solutions are designed so the storage is more like file synchronization. A copy of the data is made on the computer, put in a folder, and the folder automatically synchronizes with a server when it is connected to the internet. Other solutions (think Google Docs) are totally web-based, so none of your data is actually stored on the computer. In both cases, having an internet connection wherever you intend to work is required in order for them to work properly. But your data is accessible anywhere you work, and from any computer, as long as you have an internet connection.

These are just a few solutions for recovering data for the laptop user. If you’re planning for business continuity/disaster recovery and your business is run mostly from laptops, laptop data back up will be an integral part of your plan.

Thursday, January 19, 2012

Planning, Part Deux (Two)

There’s a lot more to be said about continuity planning. By now, hopefully you’ve taken a look at your surroundings and made a list of business interruption events – along with some avoidance or recovery thoughts. Don’t worry that you don’t have all the answers – or that you haven’t thought of every possible issue that could arise. This list isn’t set in stone. It is very flexible and can have information added at any time.

This is important to remember about continuity planning. Never expect your plan to be permanent. As your business changes, as your environment changes, so will your plan. Expect to revisit your plan every time you make a major change, and at least once a year to catch the changes you might have missed.

So you have your list of business interruption events. You have maybe even come up with some thoughts about how to avoid the events or what to do to recover from them. Great! If you have blank spaces for event recovery or avoidance, now is the time to talk to someone in the know about those particular types of events and find out what can be done.

Not sure about where your employees will work if the building is unavailable? Do you have more than one location? Some operations could be temporarily moved to another location within the company. If not, check with vendors or customers and see about reciprocal agreements. A reciprocal agreement is sometimes used between two companies to allow sharing of facilities in case one or the other experiences a facilities loss. Although competitors sometimes offer space in times of great need, this is more often seen between vendors and customers, or two unlike businesses that have similar needs. There are also companies whose sole business is to provide work space. This comes at a cost, of course.

What if the event is a power outage? Do you shut down and go home? Or do you wait it out? Is it just your building or area-wide? Do your servers and workstations have battery back up? Remember, the batteries are only meant to keep computers running long enough to save current work and shut down safely. Also consider your phone system. IP phones and their powered switches will also be affected by a power outage.  How about a water main break? If the water company calls and says they have to shut off the water to your building, how long can you stay open? Is there an alternative to closing?

Has anyone noticed I haven’t mentioned backing up data yet?  That’s because data is just a small part of your plan. Your people and processes should be among your first thoughts in a recovery situation. Without people, your business cannot run (unless you’re a business of one). Next up - Data.

Friday, January 6, 2012

Planning

Do you have a small business? What are you doing to ensure your business will be able to continue after a major (or minor) disaster event? How many days can your business be down and still recover?

How sensitive is your business to the loss of location? How about a power outage that would last several days? Is your business highly computerized – is it sensitive to hacking or virus attacks? Do you back up your data monthly, weekly, or daily? Where are those back ups stored?

Is your business web based? Where is your website hosted? Do you have a back up plan in place if your host goes down?

These are all important questions to ask. We all know about the big events – 9/11, Katrina, the Midwestern floods of 2008 to name a few. Some small business owners have taken these big disasters into consideration. We hear every day about fires all around the country that destroy businesses. It happens. Web servers are hacked – bank accounts are attacked.

Being “in the business” of continuity, I sometimes forget that not everyone is as aware of what can damage their business as I am. When I watch the news or read an article online – I see the potential for a business interruption. And then I start thinking about what can be done to reduce or eliminate the interruption from that cause.

Having a plan in place is like having an insurance policy. You buy the policy with the hope that you will never need to use it, but knowing it is there gives you a little bit of security.

Like that insurance policy, once the plan is created it needs an occasional review and update. Testing is as important as planning. Updating to cover changes in the business and new threats is as important as testing.

If you don’t have any plan at all – start small. Get some basics in place. Make sure your computers/servers/websites are backed up. Assure those back ups are being stored offsite. If you’re not technical, build a relationship with a business that can help you.

Look around your business (inside and out) and determine what sort of events could threaten your business. Put it on paper. Create a simple table – put the threats you discover in one column, and what you could do to avoid those threats or recover from incidents in another column.

And just like that, you’ve begun to plan.