Disaster And Business Continuity by Tom Canavan

Disaster And Business Continuity by Tom Canavan presentation given at CMS Expo in Denver, December 2008.

1. Disaster and Business Continuity
  • Tom Canavan
  • Chief Information Officer
  • eWomenNetwork, Inc

2. Disasters DO happen
  • Disaster preparedness is what you do before, not after, a disaster hits.
  • Crackers/hackers are only part of your concern.
  • Disaster: the word has its root in early Italian, from the word disastro (meaning “away from star”). It was thought that an unfavorable position of a star or planet was the cause of mishaps and calamities [1]
  • [1] Robert K. Barnhart, “The Barnhart Concise Dictionary of Etymology – The Origins of American English Words” (New York: HarperCollins Books, 1995), 208

3. What do you consider a disaster?
  • 4-19-1995 Murrah Bldg, Okla City
  • 9-11-2001 Ground Zero
  • 8/28/2005 Hurricane Katrina

4. But what about
  • One of my staff overwriting a critical directory on one of my servers while I was here at CMS Expo?
  • Is that a disaster?

5. I’ll take Disaster Recovery Planning for $500.00
  • -QUIZ-
  • Who has a working DR Plan?
  • If your site was offline for 7 to 10 days, would your company go bankrupt?

6. 404: Page Not found
  • A 1978 study by the University of Minnesota showed that if a business could not recover their systems within a week, it will be out of business in a year.
  • That’s only four to six days of interruption of services in 1978.
  • Aasgaard, D.O. et al., “An Evaluation of Data Processing ‘Machine Room’ Loss and Selected Recovery Strategies,” MISRC Working Papers (Minneapolis, MN: University of Minnesota, 1978)

7. Disaster Planning Life Cycle
  1. Determine Risks
  2. Document Your Business
  3. Build Your Plan
  4. Test & Document

8. Worst Practices for DR/DP
  • Failure to get management support
  • No risk assessment
  • No written plan
  • Lack of ‘good’ backups
  • You put the tapes where??
  • NOT CONSIDERING the human element
  • NOT testing your plan

9. Today’s agenda
  • Planning: the elements, issues and challenges with planning
  • Determine risks: hackers are only one concern – there’s more
  • Fortify: chances are GOOD you are exposed somewhere to attack
  • Test/Document: testing and documentation are vital to a healthy plan
  • Communications: who needs to be informed, how to inform, Media/Press

10. Determine Risks
  • What ‘could’ go wrong?
    • Hardware/Software failure, DNS, hackers
  • What can you do to mitigate it?
    • Hot site, backups, planned recovery

11. Determine Risks
  • People
    • Safety (of staff)
    • Where will they work?
    • Do they KNOW procedures (fire drill much?)
  • Telephones, pagers, cell phones, email
  • Hosting
    • Co-location (shared, dedicated, VPS)
    • Workstations

12. Determine Risk
  • Restoration costs BY host ($$$)
  • Backups, yes, but...
    • License keys
    • Copies of source/apps – do they exist?
    • Safe place to keep digital media
  • Identify ‘stakeholders’
  • Insurance – do you have any?
  • Your own computers – virus free?
  • What about your ‘backup server’ itself?

13. Affordability of a Risk
  • Elements to consider
    • How much $$$ are you willing to spend?
    • Does management buy into your plan?
    • Are they willing to commit to it financially?
    • Does your site “justify” a DR plan?
  • Determine if risks JUSTIFY cost
  • At the end of the day, if you have a blog site, then perhaps it’s not worth it. If you have an ecommerce site, then it WILL be.

14. Key Points
  • Know your risks
  • Know what the costs are
    • Cost of experiencing the risk
    • Cost of restoration from downtime
  • Have a plan to mitigate and recover

15. Why do you need a plan?
  • Recognize that trouble WILL come
    • Mr. Murphy on line one for you…
  • Your plan should be SMART based
    • Specific, Measurable, Attainable, Realistic, and Time-sensitive
  • “A good plan, violently executed now, is better than a perfect plan next week.” – General George Patton

16. Preparing to Plan
  • Recognize the following
    • A hard-to-execute plan will likely fail
    • Avoid ‘conforming’ to multiple opinions
    • Staff members will fight the plan
    • A plan untested is no good
    • Plans take time to build
    • A solid “one-page” plan is better than none

17. Planning Elements
  • RTO/RPO – what is yours?
    • Recovery Time Objective
    • Recovery Point Objective
  • Who is in charge?
    • Who else is in charge?
  • Moving parts of your plan
    • Where to store media, labeling, media type

18. Planning Elements
  • Do you have a ‘fall-back’?
  • When will you ‘activate’ your plan?
  • Define a communications strategy
  • Which ‘systems’ have priority?
  • Develop a schedule to plan
  • Can you afford your plan?

19. Key Points
  • Keep your planning team small
  • Involve Sr. Mgmt, CAREFULLY
  • Keep strong focus, for short bursts
    • Planning takes ‘time’ – and comfort
  • Your plan WILL fail the first time you use it
  • Your staff will not buy in at first
  • Set up a start, middle and end for the plan

20. Fortification
  • Preparation of your site is key – check:
    • Extensions, hosting, root kits, open ports
  • Set permissions correctly
    • Files and directories (644 / 755)
  • Latest version of Joomla (1.x and 1.5)
  • Check your HOST’s setup
    • Ports, versions of Apache, etc.

21. Fortify at-risk code
  • Can you find the problem?

22. Vulnerable Code
  • It’s missing the critical code:

        // no direct access
        defined( '_VALID_MOS' ) or die( 'Restricted access' );

  • While this problem is less prevalent, it still exists and can trip you up
  • Note: the previous code snip was purposely modified for demonstration purposes only!
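One way to check a whole extension tree for the missing guard the slide shows, as an added example that is not part of the presentation: a POSIX shell scan that lists every PHP file without a `defined( '_VALID_MOS' )` (or, by assumption, the 1.5-era `_JEXEC`) line, run here against a constructed sample tree.

```shell
#!/bin/sh
# Added example, not from the presentation: find PHP files in a Joomla 1.0
# extension tree that lack the "no direct access" guard from the slide,
#   defined( '_VALID_MOS' ) or die( 'Restricted access' );
# A file without it can be requested directly by URL, bypassing the CMS.
# The 1.5-era guard (_JEXEC) is accepted too; that is an assumption about
# what "guarded" should mean for a mixed 1.0/1.5 install.

# Usage: unguarded_php_files DIR   -> prints one unguarded path per line
unguarded_php_files() {
    find "$1" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        # Presence check only: it does not prove the guard runs before
        # other code, so a clean result is a lead, not a bill of health.
        if ! grep -qE "defined\( *'(_VALID_MOS|_JEXEC)' *\)" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (not real Joomla code): one guarded component file,
# one unguarded admin file and one non-PHP file that must be ignored.
make_sample_tree() {
    d=$1/components/com_demo
    mkdir -p "$d"
    printf '%s\n' '<?php' '// no direct access' \
        "defined( '_VALID_MOS' ) or die( 'Restricted access' );" \
        'echo "hello";' > "$d/demo.php"
    printf '%s\n' '<?php' '$id = $_GET["id"];' 'echo $id;' > "$d/admin.demo.php"
    printf 'notes\n' > "$d/readme.txt"
}

# Stand-alone demo: build the sample tree, scan it, clean up.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "Unguarded PHP files under $demo_root:"
unguarded_php_files "$demo_root"
rm -rf "$demo_root"
```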
23. Fortify - .htaccess
  • .htaccess – your first line of defense

24. Fortify - Permissions
  • Permissions
    • Very common problem
    • Check files and dirs
    • FILES: 644
    • DIR: 755
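An added example (not from the presentation) of auditing the 644/755 rule from slides 20 and 24 with POSIX find, and of applying it; the sample site it runs on is constructed inline, with one world-writable file and one world-writable directory as the defects to catch.

```shell
#!/bin/sh
# Added example, not from the presentation: audit a site root for the
# permissions the slide recommends (files 644, directories 755) and, if you
# choose, apply them. Uses only POSIX find, so it runs on most shared hosts.
# "! -perm 644" is an exact-mode test, so stricter modes such as 600 are
# reported as well; review the list before running fix_perms, because
# some hosts need a writable directory (e.g. for uploads) to stay writable.

# Usage: wrong_perms SITE_ROOT   -> prints "FILE <path>" / "DIR  <path>"
wrong_perms() {
    find "$1" -type f ! -perm 644 | sed 's/^/FILE /'
    find "$1" -type d ! -perm 755 | sed 's/^/DIR  /'
}

# Usage: fix_perms SITE_ROOT     -> sets 644 on files and 755 on directories
fix_perms() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Constructed sample site (empty stand-in files, not a real Joomla install)
# with two deliberate defects: a world-writable file and directory.
make_sample_site() {
    r=$1
    mkdir -p "$r/images/stories" "$r/administrator"
    : > "$r/index.php"
    : > "$r/configuration.php"
    : > "$r/images/stories/logo.gif"
    chmod 755 "$r" "$r/administrator" "$r/images"
    chmod 644 "$r/index.php" "$r/images/stories/logo.gif"
    chmod 777 "$r/images/stories"     # defect: world-writable directory
    chmod 666 "$r/configuration.php"  # defect: world-writable file
}

# Stand-alone demo: audit, fix, audit again (the second audit prints nothing).
demo_root=$(mktemp -d)
make_sample_site "$demo_root"
echo "Before:"; wrong_perms "$demo_root"
fix_perms "$demo_root"
echo "After:";  wrong_perms "$demo_root"
rm -rf "$demo_root"
```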
25. Fortify – PHP.INI
  • Safe Mode: OFF
  • Open basedir: none
  • Display Errors: ON
  • Short Open Tags: ON
  • File Uploads: ON
  • Magic Quotes: ON
  • Register Globals: OFF

26. Fortify - Versions
  • Using 1.0.xx
    • Make sure you are at least at 1.0.15
  • Using 1.5
    • Make sure you are at least at 1.5.3
  • Older versions are exploitable

27. Fortify – Common Trip Ups
  • Common issues
    • Admin still named ADMIN
    • Easy-to-guess passwords like P@ssw0rd
    • Permissions set wrong
    • Lack of .htaccess or php.ini
    • Vulnerable components
    • Hosts not set up properly

28. Fortify - Poor Host Security
  • Example: ports open that need not be
    • Real case from a JoomlaRescue.com client
      • The host had 1,700 ports open.
      • Port 53 – allows for zone transfers
      • Port 23 – Telnet – allowed “banner grabbing”
      • Port 21 – allowed me (shouldn’t have) to FTP in
      • Port 6667 (note Back Orifice) – Cult of the Dead Cow
      • And 1,677 more – (Huh???)
    • Host told client:
  • “That’s ok, you have a Virtual Private Server (VPS) setup”

29. Fortification Tools
  • Tools to check the host out:
    • NMAP (only with host’s permission)
    • Tools from http://centralops.net/co
      • Domain Dossier
    • Joomla Health Check (available from J!)
  • Google
    • Google Hacks (again, permission please)
  • Hire JoomlaRescue.com

30. Documentation
  • Documentation is a product of your risk assessment, goals, planning and fortification.
  • It’s the chief cornerstone of your DR plan.

31. Documentation
  • Documentation considerations
    • First recognize it’s not the Holy Bible
      • It CAN be changed as needed to fit
  • Establish a review process
    • It will change from time to time
    • Make sure the date is on it
  • Keep it in a safe place
    • Key DR team members must have it
    • Don’t let it fall into competitors’ hands

32. Maintaining your plan
  • Test your plan
    • Accomplished through drills
    • Document the results
    • Change documentation as needed
    • Collect old docs, distribute new
  • Tracking changes
    • Why did you change it?
  • Always ask WHY; changes will increase survivability

33. Drill for results
  • Establish a ‘failure’ test
  • Purpose:
    • To shake down your documentation
    • To train your staff
    • To learn where your plan works and fails
  • Establish a ‘regular’ drill time
    • Key members should be present at each test

34. Some things your plan should have
  • Team member contact information
    • Plan initiation instructions
      • ‘when’ we activate the plan
    • Location of backup media
    • Passwords and other security information
    • Contact for host
      • Technical support, escalation procedures
    • Instructions on HOW to restore

35. Documentation Example

36. A few words on drilling
  • Conducting a live test helps increase your site’s survivability by proving your plan works and ensuring your staff knows their job.

37. About your plan
  • “No plan survives first engagement with the enemy” – Von Clausewitz, Prussian Military Thinker

38. Key Points
  • Your plan/docs is a living document
    • Care and feed for it
  • Test it once you develop it
    • Conduct regular drills
  • Change it if it is not working
  • Establish a process for distribution
  • Keep it safe

39. Communications
  • Understanding what crisis communication means
  • Preparing media communications in advance
  • Communicating with your team and externally

40. Crisis Communication
  • Internal with team
    • Coordinates efforts for recovery
  • Internal with employees and other staff
    • Helps to control rumors
  • Communications with media / customers
    • Prepare plan in advance
    • This helps you control the message
    • Helps retain customer base

41. Media Communications
  • Media contact
    • Baseline communication regarding the event.
    • Reestablishes trust and ensures facts, not conjecture.
    • The message should drive the behavior you want
    • Accomplish this through advance preparation
      • Talking points for employees.
      • A template for developing a news release.
      • A list of reporters, media outlets or blog sites you want your message directed to.
      • A fact sheet for media, both downloadable PDF and paper based.

42. Staff Communications
  • Establish a communications tree
  • Assign a communications person or team
  • Make sure you do two things
    • Communicate openly and often with the DR team
    • Carefully distribute information to the rest of staff
  • Keep in mind what you say may end up on a blog or in the paper.

43. Tools for communication
  • www.freeconferencecall.com
  • Establish a media checklist
  • Establish a priority system
  • Be as ‘open’ as you can
    • If you’re hacked and had credit card data stolen, it may not be the best time to discuss it DURING the crisis

44. Key Points
  • Be sure you have a plan to communicate
  • Keep in mind nothing is “off the record”
  • Internal/external communications are vital
    • Keeps speculation down

45. Dodging The Bullets - Book

46. A Rabbit? My men are not afraid of a Rabbit!
