Biles’ Hierarchy of Disaster Recovery Needs

by Simon Biles

Having failed to keep up with my New Year’s resolution of being more organised (the observant among you might have noticed the absence of a February column), it’s nice to be able to move into a new season – spring is with us and, in the UK at least, that seems to mean a return to below-freezing nights and having to defrost my car each morning. Roll on global warming, I say! It never ceases to amaze me how quickly the UK grinds to a halt when we have a little inclement weather; you’d think we’d be used to it by now. Over December I had the absolute pleasure of being stuck in Edinburgh because there was the wrong amount of snow on the runway, or something like that. Luckily, we had contingency plans in place and, after 48 hours, we were back at home in Oxfordshire. We were certainly fortunate – we passed hundreds of people in the airport who weren’t going anywhere and had no other option but to wait it out. In vast contrast, in the Middle East over the last few months, not only has the weather been hot, but so has the political climate, and I have been amazed by the speed with which the ruling governments have acted to cut off the internet.

The tenuous link? Business Continuity Planning and Disaster Recovery Planning. It doesn’t take long, if you watch the IT news, before you come across a good example of bad BCP/DRP – my favourite this month was Vodafone, but this is just a retelling of an old story. The fact that a major organisation (a) had a single point of failure in the first place and (b) couldn’t fail it over to another, backup site immediately is more than a little embarrassing. Vodafone are in quite a privileged position, though: whilst their outage is clearly damaging to their image, in real terms their clients are tied into long-term contracts, it was one day out of service out of a year, and their clients’ capability to demonstrate their own BC/DR plans (e.g. use a landline) means that they are unlikely to lose much business from the mistake.

For a smaller outfit, however, the loss of even one component (like your laptop or examination machine) could cripple you for days and potentially lose you significant business. I personally suffered a hard disk failure on my MacBook Pro (under AppleCare, but not a quick fix – two weeks) and, although I had full backups of everything to within 24 hours, I had to go and source a temporary machine to restore them to in order to carry on working. In fact, in light of the fact that I _didn’t_ have a BCP/DRP, I bought a second, smaller and cheaper laptop that I could bring into play should the main one fail again.

Before I go on, I should clarify that there is a difference between BCP and DRP – one (BCP) tends to be used for localised failures, such as a hard disk failing; the other (DRP) is for catastrophic events, such as your building burning down. In my experience most people don’t have an adequate plan of either kind; however, there is a lot of common material between the two, and I’m going to continue this article from more of a DRP perspective.

In a lot of businesses the “cloud” is a great solution: all of your data is “out there” and all you need is a “dumb” terminal to get to it. For those of us who operate in the security or forensics space, however, this is an impossible thing, although I know a few freelancers who make use of the professional Google tools for their e-mail – and even that, sadly, isn’t a guaranteed solution.

So, as a minimum, what should you be doing to manage your DR plans? I’d like to propose a model (I’ve not seen it done before, but I hesitate to call anything new in this day and age! [I was infuriated the other day to see that someone had trademarked the word “automagically” – something that I’ve been using for decades (and will continue to do, citing prior art if anyone complains!)]) based on Maslow’s Hierarchy of Needs:

[Figure: Biles’ Hierarchy of DR Needs (pyramid diagram not reproduced)]

Fundamentally, of course, there is a layer underneath the bottom one here which is the most critical of all: the fundamental wellbeing of staff. If there has been a significant event which has resulted in a site becoming unavailable, then there is a risk of trauma to staff – potentially physical, but also emotional – even more so if you generally work from home! Also, in recent cases where BCP/DR plans have had to be enacted because of terrorist action, there is a lot to be gained by providing a mechanism for communication between staff and their nearest and dearest, so that they can be reassured that there are no issues. I was lucky on July 7th: not only was I not on the tube in London at the time, but I had called my wife from the station saying that I was OK before the mobile phone network became overloaded. Knowing that she wasn’t worrying, and that she knew I was walking to work, meant that when I got into the office I could get on with what needed to be done (and so could she).

The above pyramid does quickly illustrate what you need, but bear in mind how easy some of these layers are to satisfy. You can get through nearly all of the first three with a laptop, a mobile phone and the local pub with a Wi-Fi point – in fact, if you have Skype, you can even skip the mobile phone. Clearly, though, these requirements change as soon as you are operating your business from an unstable Middle Eastern state; if that is the case then you need to consider Inmarsat phones and data links, petrol generators and a stash of local currency. Each plan is dependent on the scenario.

Please bear in mind the potential size of an incident: there were reported issues for companies in the aftermath of the Buncefield fire where their DR site was just as badly damaged as their main site, being almost equidistant from it on the opposite side of the event!

Simon Biles is one of the founders of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK. He has worked on security projects for commercial, charity and government organizations for over 10 years. Simon is studying Forensic Computing at Cranfield University, although very slowly because of work commitments! He posts on the forum as Azrael and you can read an interview with him here.