THANKS FOR RECOVERING…NOW I CAN HACK YOU

Charles Greene, CISSP, GSLC

Speaker Bio• Senior Information Security Architect

• I&AM Team Lead, DR Team Lead

• Bachelor's Degree in Information Systems from Virginia Commonwealth University

• Master's Degree in Disaster Sciences from the University of Richmond

• CISSP, GIAC Security Leadership Certification

• SANS Mentor - MGT-512 Security Leadership Essentials and MGT-432 Information Security for Business Managers

• GIAC Advisory Board

Leading Questions…How many of your organizations perform annual Disaster Recovery Tests?

How many of you are Information Security Professionals?

How many Information Security Professionals play an active part in Disaster Recovery Tests?

Why?

Why Not?

Disaster Recovery Journal, Winter 2013 Vol.26, Num.1

Agenda

Disaster Recovery Test Scenario DR Test Security Vector Identification Other Considerations

Open and Interactive DialogueThoughts About DR TestingUltimate Goal of Enhancing DR Test Plans

Background ScenarioDR ASSIGNMENT

Operations System Architects Management Security

DR Lead – RTO/RPO Sys Admin – RECOVERY Sec Admin - Security

DR RESPONSIBILITIES

In this scenario, the DR tasks were assigned to Systems/Network Management. The DR teams were comprised of Systems and Network Administrators and the Security Administrators had no role in DR planning or exercises.

What Happened?

Planning Focus on Recovery Developed and Reviewed

by Systems Administrators

Test Planning for RTO/RPO

What Happened?

Test Execution

Going as Planned Ah Ha Moment Vendor Response

What Happened?

Mitigation

Security Realization Identify DR Vectors of

Attack Plan Updates

Vector Identification Local Switch

Infrastructure

Vector Identification Local Switch

Infrastructure Who controls the switch

configurations?

Can you verify the configs?

Who has physical access to the switches?

Vector Identification Firewall

Configurations When is the FW

recovered?

What does it protect?

Is it complete?

Vector Identification System

Administrator Devices

Is there corporate data on the laptop?

Will this device connect to the DR network?

Create a Device Use Policy

Vector Identification VPN Access Does it bypass the

Firewall?

Identity and Access Management?

Vector Identification Server

Configurations Timing of the build

process might create opportunities

Use a protected build DMZ to lessen the risk

It’s Your Data…Protect It!

Recovering Live Data Incident Handling at DR location Logging?

Update Your Plans!

Goals for DR Testing Experience Plan Verification

Questions/Discussion

Thank You!

Chip Greene, CISSP, GSLCSenior Information Security ArchitectSANS Mentor (MGT-512, MGT-432)

cgreene2@richmond.educgreene2@mcvh-vcu.edu