Upload
augustus-mclaughlin
View
222
Download
4
Tags:
Embed Size (px)
Citation preview
Chapter 9
Copyright Pearson Prentice-Hall 2010
In previous chapters, we have looked at threats, planning, and response
In Chapter 9, we complete the discussion of the plan-protect-respond cycle
Response planning is necessary because defenses can never stop all attacks. Companies must respond appropriately when attacks happen or natural disasters occur
2
Copyright Pearson Prentice-Hall 20103
Copyright Pearson Prentice-Hall 2010
The Situation◦ Hurricane Katrina devastated New Orleans in
2005 Followed shortly by Hurricane Rita
◦ The U.S. Federal Emergency Management Administration (FEMA) botched the relief effort
4
Copyright Pearson Prentice-Hall 2010
Wal-Mart Is the Largest Retailer in the United States
◦ Supplied $20 million in cash
◦ Supplied 100,000 free meals
◦ 1,900 truckloads full of diapers, toothbrushes, other emergency supplies
45 trucks were rolling before the hurricane hit land
◦ Provided police and relief workers with flashlight, batteries, ammunition, protective gear, and meals
5
Copyright Pearson Prentice-Hall 2010
What Was Wal-Mart’s Process?
Wall-Mart Business Continuity Center◦ A permanent department with a small core staff
◦ Activated two days before Katrina hit
◦ Soon, 50 managers and specialists were at work in the center
6
Copyright Pearson Prentice-Hall 2010
Wall-Mart Business Continuity Center◦ Before computer network went down, sent
detailed orders to its distribution center in Mississippi
◦ Recovery merchandise for stores: bleach and mops, etc.
◦ 40 power generators to supply stores with backup power
◦ Sent loss-prevention employees to secure stores
7
Copyright Pearson Prentice-Hall 2010
Communication◦ Network communication failed
◦ Relied on telephone to contact its stores and other key constituencies
Response◦ Stores came back to business within days
◦ Engaged local law enforcement to preserve order in lines to get into stores
8
Copyright Pearson Prentice-Hall 2010
Preparation◦ Full-time director of business continuity
◦ Detailed business continuity plans
◦ Clear lines of responsibility
Multitasking◦ During all of this, were monitoring a hurricane off
Japan
9
Copyright Pearson Prentice-Hall 2010
Incidents Happen◦ Protections inevitably break down occasionally
◦ Successful attacks are called security incidents, breaches, or compromises
Incident Severity◦ False alarms
Apparent compromises are not real compromises Also called false positives Handled by the on-duty staff Waste time and may dull vigilance
10
Copyright Pearson Prentice-Hall 2010
Incident Severity◦ Minor incidents
Breaches that on-duty staff can handle Little to no management or policy issues
◦ Major incidents
Beyond the capabilities of the on-duty staff
Must convene a Computer Security Incident Response Team (CSIRT)
CSIRT needs participation beyond IT security
11
Copyright Pearson Prentice-Hall 2010
Incident Severity◦ Disasters
Fires, floods, hurricanes, major terrorist attacks Must assure business continuity
Maintaining the day-to-day operations of the firm Need a business continuity group headed by a senior
manager Core permanent staff will facilitate activities
IT disaster response is restoring IT services May be a subset of business continuity May be a stand-alone IT disaster
12
Copyright Pearson Prentice-Hall 2010
Speed and Accuracy Are of the Essence◦ Speed of response can reduce damage
Attacker will have less time to do damage
The attacker cannot burrow as deeply into the system and become very difficult to detect
Speed is also necessary in recovery
13
Copyright Pearson Prentice-Hall 2010
Speed and Accuracy Are of the Essence◦ Accuracy is equally important
Common mistake is to act on incorrect assumptions
If misdiagnose the problem or take the wrong approach, can make things much worse
Take your time quickly
14
Copyright Pearson Prentice-Hall 2010
Planning Before an Incident or Disaster◦ Decide what to do ahead of time
◦ Have time to consider matters thoroughly and without the time pressure of a crisis
◦ (During an attack, human decision-making skills degrade)
◦ Incident response is reacting to incidents according to plan
◦ Within the plan, need to have flexibility to adapt
◦ Best to adapt within a plan than to improvise completely
15
Copyright Pearson Prentice-Hall 2010
Team Members Must Rehearse the Plan◦ Rehearsals find mistakes in the plan
◦ Practice builds speed
Types of Rehearsals◦ Walkthroughs (table-top exercises)
◦ Live tests (actually doing planned actions) can find subtle problems but are expensive
16
Copyright Pearson Prentice-Hall 2010
Process for Major Incidents◦ E.g. Breach of server with sensitive customer
information
Detection, Analysis, and Escalation◦ Must detect through technology or people
Need good intrusion detection technology All employees must know how to report incidents
◦ Must analyze the incident enough to guide subsequent actions Confirm that the incident is real Determine its scope: Who is attacking; what are they
doing; how sophisticated they are, etc. Predominately done via log file analysis
17
Copyright Pearson Prentice-Hall 2010
Detection, Analysis, and Escalation◦ If deemed severe enough, escalate to a major
incident Pass to the CSIRT, the disaster response team,
or the business continuity team
18
Copyright Pearson Prentice-Hall 2010
Containment◦ Disconnection of the system from the site network
or the site network from the Internet (damaging)
Harmful, so must be done only with proper authorization
This is a business decision, not a technical decision
19
Copyright Pearson Prentice-Hall 2010
Containment◦ Black-holing the attacker (only works for a short
time) Blocking the IP address of the attacker What must be in place for this to be an
efficient/effective option? What does black-holing tell the hacker?
◦ Continue to collect data (allows harm to continue) to understand the situation Especially necessary if prosecution is desired
20
Copyright Pearson Prentice-Hall 2010
Recovery◦ Restore site from backup
But what if back-up files are compromised?
◦ Total Software installation
◦ Must leave Site more secure than before, the hackers may be back
21
If you recall….◦ Hello,During a recent security scan on our servers
it has come to our attention one of your DreamHost hosted websites have been compromised. It would appear that an unknown malicious party has modified your site's .htaccess file in order to redirect traffic destined for your website to their own site (or you have become generous and chose to re-route your site's traffic to a "sweepstakes and contests info" website.)
22
First I wanted to understand so I opened some of the infected files – with my Virus Scanner on!◦ Found I had (many files infected with)
◦ Troj/PHPShll-B Downloads more malware Downloads code from the Internet Does not allow me to edit and clean infected files So…
◦ Restore from Backup
23
I was lucky, in a sense?
My blog is not very active
So backing up from a early period did not loose any content
I deleted all the old directories◦ But kept the latest one (for investigating)
Not a good idea, I got re-hacked So I deleted again and tried to re-harden my site
24
Copyright Pearson Prentice-Hall 2010
Recovery◦ Data
Restoration from backup tapes Loses data since last trusted backup
25
After initial restore◦ Updated WordPress admin password
It wasn’t “admin”
◦ Updated WordPress to latest version
◦ I updated my Plugins
Copyright Pearson Prentice-Hall 201026
Remember I said I was hacked again
I forgot to update my themes◦ Wordpress themes are usually PHP code
◦ Determines blog look and behavior Mine was not updated So I updated it…
27
I had 69 out of date themes!!!!!!
The file hacked was .htaccess
So I found a site that had code for hardening this file:◦ WebDesignCode
◦ And changed my code
But still things were fishy so I emailed DreamHost Abuse and this is what else they did….
28
I deleted the new .htaccess file that was placed in my root directory
Though my site was available: Mydebitcredit.com
My Permalinks were broken◦ The direct link to an blog post
404 errors So DreamHost, so changed permalinks
I have an unused Domain that was a vector for some of the virus◦ Deleted two files:
◦ ./robinshermano.com/evangelin_stepped.php---------- 1 shornik pg1249160 28278 2011-08-05 13:12
◦ ./robinshermano.com/maryanna_gennie.php
29
File/Directory Permissions◦ When we've seen files that match that naming
convention and size signature arise over the last couple of months, it is typically due to the folder that it resides in having insecure 777 permission settings that allow for the global writing of files by any user. This means that if another user on the shared server is hacked, the attackers, if they scan for folders with this insecure setting can then place files in the folder , such as the above listed backdoor shell which they later hit via HTTP to inject a base64 encoded payload into your files.
30
31
32
33
Copyright Pearson Prentice-Hall 2010
Recovery◦ Software
Total software reinstallation of operating system and applications may be necessary for the system to be trustable
Manual reinstallation of software Need installation media and product activation keys Must have good configuration documentation before the
incident
Reinstallation from a disk image Can greatly reduce time and effort Requires a recent disk image
34
Copyright Pearson Prentice-Hall 2010
Apology◦ Acknowledge responsibility and harm without
evasion or weasel words
◦ Explain potential inconvenience and harm in detail
◦ Explain what actions will be taken to compensate victims, if any
35
Copyright Pearson Prentice-Hall 2010
Punishment◦ Punishing employees usually is fairly easy
Most employees are at-will employees
Companies usually have wide discretion in firing at-will employees
This varies internationally
Union agreements may limit sanctions or at least require more detailed processes
36
Copyright Pearson Prentice-Hall 2010
Punishment◦ The decision to pursue criminal prosecution
Must consider cost and effort
Must consider probable success if pursue (often attackers are minors or foreign nationals)
Loss of reputation because the incident becomes public
37
Copyright Pearson Prentice-Hall 2010
Punishment◦ Collecting and managing evidence
Forensics: Courts have strict rules for admitting evidence in court
Call the authorities and a forensics expert for help
38
Copyright Pearson Prentice-Hall 2010
Punishment◦ Collecting and managing evidence
Protecting evidence Pull the plug on a server if possible This is a business decision, not an IT decision
Document the chain of custody Who held the evidence at all times What they did to protect it Document the chain of custody
39
Copyright Pearson Prentice-Hall 2010
Postmortem Evaluation◦ What should we do differently next time?
◦ I’ve set up my them to update automatically and only have 1 theme to keep tack of.
◦ I still need to check for updates of WordPress and Plugins routinely
40
Copyright Pearson Prentice-Hall 2010
Organization of the CSIRT◦ Should be led by a senior manager
◦ Should have members from affected line operations
◦ The IT security staff may manage the CSIRT’s operation on a day-to-day basis
◦ Might need to communicate with the media; only do so via public relations
◦ The corporate legal counsel must be involved to address legal issues
◦ Human resources is necessary, especially if there are to be sanctions against employees
41
Carnegie Mellon Computer Emergency Response Team (CERT)◦ XNET
Copyright Pearson Prentice-Hall 201042
Copyright Pearson Prentice-Hall 201043
Dimension Criminal Law Civil LawDeals with Violations of criminal
statutesInterpretations of rights and duties that companies or individuals have relative to each other
Penalties Jail time and fines Monetary penalties and orders to parties to take or not take certain actions
Cases brought by Prosecutors Plaintiff is one of the two parties
Criterion for verdict Beyond a reasonable doubt
Preponderance of the evidence (usually)
Requires mens rea (guilty mind)
Usually Rarely, although may affect the imposed penalty
Applicable to IT security Yes. To prosecute attackers and to avoid breaking the law
Yes. To avoid or minimize civil trials and judgments
Copyright Pearson Prentice-Hall 2010
Cyberlaw◦ Cyberlaw is any law dealing with information
technology
Jurisdictions◦ Areas of responsibility within which government
bodies can make and enforce law but beyond which they cannot
44
Copyright Pearson Prentice-Hall 2010
The United States Federal Judicial System◦ U.S. District Courts
94 in the United States
Decisions in trials are only binding on the litigants
45
Copyright Pearson Prentice-Hall 2010
The United States Federal Judicial System◦ U.S. Circuit Courts of Appeal
13 in the United States
Do not conduct trials
Review district court decisions
Decisions are precedents only for the district courts under the circuit court of appeals making a decision
46
Copyright Pearson Prentice-Hall 2010
The United States Federal Judicial System◦ U.S. Supreme Court
Final arbiter of U.S. federal law
Only hears about 100 cases per year
Usually only reviews cases that involve conflicts between appellate court precedents or important constitutional issues
47
Copyright Pearson Prentice-Hall 2010
U.S. State and Local Law◦ In the United States, many powers are reserved
for the states
◦ This typically includes the prosecution of crimes taking place within a state or that do not affect interstate commerce
◦ For most cybercrimes committed within a state, state law applies
◦ State cybercrime laws vary widely
◦ Local police usually investigate crimes under both local and state laws
48
Copyright Pearson Prentice-Hall 2010
International Law◦ Differences are wide and rapidly changing
(generally improving)
◦ Important to multinational firms
◦ Also important to purely domestic firms Suppliers and buyers may be in other countries Attackers may be in other countries
◦ Several treaties exist to harmonize laws and facilitate cross-border prosecution Generally immature
49
Copyright Pearson Prentice-Hall 2010
Admissibility of Evidence◦ Unreliable evidence may be kept from juries
◦ Belief that juries cannot evaluate unreliable evidence properly
◦ Example: hearsay evidence
Federal Rules of Civil Procedure◦ Guide U.S. courts
◦ Now have strong rules for evaluating the admissibility of electronic evidence
50
Copyright Pearson Prentice-Hall 2010
Computer Forensics Experts◦ Professionals trained to collect and evaluate
computer evidence in ways that are likely to be admissible in court
◦ Meet with them before there is a need because the initial moments of an intrusion require correct action
51
Copyright Pearson Prentice-Hall 2010
Expert Witnesses◦ Normally, witnesses can only testify regarding
facts, not interpretations
◦ Expert witnesses may interpret facts to make them comprehensible to the jury in situations where juries are likely to have a difficult time evaluating the evidence themselves
52
Copyright Pearson Prentice-Hall 2010
18 U.S.C § 1030◦ United States Code Title 18, Part I (Crimes)
Section 1030
◦ Actions prohibited Hacking Malware Denial of service
53
Copyright Pearson Prentice-Hall 2010
18 U.S.C § 1030◦ Protected computers
Applicability is limited to protected computers Include “government computers, financial
institution computers, and any computer which is used in interstate or foreign commerce or communications”
◦ Often require damage threshold for prosecution The FBI may require even higher damages to
prosecute
54
Copyright Pearson Prentice-Hall 2010
18 U.S.C § 2511◦ Prohibits the interception of electronic messages,
both en route and after the message is received and stored
◦ Allows e-mail service providers to read the content of mail A company can read employee mail if it owns
the mail system
55
Copyright Pearson Prentice-Hall 2010
Other Federal Laws◦ Many traditional federal criminal laws may apply
in individual cases
◦ For example, fraud, extortion, and the theft of trade secrets
◦ These laws often have far harsher consequences than cybercrime laws
56
Copyright Pearson Prentice-Hall 2010
Event logging for suspicious events
Sometimes, send alarms
A detective control, not a preventative or restorative control
57
Copyright Pearson Prentice-Hall 201058
Management:
Configuration, Tuning, etc.
Actions:
Generate Alarms
Generate Log Summary Reports
Support Interactive Manual Log Analysis
Automated Analysis:
Attack Signatures versus Anomaly Detection
Event Logging:
Individual Events are Time-Stamped
Log is Flat File of Events
(Sometimes) Data Aggregation from Multiple IDSs
Logging◦ Captures discrete events time-stamped
◦ Stored in a sequential file
Automated Analysis◦ Attack Signatures (see my Hack)
◦ Anomaly Detection Deviations from past activity
Actions◦ Alarm
◦ Log Summary Reports should be reviewed
◦ Support Interactive Log Analysis Tools
Copyright Pearson Prentice-Hall 201059
Multiple IDS allow a better overview of attack Agents
◦ Each device collecting data/event
Manger program◦ Integrates log files from all sources
◦ Batch transfers Least expensive
Hacker disables event logging, if done between batches hack may go undetected
Real-Tim More expensive Doesn’t suffer from hacking
Copyright Pearson Prentice-Hall 201060
Copyright Pearson Prentice-Hall 201061
1.Manager
2.IntegratedLog File
4.Agent:
NetworkIDS
4.Agent:
Network IDS
3.Agent:HostIDS
Switch
Router Firewall
IDS Vendor
5.Encrypted
Communication
5.Encrypted
Communication
4.Agent:
NetworkIDS
Copyright Pearson Prentice-Hall 2010
Network IDSs (NIDSs)◦ Stand-alone device or built into a switch or router
◦ NIDSs see and can filter all packets passing through them
◦ Switch or router NIDSs can collect data on all ports
◦ A NIDS collects data for only its portion of the network Blind spots in network where no NIDS data is
collected
◦ Cannot filter encrypted packets
62
Copyright Pearson Prentice-Hall 2010
Host IDSs (HIDSs)◦ Attractions
Provide highly detailed information for the specific host
◦ Weaknesses of Host IDSs Limited Viewpoint; Only one host Host IDSs can be attacked and disabled
63
Copyright Pearson Prentice-Hall 2010
Host IDSs (HIDSs)◦ Operating System Monitors
Collects data on operating system events Multiple failed logins Creating new accounts Adding new executables (programs—may be
attack programs)
64
Copyright Pearson Prentice-Hall 2010
Host IDSs (HIDSs)◦ Operating System Monitors
Modifying executables (installing Trojan horses does this)
Adding registry keys (changes how system works)
Changing or deleting system logs and audit files Changing system audit policies User accessing critical system files User accessing unusual files Changing the OS monitor itself
65
Copyright Pearson Prentice-Hall 2010
Log Files◦ Flat files of time-stamped events
◦ Individual logs for single NIDs or HIDs
◦ Integrated logs Aggregation of event logs from multiple IDS
agents (Figure 9-12) Difficult to create because of format
incompatibilities Time synchronization of IDS event logs is crucial
(Network Time Protocol)
66
Copyright Pearson Prentice-Hall 2010
Event Correlation (Figure 9-15)◦ Suspicious patterns in a series of events across
multiple devices
◦ Difficult because the relevant events exist in much larger event streams that are logged
◦ Usually requires many analysis of the integrated log file data
67
Copyright Pearson Prentice-Hall 2010
Sample Log File(many irrelevant log entries not shown)
1. 8:45:05:47. Packet from 1.15.3.6 to 60.3.4.5 (NIDS log entry)
2. 8:45:07:49. Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry)
3. 8:45:07:50. Packet from 60.3.4.5 to 1.15.3.6 (NIDS) 4. 8:45:50:15. Packet from 1.15.3.6 to 60.3.4.5 (NIDS) 5. 8:45:50:18. Host 60.3.4.5. Failed login attempt for
account Lee (HIDS) 6. 8:45:50:19. Packet from 60.3.4.5 to 1.15.3.6 (NIDS) 7. 8:49:07:44. Packet from 1.15.3.6 to 60.3.4.5 (NIDS) 8. 8:49:07:47. Host 60.3.4.5. Successful login attempt
for account Lee (HIDS) 9. 8:49:07:48. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)
68
Copyright Pearson Prentice-Hall 2010
Sample Log File 10. 8:56:12:30. Packet from 60.3.4.5 to 123.28.5.210.
TFTP request (NIDS)
11. 8:56:28:07. Series of packets from 123.28.5.210 and 60.3.4.5. TFTP response (NIDS)
12. No more host log entries
◦ (The log would not say this; it would merely stop sending events)
69
Copyright Pearson Prentice-Hall 2010
Sample Log File
(many irrelevant log entries not shown)
13. 9:03.17:33. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
14. 9:05.55:89. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
15. 9:11.22:22. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
16. 9:15.17:47. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
17. 9:20:12:05. Packet from 60.3.4.5 to 60.0.1.1. TCP SYN=1, Destination Port 80 (NIDS)
18. 9:20:12:07: Packet from 60.0.1.1 to 60.3.4.5. TCP RST=1, Source Port 80 (NIDS)
19. 9:20:12:08. Packet from 60.3.4.5 to 60.0.1.2. TCP SYN=1, Destination Port 80 (NIDS)
20. 9:20:12:11 Packet from 60.3.4.5 to 60.0.1.3. TCP SYN=1, Destination Port 80 (NIDS)
21. 9:20:12:12. Packet from 60.0.1.3 to 60.3.4.5. TCP SYN=1; ACK=1, Source Port 80 (NIDS)
70
Copyright Pearson Prentice-Hall 2010
Tuning for Precision◦ Too many false positives
False alarms Can overwhelm administrators, dull vigilance
◦ False negatives allow attacks to proceed unseen
71
Copyright Pearson Prentice-Hall 2010
Tuning for Precision◦ Tuning for false positives turns off unnecessary
rules, reduces alarm levels of unlikely rules
For instance, alarms for attacks against Solaris operating systems can be deleted if a firm has no Sun Microsystems servers
Tuning requires a great deal of expensive labor
Even after tuning, most alerts will be false positives
72
Copyright Pearson Prentice-Hall 2010
Updates◦ Program, attack signatures must be updated
frequently
Processing Performance◦ If processing speed cannot keep up with network
traffic, some packets will not be examined
◦ This can make some IDSs useless during attacks that increase the traffic load
73
Copyright Pearson Prentice-Hall 2010
Storage◦ There will be limited disk storage for log files
◦ When log files reach storage limits, they must be archived
◦ Event correlation is difficult across multiple backup tapes
◦ Adding more disk capacity reduces the problem but never eliminates it
74
Copyright Pearson Prentice-Hall 2010
Business Continuity Planning◦ A business continuity plan specifies how a
company plans to restore or maintain core business operations when disasters occur
◦ IT Disaster response is restoring IT services
75
Copyright Pearson Prentice-Hall 2010
Principles of Business Continuity Management◦ Protect people first
Evacuation plans and drills Never allow staff members back into unsafe
environments Must have a systematic way to account for all
employees and notify loved ones Counseling afterwards
76
Copyright Pearson Prentice-Hall 2010
Principles of Business Continuity Management◦ People have reduced capacity in decision making
during a crisis Planning and rehearsal are critical
◦ Avoid rigidity Unexpected situations will arise Communication will break down and information
will be unreliable Decision makers must have the flexibility to act
77
Copyright Pearson Prentice-Hall 2010
Principles of Business Continuity Management◦ Communication
Try to compensate for inevitable breakdowns Have a backup communication system Communicate constantly to keep everybody “in
the loop”
78
Copyright Pearson Prentice-Hall 2010
Business Process Analysis◦ Identification of business processes and their
interrelationships
◦ Prioritization of business processes Downtime tolerance (in the extreme, mean time
to belly-up) Importance to the firm Required by higher-importance processes
◦ Resource needs (must be shifted during crises) Cannot restore all business processes
immediately
79
Copyright Pearson Prentice-Hall 2010
Testing the Plan◦ Difficult because of the scope of disasters
◦ Difficult because of the number of people involved
80
Copyright Pearson Prentice-Hall 2010
Updating the Plan◦ Must be updated frequently
◦ Business conditions change and businesses reorganize constantly
◦ People who must execute the plan also change jobs constantly
◦ Telephone numbers and other contact information must be updated far more frequently than the plan as a whole
◦ Should have a small permanent staff
81
Copyright Pearson Prentice-Hall 201082
Business Continuity:Keeping the entire firm operatingor restoring the firm to operation
IT Disaster Response:Keeping IT resources operatingor restoring them to operation
Copyright Pearson Prentice-Hall 2010
IT Disaster Recovery◦ IT disaster recovery looks specifically at the
technical aspects of how a company can get its IT back into operation using backup facilities
◦ A subset of business continuity or for disasters the only affect IT
◦ All decisions are business decisions and should not be made by mere IT or IT security staffs
83
Copyright Pearson Prentice-Hall 2010
Types of Backup Facilities◦ Hot sites
Ready to run (power, HVAC, computers): Just add data
Considerations: Rapid readiness at high cost
Must be careful to have the software at the hot site up-to-date in terms of configuration
84
Copyright Pearson Prentice-Hall 2010
Types of Backup Facilities◦ Cold sites
Building facilities, power, HVAC, communication to outside world only
No computer equipment
Less expensive but usually take too long to get operating
85
Copyright Pearson Prentice-Hall 2010
Types of Backup Facilities◦ Site sharing
Site sharing among a firm’s sites (problem of equipment compatibility and data synchronization)
Continuous data protection needed to allow rapid recovery
86
Copyright Pearson Prentice-Hall 2010
Office Computers◦ Hold much of a corporation’s data and analysis
capability
◦ Will need new computers if old computers are destroyed or unavailable Will need new software Well-synchronized data backup is critical
◦ People will need a place to work
87
Copyright Pearson Prentice-Hall 2010
Restoration of Data and Programs◦ Restoration from backup tapes: Need backup
tapes at the remote recovery site
◦ May be impossible during a disaster
Testing the IT Disaster Recovery Plan◦ Difficult and expensive
◦ Necessary
88
Or, as we say in Hawaii, “All pau”
89
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.
Copyright © 2010 Pearson Education, Inc. Copyright © 2010 Pearson Education, Inc. Publishing as Prentice HallPublishing as Prentice Hall