This is Part 8 & 9 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the CIS Security Controls. A summary of the previous posts is here:
- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security
- Part 7 - we looked at Wireless Access Control
Now we are taking on Data Recovery and Security Training.
8. Data Recovery Capability
8-1 - Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements.
- Cobian Backup - A long time player in the data backup arena, Cobian has all the settings you could ever want...except full OS backup. It backs up data, and very well.
- Paragon Backup Free - A free full OS, disk, and data backup utility.
There are many, and it's a hot topic. So, I will point you to the 2015 Gartner Magic Quadrant for Backup / Recovery Software
8-2 - Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
This is more of a procedure than a tool.
8-3 - Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
This is more of a procedure than tool. Though, do consider if your storage where backups are stored does not offer disk encryption, many backup software vendors offer strong encryption at the cost of slower backups and higher CPU usage.
8-4 - Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations.
Again, more of a process than tool.
Security Skills Assessment and Appropriate Training to Fill Gaps
9-1 - Perform gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees.
- The tool you are looking for is called a Competency Assessment Map. You can find an example map here. In a nutshell, you list the required skills in the column on the right, and a subset of skills in the row next to the skill. These maps can become very large for IT personnel.
9-2 - Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps.
While there are multitudes of free training and paid for training online, I feel this type of training must be customized to meet individual business's employee's needs.
9-3 - Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise.
This is essential Social Engineering! Fun stuff.
- SET - Social Engineer Toolkit. Build, target, shoot.
9-5 - Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery.
Again, a little out of scope for this, as it falls on the business leaders to develop these tools.
Stayed tuned for more blogs in the series!
About the Author:
Rich Johnson is currently a Systems Security Administrator with 15 years of professional experience working in IT (more if you count the years programming in Basic on the Commodore 64 and repairing Nintendo consoles as a child). Rich has a bachelor degree in Information Technology, but feels his real knowledge has been gained through hands on experience, exploring security tools, and attending various security conventions. Rich currently resides in Utah and is probably learning some new interesting thing at this moment.