Principles of Incident Response and Disaster Recovery - PowerPoint PPT Presentation

Slides: 55
Provided by: polari
Transcript and Presenter's Notes

Title: Principles of Incident Response and Disaster Recovery

Principles of Incident Response and Disaster Recovery
  • Chapter 6
  • Contingency Strategies for Business Resumption

  • Know and understand the relationships between the
    overall use of contingency planning and the
    subordinate elements of incident response,
    business resumption, disaster recovery, and
    business continuity planning
  • Become familiar with the techniques used for data
    and application backup and recovery
  • Know the strategies employed for resumption of
    critical business processes at alternate and
    recovered sites

Introduction
  • Contingency planning addresses everything done by
    an organization to prepare for the unexpected
  • IR process focuses on detecting, evaluating, and
    reacting to an incident
  • Later phases focus on keeping the business
    functioning even if the physical plant is
    destroyed or unavailable
  • Business resumption (BR) plan takes over when
    the IR process cannot contain and resolve an

Introduction (continued)
  • Business resumption (BR) plan major elements:
      • Disaster recovery (DR) plan: lists and describes
        the efforts to resume normal operations at the
        primary places of business
      • Business continuity (BC) plan: contains steps for
        implementing critical business functions using
        alternative mechanisms until normal operations
        can be resumed at the primary site or elsewhere
  • Primary site: location(s) at which the
    organization executes its functions
  • BR plan operates concurrently with DR plan when
    damage is major or long-term

Introduction (continued)
  • Each component of CP (IRP, DRP, and BCP) comes
    into play at specific times in the life of an
  • 5 key procedural mechanisms for restoring
    critical information and facilitating
    continuation of operations:
      • Delayed protection
      • Real-time protection
      • Server recovery
      • Application recovery
      • Site recovery

Data and Application Resumption
  • Backup methods must be used according to an
    established policy:
      • How often to back up
      • How long to retain the backups
      • What must be backed up
  • Data files and critical system files should be
    backed up daily, with one copy on-site and one
    copy off-site
  • Nonessential files should be backed up weekly
  • Full backups: keep at least one copy in a secure
    location off-site

Disk-to-Disk-to-Tape Delayed Protection
  • Decreasing costs of storage media, especially
    hard drives and removable drives, preclude the
    time-consuming nature of tape backup
  • Storage area networks provide on-line backups
  • Lack of redundancy if both online and backup
    versions fail or are attacked dictates that tape
    backup is still required periodically
  • Disk-to-disk initial copies are efficient and can
    run simultaneously with other processes
  • Secondary disk-to-tape copies do not affect
    production processing

Disk-to-Disk-to-Tape Delayed Protection
  • Types of backups:
      • Full backup
      • Differential backup
      • Incremental backup
  • Full backup
      • Includes entire system, including applications,
        OS components, and data
      • Pro: provides a comprehensive snapshot
      • Con: requires large media; time consuming

Disk-to-Disk-to-Tape Delayed Protection
  • Differential backup
      • Includes all files that have changed or been
        added since the last full backup
      • Pro: faster and less storage space than full
        backup; only 1 backup file needed to restore from
        full backup
      • Con: gets larger each day and takes longer; one
        corrupt file loses everything
  • Incremental backup
      • Includes only files that were modified that day
      • Pro: requires less space and time than the
      • Con: multiple incremental backups are required to
        restore from the last full backup
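
The restore-time difference between differential and incremental backups, as an added example that is not part of the original presentation: a Python sketch that walks a backup catalog and returns the sets a restore needs. The `Backup` record, its `usable` flag, `BrokenChain` and the sample week are constructed for illustration.

```python
from dataclasses import dataclass

class BrokenChain(Exception):
    """Raised when a backup needed for the restore is missing or unreadable."""

@dataclass(frozen=True)
class Backup:
    day: int              # day number within the schedule
    kind: str             # "full", "differential" or "incremental"
    usable: bool = True   # False models lost or corrupt media

def restore_chain(catalog, target_day):
    """Return the backups, oldest first, needed to restore to target_day."""
    history = sorted((b for b in catalog if b.day <= target_day),
                     key=lambda b: b.day)
    chain, i = [], len(history) - 1
    while i >= 0:
        backup = history[i]
        chain.append(backup)
        if backup.kind == "full":
            break
        i -= 1
        # Assumption: a differential is based on the last full backup, an
        # incremental on the last full or incremental (differentials skipped).
        skip = ({"differential", "incremental"} if backup.kind == "differential"
                else {"differential"})
        while i >= 0 and history[i].kind in skip:
            i -= 1
    else:
        raise BrokenChain(f"no full backup on or before day {target_day}")
    bad = [b.day for b in chain if not b.usable]
    if bad:
        raise BrokenChain(f"unusable media for day(s) {sorted(bad)}")
    return chain[::-1]

# Constructed sample week: full backup on day 0, daily backups on days 1-4,
# with the day-2 media unreadable in both schedules.
WEEK_DIFF = [Backup(0, "full")] + [
    Backup(d, "differential", usable=(d != 2)) for d in range(1, 5)]
WEEK_INCR = [Backup(0, "full")] + [
    Backup(d, "incremental", usable=(d != 2)) for d in range(1, 5)]

if __name__ == "__main__":
    print([b.day for b in restore_chain(WEEK_DIFF, 4)])   # full + one differential
    try:
        restore_chain(WEEK_INCR, 4)
    except BrokenChain as exc:
        print("incremental restore failed:", exc)
```

With the same unreadable day-2 media, the differential schedule still restores day 4 from two sets, while the incremental schedule can only be restored up to day 1.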

Disk-to-Disk-to-Tape Delayed Protection
  • Fastest backup method: incremental backups
  • Fastest recovery time: differential backups
  • All on-site and off-site storage must be secured
    and must have a controlled environment
    (temperature and humidity)
  • Media should be clearly labeled and
  • Tape media types:
      • Digital audio tape (DAT)
      • Quarter-inch cartridge (QIC)
      • 8 mm tape
      • Digital linear tape (DLT)

Disk-to-Disk-to-Tape Delayed Protection
  • Typical backup scheduling:
      • Daily on-site incremental or differential backup
      • Weekly off-site full backup
  • Tape media should be retired and replaced
  • Popular strategies for selecting the files to
    back up:
      • Six-tape rotation
      • Grandfather-Father-Son
      • Towers of Hanoi

Disk-to-Disk-to-Tape Delayed Protection
  • Six-tape rotation
      • Uses a rotation of six sets of media
      • Five media sets per week are used with one extra
        labeled Friday2
      • Friday full backup is taken off-site
      • Friday1 and Friday2 are rotated off-site every
      • Provides roughly 2 weeks of recovery capability
      • Variation: keep a copy of each off-site Friday
        tape on-site for faster recovery

Disk-to-Disk-to-Tape Delayed Protection
  • Grandfather-Father-Son (GFS)
      • Uses five media sets per week
      • Allows recovery for previous 3 weeks
      • First week uses first set, second week uses
        second set, third week uses third set
      • Following week starts with first set
      • Every 2nd or 3rd month, a group of media sets are
        taken out of the cycle for permanent storage and
        replaced with a new set

Disk-to-Disk-to-Tape Delayed Protection
  • Towers of Hanoi
      • More complex approach
      • Based on statistical principles to optimize media
      • 16-step strategy assumes that 5 media sets are
        used per week on a daily basis
      • First media set is used more often and must be
        monitored for wear
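
An added example, not from the original slides: the commonly used Towers of Hanoi rotation, in which the set written on backup day n is chosen by the number of trailing zero bits of n, gives a 16-step cycle for five media sets. The set labels A to E and the function names are assumptions; the slides do not spell out the schedule.

```python
from collections import Counter

def hanoi_set(day, n_sets=5):
    """Media set written on a 1-based backup day.

    The set index is the number of trailing zero bits of the day number,
    capped so the last set absorbs every higher level.
    """
    if day < 1 or n_sets < 2:
        raise ValueError("day must be >= 1 and n_sets >= 2")
    level = (day & -day).bit_length() - 1
    return chr(ord("A") + min(level, n_sets - 1))

def schedule(days, n_sets=5):
    """Set labels for backup days 1..days, in order."""
    return [hanoi_set(d, n_sets) for d in range(1, days + 1)]

def wear(days, n_sets=5):
    """How many times each set is overwritten in the first `days` days."""
    return Counter(schedule(days, n_sets))

def restore_point_ages(today, n_sets=5):
    """Age in days of the newest copy held on each set after today's backup."""
    last_written = {}
    for d in range(1, today + 1):
        last_written[hanoi_set(d, n_sets)] = d
    return {s: today - d for s, d in sorted(last_written.items())}

if __name__ == "__main__":
    print("".join(schedule(16)))       # one full 16-step cycle
    print(dict(wear(16)))              # set A takes half of all writes
    print(restore_point_ages(16))      # restore points spread over 1-8 days
```

The wear count makes the last bullet concrete: set A is overwritten on every other backup day, so it is the one to monitor and retire first.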

Redundancy-Based Backup and Recovery Using RAID
  • Redundant array of independent disks (RAID) uses
    online disk drives for redundancy
  • RAID spreads out data across multiple units, and
    offers recovery from hard drive failure
  • 9 established RAID configurations: RAID Level 0
    through 10
  • RAID Level 0 (disk striping without parity)
      • Not redundant
      • Spreads data across several drives in segments
        called stripes
      • Failure of one drive may make all data

Redundancy-Based Backup and Recovery Using RAID
  • RAID Level 1 (disk mirroring)
      • Uses twin drives in a system
      • All data written to one drive is written to the
        other simultaneously
      • Is expensive and is an inefficient use of disk
      • Vulnerable to a disk controller failure
      • Disk duplexing: mirroring with dual disk
  • RAID Level 2
      • Specialized form of disk striping with parity
        that is not widely used
      • Uses the Hamming code for parity
      • No commercial implementations of this

Redundancy-Based Backup and Recovery Using RAID
  • RAID Levels 3 and 4
      • RAID 3 uses byte-level striping while RAID 4 uses
        block-level striping
      • Parity information is stored on a separate drive
        and provides error recovery
  • RAID Level 5
      • Balances safety and redundancy against costs
      • Stripes data across multiple drives
      • Parity is interleaved with data segments on all
      • Hot-swappable drives can be replaced without
        shutting down the system

Redundancy-Based Backup and Recovery Using RAID
  • RAID Level 6
      • Combination of RAID 1 and RAID 5
      • Performs two different parity computations or the
        same computation on overlapping subsets of data
  • RAID Level 7
      • Proprietary variation on RAID 5 in which the
        array works as a single virtual drive
      • May be implemented via software running on RAID 5
  • RAID Level 10
      • Combination of RAID 1 and RAID 0

Database Backups
  • Databases require special considerations when
    planning backup and recovery procedures:
      • Are special utilities required to perform
        database backups?
      • Can the database be backed up without
        interrupting its use?
      • Are there additional journal files or database
        system files that are required in order to use
        backup tapes or disk images?

Application Backups
  • Some applications use file systems and databases
    in unusual ways
  • Members of the application development and
    support teams should be involved in the planning

Backup and Recovery Plans
  • The backup and recovery setting should be
    provided with complete recovery plans
  • Plans need to be developed, tested, and rehearsed
  • Plans should include information about:
      • How and when backups are created and verified
      • Who is responsible for backup creation and
      • Storage and retention of backup media
      • Review cycle of the plan
      • Rehearsal of the plan

Real-Time Protection, Server Recovery, and
Application Recovery
  • Entire servers can be mirrored to provide
    real-time protection and recovery in a strategy
    of hot, warm, and cold servers
      • Hot server: the server in production
      • Warm server: backup server that is running and
        may handle overflow work from hot server
      • Cold server: offline, test server
  • If hot server goes down, warm and cold servers
    are promoted while the hot server is being
  • Bare metal recovery: technologies designed to
    replace operating systems and services when they

Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Application recovery (or clustering plus
      • Applications are installed on multiple servers
      • If one fails, the secondary systems take over the
  • Electronic vaulting
      • Bulk transfer of data in batches to an off-site
      • Receiving server archives the data
      • Can be more expensive than tape backup and slower
        than data mirroring
      • Data must be encrypted for transfer over public

Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Remote journaling (RJ)
      • Transfer of live transactions to an off-site
      • Only transactions are transferred in near
        real-time to a remote location
      • Facilitates the recovery of key transactions in
        near real-time

Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Database shadowing (or databank shadowing)
      • Storage of duplicate online transaction data and
        duplication of databases at a remote site on a
        redundant server
      • Both databases are updated, but only the primary
        responds to the user
      • Combines electronic vaulting with remote
      • Used when immediate data recovery is a priority
      • Also used for data warehousing, data mining,
        batch reporting, complex SQL queries, local
        access at the shadow site, and load balancing

Real-Time Protection, Server Recovery, and
Application Recovery (continued)
  • Network-attached storage (NAS)
      • Usually a single device or server attached to a
        network to provide online storage
      • Not well suited for real-time applications due to
  • Storage area networks (SANs)
      • Online storage devices connected by fiber-channel
        direct connections between the servers and the
        additional storage

Site Resumption Strategies
  • If the primary business site is not available,
    alternative processing capability may be needed
  • CPMT can choose from several strategies for
    business resumption planning
  • Exclusive control options
      • Hot sites
      • Warm sites
      • Cold sites
  • Shared-use options
      • Timeshare
      • Service bureaus
      • Mutual agreements

Exclusive Site Resumption Strategies
  • Hot site
      • Fully configured computer facility
      • Duplicates computing resources, peripherals,
        phone systems, applications, and workstations
      • Can be 24/7 if desired
      • Can be a mirrored site that is identical to the
        primary site

Exclusive Site Resumption Strategies (continued)
  • Warm site
      • Provides some of the same services and options as
        a hot site
      • May include computing equipment and peripherals
        but not workstations
      • Has access to data backups or off-site storage
      • Lower cost than a hot site, but takes more time
        to be fully functional

Exclusive Site Resumption Strategies (continued)
  • Cold site
      • Provides only rudimentary services and facilities
      • No computer hardware or software are provided
      • Communications services must be installed when
        the site is occupied
      • Often no quick recovery or data duplication
        functions on site
      • Primary advantage is cost

Exclusive Site Resumption Strategies (continued)
  • Other options
      • Rolling mobile site configured in the payload
        area of a tractor-trailer
      • Rental storage area with duplicate or second
        generation equipment
      • Mobile temporary offices

Shared Site Resumption Strategies
  • Timeshare
      • Leased site shared with other organizations
      • Possibility that more than one organization might
        need the facility simultaneously
  • Service bureaus
      • Service agency that provides physical facilities
        in the event of a disaster
      • May provide off-site data storage

Shared Site Resumption Strategies (continued)
  • Mutual agreement
      • Contract between two organizations to provide
        mutual assistance in the event of a disaster
      • Each organization is obligated to provide
        facilities, resources, and services to the other
      • Good for divisions of the same parent company,
        between business partners, or when both parties
        have similar capabilities and capacities
      • A memorandum of agreement (MOA) should be drawn
        up with specific details

Service Agreements
  • Service agreement
      • A contractual document guaranteeing certain
        minimum levels of service provided by a vendor
  • Service agreement should specify:
      • The parties in the agreement
      • Services to be provided by the vendor
      • Fees and payments for those services
      • Statements of indemnification
      • Nondisclosure agreements and intellectual
        property assurances
      • Noncompetitive agreements

Summary
  • Contingency planning includes everything done to
    prepare for the unexpected and recover from it
  • BR plan includes the DR plan for resuming
    operations at the primary site and the BC plan
    for moving to an alternate site if needed
  • 5 procedural mechanisms for restoration of
    critical data: delayed protection, real-time
    protection, server recovery, application
    recovery, and site recovery
  • Backup plan is essential
  • Retention period for backups must be specified

Summary (continued)
  • 3 types of backups: full, differential, and
  • RAID systems provide online disk drives for
  • Databases require special considerations for
    backup and recovery planning
  • Mirroring and duplication of server data storage
    provide real-time protection
  • Electronic vaulting, remote journaling, and
    database shadowing store data at remote locations

Summary (continued)
  • Business resumption strategies include hot sites,
    warm sites, cold sites, timeshare, service
    bureaus, and mutual agreements
  • Service agreements guarantee certain minimum
    levels of service by the vendor