CCT 076: Risk Indicators, Backup Verification Data for DR and BC Operations (CISSP Domain 6.3)

Oct 02, 2023
 

Are you armed with the knowledge to interpret the health of an organization's operations? Can you differentiate between key performance indicators (KPIs), operational performance indicators (OPIs), and key risk indicators (KRIs)? This episode of CISSP Cyber Training Podcast is your key to unlocking these concepts. We dissect the purpose and applications of these metrics, laying bare their role in assessing operational efficiency and effectiveness. Additionally, we emphasize the importance of a robust mobile device management strategy in protecting against the ever-evolving cyber threats.

Have you ever considered the vital role of the 3-2-1-1 backup strategy in data protection? This episode unravels this strategy, highlighting the need for three separate copies of data, stored on two different media, with one stored offsite. We explore the concept of an air-gapped or offline storage copy, and discuss the best practices for monitoring and auditing backup procedures.

Finally, we wander into the territory of backup and recovery training best practices. We explain why regularly scheduled backups, verification tasks, audit trails, role-based access control, and isolated environments for testing are all crucial. We touch on the significance of multi-location storage, policy review and updates, and training for IT staff. Wrapping up the tour, we briefly overview Disaster Recovery and Business Continuity standards and programs. Join us to stay informed and ahead of emerging threats with our educational and practical guide for cybersecurity professionals. This is your chance to dive into the world of cybersecurity with us. Let's get started!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Content

 

Performance and Risk Indicators

Definitions

  • Performance Indicators (PIs)
    • Metrics that measure the effectiveness and efficiency of an organization’s operations, usually aligned with objectives and goals.
  • Risk Indicators (RIs)
    • Metrics used to quantify the level of risks associated with specific processes, systems, or activities within an organization.

 

Nature and Purpose

  • Performance Indicators
    • Purpose: To gauge performance and drive improvements.
    • Nature: Generally positive, measuring success or progress towards goals.
  • Risk Indicators
    • Purpose: To identify, monitor, and manage potential threats.
    • Nature: Generally cautionary, pointing out vulnerabilities and exposures.

 

Categories and Types

  • Performance Indicators
    • Key Performance Indicators (KPIs): Critical to achieving organizational goals.
    • Operational Performance Indicators (OPIs): Measure day-to-day operations.
  • Risk Indicators
    • Key Risk Indicators (KRIs): Critical for assessing risks that can impact organizational objectives.
    • Operational Risk Indicators (ORIs): Assess risks in day-to-day operations.

 

Time Frame

  • Performance Indicators
    • Usually focused on present performance and short-term objectives.
  • Risk Indicators
    • Often consider both present conditions and future risk scenarios.

 

Units of Measurement

  • Performance Indicators
    • Revenue growth, customer satisfaction, operational efficiency, etc.
  • Risk Indicators
    • Frequency of security incidents, levels of non-compliance, vulnerability counts, etc.

 

Relationship with Strategy

  • Performance Indicators
    • Closely tied to organizational strategy and goals.
  • Risk Indicators
    • More closely aligned with organizational risk management and governance frameworks.

 

Examples in Cybersecurity Context

  • Performance Indicators
    • Percentage of resolved security incidents.
    • Time taken to detect and respond to threats.
  • Risk Indicators
    • Number of unpatched vulnerabilities.
    • Frequency of failed login attempts over a set period.
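The cybersecurity examples above can be computed from data a SOC already has. The following is an added example (not code from the podcast) that derives the two performance indicators and the two risk indicators from constructed incident records, a constructed vulnerability inventory, and constructed auth log lines; the record layout and the "timestamp result user" log format are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the podcast): incident records with
# when the malicious activity began, when the SOC detected it, and when
# it was resolved (None = still open).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-09-01T08:00", "detected": "2023-09-01T08:05", "resolved": "2023-09-01T08:35"},
    {"id": "INC-2", "occurred": "2023-09-02T13:00", "detected": "2023-09-02T13:10", "resolved": "2023-09-02T14:10"},
    {"id": "INC-3", "occurred": "2023-09-03T09:00", "detected": "2023-09-03T09:15", "resolved": None},
    {"id": "INC-4", "occurred": "2023-09-04T22:00", "detected": "2023-09-04T22:02", "resolved": "2023-09-04T22:17"},
]

# Constructed vulnerability inventory with placeholder CVE ids; the KRI is the
# count of (host, CVE) pairs that are still unpatched.
VULNS = [
    {"host": "web-01", "cve": "CVE-PLACEHOLDER-1", "patched": True},
    {"host": "web-02", "cve": "CVE-PLACEHOLDER-1", "patched": False},
    {"host": "db-01", "cve": "CVE-PLACEHOLDER-2", "patched": False},
]

# Constructed auth log in an assumed "timestamp result user" format.
AUTH_LOG = """\
2023-09-05T10:00:01 FAIL alice
2023-09-05T10:00:07 FAIL alice
2023-09-05T10:00:12 FAIL alice
2023-09-05T10:03:40 OK bob
2023-09-05T11:30:00 FAIL carol
2023-09-05T11:30:05 FAIL carol
2023-09-05T11:30:09 FAIL carol
2023-09-05T11:30:14 FAIL carol
"""


def _ts(s):
    return datetime.fromisoformat(s)


def kpi_resolved_pct(incidents):
    """KPI: percentage of security incidents that have been resolved."""
    resolved = sum(1 for i in incidents if i["resolved"] is not None)
    return 100.0 * resolved / len(incidents)


def kpi_mean_minutes(incidents, start_key, end_key):
    """KPI: mean minutes between two incident timestamps.
    ("occurred" -> "detected") gives time to detect,
    ("detected" -> "resolved") gives time to respond.
    Incidents without the end timestamp (still open) are skipped."""
    deltas = [(_ts(i[end_key]) - _ts(i[start_key])).total_seconds() / 60
              for i in incidents if i[end_key] is not None]
    return sum(deltas) / len(deltas)


def kri_unpatched(vulns):
    """KRI: number of unpatched vulnerabilities across the estate."""
    return sum(1 for v in vulns if not v["patched"])


def kri_failed_logins(log_text, window_minutes, threshold):
    """KRI: users with at least `threshold` failed logins inside any
    `window_minutes` span. Returns {user: largest burst seen}."""
    fails = {}
    for line in log_text.splitlines():
        ts, result, user = line.split()
        if result == "FAIL":
            fails.setdefault(user, []).append(_ts(ts))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in fails.items():
        times.sort()
        # Sliding window: from each failure, count failures within the window.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[user] = max(flagged.get(user, 0), j - i)
    return flagged


if __name__ == "__main__":
    print("resolved %:", kpi_resolved_pct(INCIDENTS))
    print("MTTD min:", kpi_mean_minutes(INCIDENTS, "occurred", "detected"))
    print("MTTR min:", kpi_mean_minutes(INCIDENTS, "detected", "resolved"))
    print("unpatched:", kri_unpatched(VULNS))
    print("failed-login bursts:", kri_failed_logins(AUTH_LOG, 5, 3))
```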

 

 

3-2-1-1 Method

 

  • The 3-2-1-1 backup strategy is an extension of the traditional 3-2-1 backup rule, designed to provide an extra layer of security for data backup and recovery.

 

Components of the 3-2-1-1 Backup Strategy

  • Three (3) Copies of Data
    • Keep at least three distinct copies of your data: one primary copy (the original data), and two backup copies.
  • Two (2) Different Media
    • Store these copies on at least two different types of media, such as hard drives and optical disks, to mitigate risks associated with media failure.
  • One (1) Offsite Storage
    • Keep at least one backup copy in a geographically separate location from your primary data. This could be in a remote data center or cloud storage.
  • One (1) Air-Gapped or Offline Copy
    • Maintain at least one copy that is completely disconnected from your network (air-gapped) or in offline storage, offering protection against ransomware and network-based attacks.

 

Importance of the 3-2-1-1 Method

  • This strategy adds an additional layer of protection against increasingly sophisticated cyber threats, including ransomware, which may compromise connected backup solutions.

 

Practical Implementation Steps

  • Data Classification and Backup Prioritization
    • Classify data based on its importance to business operations and decide what needs to be backed up first.
  • Media Selection
    • Choose appropriate storage media for backup copies considering factors such as cost, capacity, and durability.
  • Offsite Storage Arrangements
    • Decide on the offsite storage location, taking into consideration latency, cost, and accessibility.
  • Air-Gapped Setup
    • Use an offline backup medium such as a tape that can be physically disconnected from the network or a disconnected hard drive.
  • Automated Backup Software
    • Utilize automated backup software that can manage backup tasks and schedules.
  • Periodic Verification
    • Regularly verify the integrity of backup copies and test the recovery processes.
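As an added example (not code from the podcast), the following check evaluates a backup inventory against the four components listed above, so the "Periodic Verification" step can include a policy check and not only a data check. The `BackupCopy` fields and the site/media labels are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # media type, e.g. "disk", "tape", "object-storage"
    site: str         # where the copy lives (building or cloud region)
    is_primary: bool  # True only for the live production copy
    online: bool      # False when the copy is air-gapped / physically disconnected


def check_3211(copies, primary_site):
    """Evaluate a set of copies against the four parts of 3-2-1-1.
    Returns {rule: (passed, detail)} in rule order."""
    results = {}
    # 3: at least three distinct copies, one primary plus two backups.
    primaries = [c for c in copies if c.is_primary]
    backups = [c for c in copies if not c.is_primary]
    results["3_copies"] = (len(primaries) >= 1 and len(backups) >= 2,
                           f"{len(primaries)} primary, {len(backups)} backup copies")
    # 2: copies spread over at least two different media types.
    media = {c.media for c in copies}
    results["2_media"] = (len(media) >= 2, f"media in use: {sorted(media)}")
    # 1: at least one backup kept away from the primary site.
    offsite = [c.name for c in backups if c.site != primary_site]
    results["1_offsite"] = (len(offsite) >= 1, f"offsite backups: {offsite}")
    # 1: at least one backup that is offline / air-gapped.
    offline = [c.name for c in backups if not c.online]
    results["1_offline"] = (len(offline) >= 1, f"offline backups: {offline}")
    return results


def failing_rules(copies, primary_site):
    """Names of the 3-2-1-1 rules the inventory does not satisfy."""
    return [rule for rule, (ok, _) in check_3211(copies, primary_site).items() if not ok]


# Constructed inventory: only one backup, same media, same building.
SINGLE_BACKUP = [
    BackupCopy("prod-san", "disk", "hq", is_primary=True, online=True),
    BackupCopy("nightly-nas", "disk", "hq", is_primary=False, online=True),
]

# Constructed inventory: a common state, every copy is online and reachable
# from the network, so a ransomware operator who reaches the backups can
# encrypt them too.
WEAK_INVENTORY = SINGLE_BACKUP + [
    BackupCopy("cloud-replica", "object-storage", "cloud-eu", is_primary=False, online=True),
]

# Corrected inventory: a tape rotated to an offsite vault and left disconnected.
STRONG_INVENTORY = WEAK_INVENTORY + [
    BackupCopy("monthly-tape", "tape", "vault", is_primary=False, online=False),
]


if __name__ == "__main__":
    for label, inv in [("single", SINGLE_BACKUP), ("weak", WEAK_INVENTORY), ("strong", STRONG_INVENTORY)]:
        print(label, "fails:", failing_rules(inv, "hq"))
        for rule, (ok, detail) in check_3211(inv, "hq").items():
            print("  ", rule, "PASS" if ok else "FAIL", "-", detail)
```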

 

Best Practices

  • Regular Audits
    • Periodically review and audit backup procedures to ensure they are in line with current business needs and potential threats.
  • Monitoring and Alerts
    • Implement automated monitoring and alerting systems to notify of backup and recovery issues in real-time.
  • Documentation
    • Thoroughly document backup and recovery procedures, including the 3-2-1-1 method details, to ensure everyone in the organization is aligned.
  • Training
    • Train IT staff and stakeholders on the importance of the 3-2-1-1 backup strategy and how to implement it effectively.
  • Compliance Check
    • Ensure that the 3-2-1-1 backup strategy complies with industry regulations and standards relevant to your organization.

 

Backup Verification Methods

  • Checksums and Hashing
    • Calculate a checksum or hash value for the original data and compare it with the backed-up data.
    • Useful for ensuring data integrity but not for verifying system configurations.
  • Test Restores
    • Perform actual data restore operations in a controlled environment.
    • Validates both data integrity and the effectiveness of restore procedures.
  • Automated Verification
    • Use automated tools that periodically check the validity of backups.
    • These tools can send alerts for any inconsistencies.
  • Timestamps and Log Files
    • Use timestamps and logs to track backup status.
    • This aids in understanding what was backed up and when, but it doesn’t guarantee that the data can be successfully restored.
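The checksum and timestamp methods above can be scripted. The following added example (not code from the podcast) builds a SHA-256 manifest of a source tree, verifies a backup copy against it, reporting mismatched, missing and extra files, and checks a backup log for a recent successful run. The source tree, the corrupted copy and the log line format are all constructed for the example.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest, backup_root):
    """Compare a backup tree against the manifest taken from the source.
    A matching size is not enough: a single changed byte flips the hash."""
    backup_root = Path(backup_root)
    report = {"ok": [], "mismatched": [], "missing": [], "extra": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    present = {str(p.relative_to(backup_root))
               for p in backup_root.rglob("*") if p.is_file()}
    report["extra"] = sorted(present - set(manifest))
    return report


# Constructed backup log; the "timestamp backup job=... status=..." layout is assumed.
BACKUP_LOG = [
    "2023-09-29T02:00:05 backup job=nightly status=SUCCESS",
    "2023-09-30T02:00:09 backup job=nightly status=FAILED err=disk_full",
]


def backup_is_fresh(log_lines, now_iso, max_age_hours):
    """Timestamp/log check: the newest SUCCESS entry must be recent.
    This proves a job ran, not that the data it wrote can be restored."""
    now = datetime.fromisoformat(now_iso)
    last_ok = None
    for line in log_lines:
        ts, _, rest = line.partition(" ")
        if "status=SUCCESS" in rest:
            t = datetime.fromisoformat(ts)
            if last_ok is None or t > last_ok:
                last_ok = t
    return last_ok is not None and now - last_ok <= timedelta(hours=max_age_hours)


def demo():
    """Create a constructed source tree, copy it, silently corrupt one file
    in the copy (same length, one changed word) and verify the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "backup")
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        manifest = build_manifest(src)
        for rel in manifest:  # simulate the backup job copying every file
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            (dst / rel).write_bytes((src / rel).read_bytes())
        (dst / "config.ini").write_bytes(b"[app]\nmode=PROD\n")  # bit rot / tampering
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    print(demo())
    print("fresh on 2023-09-30 09:00?", backup_is_fresh(BACKUP_LOG, "2023-09-30T09:00", 24))
```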

 

Best Practices

  • Regular Scheduling
    • Conduct backup verification tasks as per a pre-determined schedule, ideally after every backup cycle.
  • Audit Trails
    • Maintain a detailed log of all backup and verification activities for auditing and troubleshooting.
  • Isolated Environment Testing
    • Conduct verification tests in an isolated environment that mimics the production setting to avoid affecting operational data.
  • Role-Based Access Control
    • Limit access to backup and verification systems to authorized personnel only, based on the principle of least privilege.
  • Multi-Location Storage
    • Store verification data in multiple locations, preferably off-site, to protect against localized disasters.
  • Automated Alerts and Monitoring
    • Implement systems that automatically alert administrators about backup failures or discrepancies during verification.
  • Review and Update Policies
    • Periodically review backup and verification policies to adapt to changes in organizational needs and technology.
  • Compliance Considerations
    • Make sure that backup verification methods comply with industry regulations and standards, such as GDPR for personal data, HIPAA for healthcare data, and so on.
  • DR/BC Integration
    • Integrate backup verification tasks as key elements in your overall Disaster Recovery and Business Continuity plans.
  • Training and Awareness
    • Train IT staff and relevant stakeholders on backup verification processes and importance to ensure a culture of proactive data protection.

 

DR and BC Programs (Disaster Recovery and Business Continuity)

Objective and Focus

  • Disaster Recovery (DR) Training
    • Objective: To prepare teams for restoring critical IT systems and data post-disaster.
    • Focus: Technical aspects, such as system restoration, data recovery, and fallback procedures.
  • Business Continuity (BC) Training
    • Objective: To prepare the organization to continue essential business functions during and after a disaster.
    • Focus: Broader organizational processes including staff roles, communication, and critical business operations.

 

Key Points

  • Disaster Recovery Training
    • Procedures for system backups.
    • Hands-on simulations for data and system recovery.
    • Guidelines for setting up alternative technical infrastructures.
  • Business Continuity Training
    • Business impact analysis methods.
    • Crisis communication protocols.
    • Procedures for re-establishing critical business functions.

 

Duration and Frequency

  • Disaster Recovery Training
    • May be more frequent, possibly occurring after every system update or change.
    • Often shorter, focused sessions aimed at specific procedures.
  • Business Continuity Training
    • Typically occurs less frequently, such as annually or bi-annually.
    • May involve longer training sessions that cover a broad range of topics.

 

Types of Exercises and Drills

  • Disaster Recovery Training
    • Technical drills, like system restore exercises and data recovery scenarios.
  • Business Continuity Training
    • Tabletop exercises involving different departments.
    • Full-scale business continuity exercises simulating real-world disruptions.

 

Metrics for Success

  • Disaster Recovery Training
    • Time to recover systems.
    • Accuracy of data restored.
  • Business Continuity Training
    • Time to resume critical business operations.
    • Effectiveness of communication among employees and stakeholders during simulations.

 

Compliance and Documentation

  • Disaster Recovery Training
    • Emphasis on meeting technical compliance requirements, such as GDPR for data recovery.
  • Business Continuity Training
    • Focus on meeting organizational and possibly legal compliance related to the continuation of business services.

Transcript

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning. This is Sean Gerber with CISSP Cyber Training, and I hope you are doing well and you all are having a great day today. Today's Monday, and we are going to be going over risk indicators, backup verification data and disaster recovery and business continuity. This is part of domain 6.3 of the CISSP exam. The ultimate purpose of this training is to help you get ready to pass the CISSP exam the first time, and it's also designed to give you some expertise and some basically insight into how a CISO, or how management, should consider the thought process around these various cyber risks. But before we get started, I wanted to do a quick update based on the recording of this podcast. There are some risks out there as it relates to the iPods and iPads and Apple Watches and Macs and so forth (iPod, I don't think they even have those anymore), but bottom line is there's a critical vulnerability as it relates to the Apple products, and you're starting to see more and more of those. This is affecting the most recent versions of iOS and I'll tell you, as a manager that deals with these types of threats, it's something you're having to deal with on a daily basis. I mean, it's just absolutely crazy how much this is popping up and changing. So, if you have any relation to some of the security that's in your organization, I would highly recommend that you get your systems updated.
I'd also highly recommend that, if you do management of large numbers of devices, have some sort of what we call a mobile device management solution (MDM), and I would have all of your devices set up in this MDM so that you can push out updates very quickly and efficiently. Otherwise, making people just do the updates on their own, yeah, they won't happen, because I've tried that and I've seen situations where people had iPhones or any sort of device that haven't been updated in four years. So make sure you have a mobile device management strategy for your business so that you can update your devices quickly and efficiently. Okay, so we're going to get into risk indicators, backup verification data and disaster recovery and the BC plans. So we're going to quickly get into this and you will see that it's got a lot of information in today's podcast. So we're going to talk about performance and risk indicators as something you'll see on the CISSP exam and you will hear them talk about. If you have not been familiarized with KPIs, RIs and the various likes that go with it (I should say KRIs), you're potentially going to get asked about some of these types of questions, and so you're going to have to understand where are they coming from? Why are they asking KPIs and KRIs? So what is a performance indicator? A performance indicator is a metric that measures the effectiveness and efficiency of an organization's operations. It's typically obviously aligned to what the company wants to do and their goals and desires, but those are what you would typically track from a metric standpoint. What are their performance goals? Then you have what we call risk indicators. Now, these are metrics used to quantify the level of risks associated with the processes, systems or activities within the organization. So you have KPIs and then you have KRIs.
They're very different, but they both work hand in hand for an organization and you will need to understand the differences between the two. So a performance indicator it does. It gauges performance on how the company's doing and it helps you drive improvements. I've used this in various situations. When you're trying to manage a project, you'll have KPIs that are performance indicators, that like milestones that will set up to help you gauge how you're doing. But I'll also talk about, when you're talking, risk indicators. These are identified to manage the potential threats that may be associated with what you're trying to accomplish. So let's say, for example, you are operating in I don't know, let's say Malaysia, and then you understand that, based on what your business is, you have a certain level of risk based on what you've seen. So those would be a KRI. They're usually cautionary and they point out vulnerabilities or exposures. So one what could be a geographical to it could be that you're working with really old systems that are severely haven't been patched, ie Apple devices. You could have many different ways that will help you indicate your overall risk, that you are within that area of influence. Again, it could be location, could be vulnerabilities of systems, could be pretty much anything, but you want to try to come across and express what are the risks associated within that ecosystem. Now there's various different categories and types. You have performance in the performance indicators of KPIs. They are critical to achieving your organization. So if you have very specific KPIs that are called out, those would be measuring what you need to achieve, like the vision, like where you're trying to go, type of thing that's very important for your company. Then there's OPIs, which is your operational performance indicators. This is your day to day operations. So you have KPIs, which is what you're achieving for your organizational goals. 
You have OPIs, which is your day to day operation aspects, and OPIs will feed into your KPIs. So, again, as you do these daily tasks, these step by step by step, that will feed into your overall KPI goals that you're trying to accomplish. Now we get into the RIs, so the KRIs. Those are critical for assessing the overall risk that impact your company's organizational objectives. So we've got KPIs, which is your organizational goals. We have KRIs, which is your organizational risk goals, and then you have ORIs. I've just thrown alphabet soup of acronyms at you, but ORIs, they assess the day to day operations of the risks that are affecting you. So you break it down real easy. So you get your KPIs and then you have your OPIs. So K and O. K is your vision, o is your operational, day to day, your KRIs. That's your vision. Your ORIs is your day to day. Those are the things that you want to do. So, let's say, for an ORI, example would be you have a large set of devices that need to be updated. Well, that large set of devices that need to be updated, your plan is that I'm going to knock out five a day or five a week. That would be your ORI. That would be your goal, your day to day or weekly operations that are moving you towards your KRIs. So that's, I hope that makes sense. It's just. It's basically designed a lot of words, but it's mainly designed to help move you from step A to step B, to step C, and then your overall goal is A through Z. That is your goal. Now, these are usually done. Usually, when you're coming down to your performance objectives your performance indicators those are done in short term objectives. Your risk indicators indicators, both are present conditions and your future risk. Okay, so what is the timeframe to get all this done? When you're dealing with KPIs your performance indicators these are usually focused on the present performance and your short term objectives right? That's your overall vision of where you want to go. 
Your risk indicators are based on both the present conditions of risk and your future risk scenarios, what could be affecting you in the future. So those are the two timeframes that you have set up, and the ultimate goal of this is to make sure that you have a level of understanding of how you're going to manage each one of these from a performance standpoint and from a risk standpoint. But always keep in mind that your performance indicators are tightly connected and aligned with your organizational strategy and your overall goals, where the risk indicators are more aligned with your organization's risk management and the governance frameworks. So performance indicators are tied to your strategy. Risk indicators are tied to your risk management and governance frameworks. So let me give you just a couple of quick examples around PIs and RIs. So one of the PIs is percentage of resolved security incidents. So let's say I had a SOC. When I led the SOC, we would have a number of security incidents that would come into the SOC, and then how fast we resolve those would be what we call a performance indicator. That would be how fast do we deal with it, how fast do we triage it, how fast do we put it to bed and shut it down. Now, another one of those could be time taken to detect and respond. One example would be if you know that it takes you five minutes to detect it and then another 30 minutes to respond to it, that would be a potential KPI. Now, the other thing what we would do is then you would go all right, I need to get my KPIs lower, how can I get those lower?
And it would force you to think outside the box, and you would go well, if I created a program, a training program, that would teach my employees how to report these incidents to me, that would be a way to potentially treat each person as a sensor and therefore it would allow them to help me report and find issues that maybe I'm missing, so that you use those KPIs to help move you in that direction. Risk indicators would be a number of unpatched vulnerabilities that maybe you have, or the frequency of failed login attempts over a period of time. Those would be examples of risk indicators, and then that's what you would report up to your senior leaders on how you're actually doing. Okay, so now we're going to get into, as it relates to backup and recoveries, we're going to get into the 3-2-1-1 method. Now, you probably have heard some things around this 3-2-1-1 method, but what it really is, you've probably heard more about the 3-2-1 method versus the 3-2-1-1. But bottom line is it's designed to help provide you an extra layer of protection, so it's an enhancement onto the 3-2-1. Now, what does the 3-2-1-1 mean? Well, the 3-2-1 is you have three copies of data in two different storage media and then you have at least one of those copies offsite. Okay, so that's the 3-2-1. The additional one is adding an air-gapped or offline copy. This could be a backup, you know, hard drive backup, which is, I know, old school. It could also be you have something in Glacier that is set up in a way that you can't just go ahead and gain access to it. So there might be other ways that you can deal with it, but bottom line is it's completely air-gapped from your overall network. So let's go into the three copies of data. Now you need to have at least three distinct copies of data set up for the 3-2-1-1 method: one primary copy, which is your original data, and then two backup copies specifically.
So it's instead of having the one backup that everybody says, well, I've got a backup. Well, yeah, you've got one backup. So you're more or less doing the 111 method, but the one backup. You could have it situation where it's corrupted. I've had this happen many times over my years in security you go to the backup and guess what. It's corrupted, and so therefore, your one and only backup is of no use to you. So, therefore, it's important that you have at least two more backup copies available to you, two different media, that's the two of the 3211 method. These are storage. Copies are done in at least two different types of media hard drives, optical disks, network storage, you name it. The ultimate goal, though, is that you have them set up at least in two different types of media storage, because, again, one will fail, another one may not, and that's the ultimate goal is you're planning for enough redundancy that, in the event something does fail, you have a backup of the backup, one offsite storage. You need to at least keep one backup in a geographically separated location from your primary data. This could be remote data center or cloud storage as well. You need to have it at least in one spot out of the way Now. I've talked to many people before where they go. Well, you know what I just had. I don't need to do hard drive backups, because hard drive backups, they just they. They're hard to maintain, it's hard to store, they're hard to keep track of. And I would agree, in today's online world is very important that you understand that just because you have an online backup doesn't necessarily mean it's the right call. One situation may be where you have a lot of latency between one location and another and to get that data back one to upload it up there takes a long time, but then to download it and bring it back to you can take just as long a time. 
So therefore, you need to have another solution, another plan in place, or at least have your online backup as an additional resource to what you'd have on site. But again, the 3211 method it really is an important factor because of the fact that it's helping you increase against sophisticated cyber threats, which including ransomware and all the other aspects that are out there, as you saw with MGM and Caesars. That is critical and it is crucial. And the last part is the air gap you should have at least one copy that is completely disconnected from your network, air gap, offline storage, and the ultimate point is that if things go totally sideways, in case of emergency, break glass Now, does that mean that that one should be updated to the same frequency as everything else? It depends. It depends on how redundant do you want it to be. Now? Let's say, for example, that you have weekly backups of your data and then you have that builds on to another week and a week after week, after week. So let's just say, hypothetically, you have monthly, you have enough data that's in your backup environment for, let's say, 30 days or even 90 days, and you're going. You know, that's amazing, I've got that. But then let's say, your application is critical to your business to operate. But if something bad were to happen, if I lost all my data, I just have to have the application that runs and at least at a minimum it's got six months of data. So what you could do is you could have, once every six months, you could have that application put in an offline storage environment and then re-back it up once every six months. So you know that it's all of your three, two, one have to fail. But if they fail, you at least have something you can go back to. So that's the importance of the three, two, one, one method. Now some people may say I can't have that. I've got to have it backed up every single week. Now all I can lose is one week of data. 
Well, now you're going back to the old days where we used to have tapes and you'd take those tapes and you'd take them to a certain location. It's kind of going back that route in some respects. So it's important for you to understand what is your business strategy around protection of the data and ensuring that the data can be recovered in a timely and effective manner. So what are some best practices as it relates to the data and how do you deal with that? You want to periodically review and audit your backup procedures. You want to ensure that they're in line with what your current business needs and potential threats are. You want to make sure that that is taken care of. You also want to monitor and alert for these backups if they're not being done properly. I've seen it time and again where you just assume they're working where they're supposed to and then all of a sudden you go to get it. It doesn't work. Well, when you start pulling up some of these reports, you can see that maybe the backups haven't been working. Now, if you can see the backups have not been working, or maybe they're operating at 80% or 90%, that's terrible. For a backup, you need to have the effectiveness of being able to have these performance indicators working at 100% or 99.99%. You should be able to be having a backup and recovery solution in place. So it's important that you do put that in place and you have it ready to go. You also need to have really strong documentation around your procedures, including the 3211 method and where all the data places. That are all the storage locations your data is stored. You just got to have it and it's important that that documentation is there and available for everyone. You need to have training and train your IT staff and the stakeholders on the importance of the 3211 backup strategy and how you would implement it effectively. 
And then your compliance checks, and you do ensure the 3-2-1-1 backup strategy complies with all of the industry regulations that you may possibly have. I will tell you it does. You just have to make sure that yours will meet what the industry is saying. So again, audits, monitoring and learning, documentation, training for your people, and then compliance checks and insurance, basically coming back around and ensuring that what you have in place from an audit and a learning standpoint is exactly what you want for your company. So what are some of the backup verification methods? So you have checksums and hashing. Now, basically, what the checksum does is it calculates a checksum, or they call it in many cases a hash value, and it takes that cryptographic checksum or hash of that data and it compares it to what it should be when it's backed up. That is the checksum, or the hashing aspects of this. It's useful for data integrity, but not for verifying if the system is properly configured. So it just basically says the data that you have is good. Okay, from what you backed up, it is good. Now, that doesn't mean it's not corrupted. The data could be corrupted and the checksum would not determine that, but it would tell you that it has not been tampered with and it is good. The next one is test restores. You need to actually go out and restore these environments from a backup. I see it time and again that people will just assume the backup's there and they don't restore it, they just hope it's working like it's supposed to, but until you have to actually restore it, that is a different story. So it's important that you do have these restore options available to you. You also need to validate the data integrity and the effectiveness of your restore procedures. By doing that, you'll ensure that the documentation, such as we've mentioned before, is actually being followed and is actually useful.
If you don't actually bring it back, if you don't bring back the data from where it was at one point, you don't fully know if your backup recovery procedures will even work. So it's important that you create the documentation as well as test it. You can do some automated verifications that are out there and this will help check the validity of the backups. I would highly recommend that you do have some level of automated verification, just because you don't have time to do all of those, especially if you have a very large organization. These can help alert if there's any inconsistencies that you may find within your backup. Now, just because there's inconsistencies doesn't mean there's a hacker in your midst, but it does mean that you have to understand and go look at your backup strategies to ensure that they are correct. And then timestamps and log files. These timestamps are designed to help you know when the backup files were there, in what time they happened, how often they happen. This does not guarantee that the data can be successfully restored, but it will tell you that they were actually done when they were supposed to be done. So verification methods are checksums, test restores, automated verification and then timestamps and log files. That's what you'll do when you're looking to try to recover from your backups. Those are the key factors you need to consider. Okay, so what are some best practices as it relates to your backup and recovery solutions? One, obviously, regularly scheduling these backups. You want to ensure that you have them set up correctly and when you want them to be done. You also need to conduct verification tasks based on the schedule you may have. Now, this could be automated verification, like we talked about before, or this could be done manually, whichever you prefer. Again, like I said, an automated verification would be highly important.
I would also say, if you did the automated one, then you want to go back around and ensure, through manual testing, that at least at a minimum you have sampled some of those backups to ensure they're still working correctly. You need to have an audit trail. Now, this would include that you must have enough data for your audit. It means your log files need to be enough of them that you can actually go back and audit the data specifically and ensure that the backup had occurred as anticipated and if there were any issues. Like I mentioned before, I have written reports of my backups and I'll notice that there have been some very telling signs out of these backup reports saying that maybe the backup recovery solution wasn't working as planned. So it's important that you do understand that. Role-based access controls: you also want to limit access to backups and verification systems to authorized personnel only. You do not want just anybody to have access to your backups, because, one, if you allow someone to do it and it gets corrupted, then what ends up occurring is now you have a bigger problem than you had when you started. So you want to ensure that you do have some level of role-based access control environment. You also want to have an isolated environment specifically designed for testing. You really don't want to test your backups on your production network. You want to ensure that you have an environment specifically set aside for it. Automated alerting we talked about already. Multi-location storage, again, having them spread out through various locations. And you want to ensure, when you're doing all of this, that you go back and you review and update your overall policies for your company. This would include your backup and verification policies. Are they correct? One, are you following what your policy says? And then, two, are you actually, do you even have the policies in place? So it's really important that you do that. 
You want to also understand how it is from a DR and BC integration standpoint. So how do your backups work in the event that there's disaster recovery or you have some level of business continuity operations you have to go through? And then, lastly, you want to have some training and awareness designed for your IT staff to understand the backup, your backup policies, as well as what is their role in your backup and recovery strategy. Okay, in 6.3 we're briefly going to go over DR and business continuity standards and the programs associated. But when you get into section seven, there's a much larger area around disaster recovery and business continuity, and so we're just going to kind of briefly touch on those as it relates to those two programs, and then you can expect to see, if you go to CISSP Cyber Training, there's more of that data and information available to you there. So again, DR and BC programs. What are they? Well, DR is disaster recovery and BC is what we call business continuity. So what is disaster recovery? It is designed to prepare your teams, or to help you or whoever you're working with, to restore critical IT systems and the data after a disaster. Now, the disaster can be many, many things. It can be tornadoes, it can be floods, it can be hurricanes or tsunamis, it can be all those kinds of things. It can be fire, right, but it also is, in the case we're seeing more and more today, ransomware-type attacks, which are actually just like a disaster. The downside is that with a tornado, I live in Kansas, we used to have tornadoes. I don't have too many anymore, but a tornado will come through and it'll wipe out parts of the country, right, of this local area. But again, your odds are relatively high that you're not going to get totally destroyed by this tornado. They only hit a very small subset, so they don't come very often. 
So, as it relates to the insurance people, they think that, you know, they have actuarial tables that will tell them how often a tornado will roll through Kansas, and so they know they can base their insurance on that. Ransomware is happening so frequently that it doesn't really matter; the actuarial tables around insurance, they can't build those out because there are so many fluid variables to it. As it relates to a tornado, I have no way of stopping a tornado or even slowing it down. But I do have the ability to stop or mitigate or slow down a ransomware attack. So that's why the difference is. Now, when you're dealing with disaster recovery, you have to plan for all these various aspects. This would include system restoration, data recovery and your fallback procedures in the event something were to happen. Business continuity training is to prepare your organization to continue the essential business functions during and after the disaster. So during that entire process, but again, the key thing to take out of there is essential business functions. This is where you deal with a broader organizational process. This includes staff roles, communications, critical business operations. All of those aspects are considered under the business continuity training. So disaster is the key to the business function. So you're working on the business continuity training. So disaster is your IT systems, your data post-disaster, while it's actually even occurring, and then your business continuity is ensuring that essential business functions are operating. So disaster recovery is recovering, business continuity is maintaining. So when you're dealing with some key points around disaster recovery training, you want to have procedures for system backups. How do you restore them? And this kind of comes back to what we talked about before. 
You want to have the procedure so that you can bring them back to life in the event something bad were to happen. This would be hands-on simulations of the data and the recovery process. There would be guidelines, which we talked about in CISSP, where your guidelines are more or less like a checklist designed to help guide you through this process of setting up alternate technical infrastructures in the event something would have happened. In your business continuity training, business impact analysis should be occurring. So what would occur? How would your business be impacted in the event of a situation? And you'd go through a BIA process to understand what are the downsides of this happening. You'd have crisis communication protocols. Who do I contact? Do I use Teams? Do I use Zoom? What do I use to communicate with people? Do I send out emails? Do I use WeChat? All of those things will be thought of in the business continuity training, and then your procedures for reestablishing your critical business functions would be under business continuity training as well. When you're dealing with disaster recovery testing, you want to do this more frequently than you would actually anticipate. You probably should, and I would highly recommend that you do this level of DR training at least once a year. Now, depending on the size of your company, you may want to do just small parts of it at least once a year. If you can do it quarterly, that would be awesome, but at a minimum you should do it a minimum of once a year, and you may pick out certain systems that you are going to recover from a DR standpoint. As an example, let's just say you have your payroll system and it's in its own little application and it's a critical system for your business and it goes down. I will go through and test once a quarter. I'm gonna test the HR system, then I'm gonna test my document management system. 
All of those pieces I will test maybe once a quarter, but at a minimum you need to test at least one system, your most critical system, once a year, just to ensure that it is actually going to work the way you anticipate. Business continuity training is typically a little less frequent, annually or even bi-annually for your BC training, and it may involve a much larger group of people and therefore a larger swath of individuals. So by doing so, that could have a lot of opportunity costs for this person to be able to, or for the group to be able to, do business continuity training. What are the types of exercises and drills for your disaster recovery training? You'd have technical drills like system restore exercises. You could have data recovery strategies. The ultimate goal is you'd have one person that is helping guide each of these, and what is the plan to do so? Do I have a separated environment where they would bring these systems back up to ensure data integrity? Is that a profitable thing to do? Business continuity training: you'd have tabletop exercises involving different departments and you would walk through simulating a real-world exercise. So your disaster recovery focuses on the IT. Business continuity focuses on the process and the overall large organization. What are some of your metrics for success? Again, when you're dealing with disaster recovery, time to recover these systems is a key indicator of where you're at. So again, talking KPIs, the time to recover these systems would be something you would actually measure, and you'd want to ensure that you have that ability to do that. The accuracy of the data is another one. When we talk about RPO and RTO, your RPO is when you bring the data back. Is the data within a period that's acceptable to the business? You want to ensure that that data is brought back in a way that they are ready to be able to operate it and use it without the loss of a significant amount of data. 
Then, as it relates to business continuity training, time to resume critical business operations, effectiveness of the communication among the employees and the stakeholders during the simulations, and you want to ensure that this is done in a way that keeps the business going in an effective manner for them and that they're acceptable with. And then compliance and documentation. Disaster recovery training: you do need to have some level of emphasis on meeting technical compliance requirements, such as GDPR for data recovery, or there could be other types of regulations that are requiring you to recover this data in a certain period of time. Then, as it relates to business continuity training, you need to focus on meeting your organizational and potential legal requirements around bringing the data back up. You may have requirements based on some of your third parties that you have to bring this data up immediately or bring this information up immediately. It could be governmental situations. Say, a nuclear power plant: you will have to have this defined extremely tightly to ensure that you meet the requirements that they are calling out and as it relates to what the government needs. Okay, that's all I have for today. I hope you have a wonderful day. You can go to CISSP Cyber Training and check out all of this great stuff. I've got all the videos out there. I've got test questions, you name it. It's available for you at CISSP Cyber Training. Go check it out right now. All right, have a wonderful day and we'll catch you on the flip side. See you.
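As an added example (not from the podcast), the checksum and timestamp verification methods described above combined into one automated check: it compares each file in a backup copy against the hashes recorded when the backup ran and flags a copy whose age exceeds the RPO. File contents, the manifest and the timestamps are constructed for the demonstration, and the RPO window is an assumed 24 hours.

```python
"""Automated backup verification: checksum comparison plus backup-age (RPO) check.
Added example; file contents, manifest and timestamps below are constructed."""
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, taken_at_iso: str) -> dict:
    """What the backup job records at backup time: when it ran and a hash per file."""
    return {"taken_at": taken_at_iso,
            "files": {name: sha256_hex(content) for name, content in files.items()}}


def verify_backup(manifest: dict, files: dict, now_iso: str, rpo_hours: float) -> dict:
    """Compare recorded hashes against the backup copy and check the copy's age against the RPO.
    A hash match means the copy is unchanged since it was taken, not that the source was sound."""
    findings = {"mismatched": [], "missing": [], "stale": False}
    for name, expected in manifest["files"].items():
        if name not in files:
            findings["missing"].append(name)
        elif sha256_hex(files[name]) != expected:  # altered or corrupted after the backup ran
            findings["mismatched"].append(name)
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(manifest["taken_at"])
    findings["stale"] = age > timedelta(hours=rpo_hours)  # outside the acceptable data-loss window
    findings["ok"] = not (findings["mismatched"] or findings["missing"] or findings["stale"])
    return findings


# Constructed sample backup set and the manifest the nightly job would have written.
SAMPLE_FILES = {"db.sql": b"INSERT INTO users VALUES (1, 'alice');\n", "app.conf": b"port=8443\n"}
SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES, "2023-10-01T02:00:00")

if __name__ == "__main__":
    # Clean copy checked the same evening with a 24 h RPO: everything passes.
    print(verify_backup(SAMPLE_MANIFEST, SAMPLE_FILES, "2023-10-01T20:00:00", 24))
    # The same copy three days later: hashes still match, but it is outside the RPO.
    print(verify_backup(SAMPLE_MANIFEST, SAMPLE_FILES, "2023-10-04T02:00:00", 24))
    # A copy altered after the backup ran: the checksum catches it.
    altered = dict(SAMPLE_FILES, **{"db.sql": b"INSERT INTO users VALUES (1, 'mallory');\n"})
    print(verify_backup(SAMPLE_MANIFEST, altered, "2023-10-01T20:00:00", 24))
```

A passing result here only says the copy matches what was backed up and is recent enough; a test restore is still the only way to prove the copy can actually be brought back.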

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
