Thursday, December 6, 2012

Lessons From Sandy for IT, Managers and All of Us

For some, life will never be the same after Hurricane Sandy. Lives and loved ones have been lost. Homes have been lost. Businesses are still closed and some will never reopen.


Trust has been lost. Trust in the notion that life can be stable and predictable has been shattered for many. Trust in the institutions that we depend on but take for granted, like the power company, has been damaged.


More than 2 weeks after landfall, 5,000 homes in NJ and 80,000 on Long Island are still without power. There are tunnels and bridges still not open and mass transit still not on normal schedules. Commuters are still feeling the pain and businesses are still being disrupted. Rebuilding and repair have barely started.


However, we are far enough along on recovery that we can start to look back to find the lessons that must be learned to protect us the next time, God forbid, a disaster such as this befalls us again. These same lessons do not just apply to protecting our homes from natural disasters, but can be applied to protecting our businesses and technology infrastructure from both natural and man-made disasters.


It doesn't matter if your web site is down because power is out or you are the target of a Denial of Service attack. Down means you are out of business, unless you are prepared.


Complacency is our Enemy


The greatest enemy of preparedness is complacency.


Complacency is a hard tendency to fight because we are talking about worst case scenarios. Fortunately, they don't happen very often, and when they do they don't impact everyone equally. It is easy to think, consciously or not, that the warnings are from alarmists and that it won't happen to me!


Take Hurricane Irene, the last monster storm that hit this area just one year ago. Like Sandy, it was billed as potentially the worst storm in the history of the New York region. We were told that 100 mph winds could blow out the windows of New York skyscrapers and the Jersey shore could be completely underwater.


Well, it wasn't that bad. I was living near the shore at that time and evacuated to North Jersey. As it turned out I was in more danger from falling trees and downed power lines where I evacuated to than the water in my neighborhood.


I got through Irene fine, so I shouldn't be so concerned about Sandy.


One problem with that reasoning: Irene was still very bad and not everyone got through it fine.


My brother had to live without power and water for 9 days after Irene. His basement flooded. He had a sump pump, but what good is that if you don't have electricity to run it?


Start with Prevention


The best strategy does not focus entirely on recovery, but includes prevention. How can I prevent a hurricane? You can't, but you can secure your property in a variety of ways that prevent damage.


You can't prevent a hacker from attacking your network, but you can secure your network and computers in a variety of ways that prevent them from accomplishing their dirty work. As with a natural disaster, you should also set up multiple lines of defense, a so-called layered approach. If one line fails, the next line may still do the job.


Every point that connects your network to the internet or other networks requires a firewall and malware protection. If your software were perfect, that would be enough to protect all of the computers on your network.


Except, nothing is ever perfect in life. You need to have antivirus scanning and a personal firewall on every computer on your network. I prefer scanners that use a sandbox as an extra layer of protection. If there is any doubt about a program, they run it in an isolated system that allows you to use the program but still protect your computer.


Website operators can also use services provided by companies that scan web sites on a daily basis and identify threats and vulnerabilities.


You Need a Backup Plan


In the event that a disaster does occur, what is most important in both the natural world and the cyber world is that you are prepared with backups and redundancies. You can't predict exactly what will go wrong, but you know what your points of failure are.


Before the storm I made a point to back up all of my data files in case my home computer was damaged in some way. Backups need to be off site, at another location in a different region. If your computer is underwater it doesn't help if your backup is underwater too!


One of the greatest mistakes in backing up files is to keep backups for too limited a period. If you discover a virus on a system, it doesn't help if all your backups are also infected.


I also pulled out my old laptop and bought a car charger for it. If the power goes out, I could still keep working because I had a redundant system.


Companies need to do the same thing with their data centers and web sites. If you are down because of an attack, natural or man-made, you should be able to cut over to another system.


Urgency


We tend not to prepare for a natural disaster until it is looming before us. The stores were packed here yesterday with people stocking up on food, water, batteries and other supplies.


With cyber disasters you can't wait until the last minute because you never know when that will be. Almost every day there is a news story about a new cyber-attack or malware disaster.


For the man-made threats of cyber criminals you must constantly review your technology and processes to make sure you are protected. Antivirus and firewall products that are fine today may be inadequate tomorrow.


You should assume that you are the next target because you may well be!
