Config/Hygiene: Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that personnel understand current threats and risks, as well as their responsibilities in supporting the incident handling team.
Critical Control 19: Data Recovery Capability
How do attackers exploit the lack of this control?
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations to data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attacker's presence is discovered, organizations without a trustworthy data recovery capability can have extreme difficulty removing all aspects of the attacker's presence from the machine.
How can this control be implemented and its effectiveness measured?
QW: Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, make sure that the operating system, application software, and data on a machine are each included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or backed up using the same backup software. However, each must be backed up at least weekly.
Config/Hygiene: Ensure that backups are encrypted when they are stored locally, as well as when they are moved across the network.
Config/Hygiene: Backup media, such as hard drives and tapes, should be stored in physically secure, locked facilities.
Procedures and tools for implementing this control:
Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.
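The quarterly restore test described above, as an added Python example that is not part of the Critical Controls document: it archives an operating-system, application and data component together with a manifest of SHA-256 hashes, restores the archive into a scratch test bed, and reports whether every file came back intact, whether all three components are present, and whether the backup falls within the weekly window. The file names, contents and timestamps are constructed samples.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def make_backup(files, archive_path, taken_at):
    """Archive files (path -> bytes); return a manifest with the backup time and each file's SHA-256."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for path, blob in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return {"taken_at": taken_at, "files": {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}}

def restore_and_verify(archive_path, manifest, now, max_age_days=7):
    """Restore into a scratch test bed and list every way the backup fails the control."""
    findings, restored = [], {}
    age_days = (now - manifest["taken_at"]) / 86400
    if age_days > max_age_days:
        findings.append(f"backup is {age_days:.1f} days old (limit {max_age_days})")
    with tempfile.TemporaryDirectory() as testbed, tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            dest = os.path.join(testbed, member.name)  # sample archives are self-made; real ones need path checks
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as out:
                out.write(tar.extractfile(member).read())
            with open(dest, "rb") as back:  # hash what actually landed on disk, not the archive entry
                restored[member.name] = hashlib.sha256(back.read()).hexdigest()
    for path, expected in manifest["files"].items():
        if restored.get(path) != expected:
            findings.append(f"{path}: missing or altered after restore")
    for comp in ("os", "app", "data"):  # the three components the control requires
        if not any(p.startswith(comp + "/") for p in restored):
            findings.append(f"no {comp} component in backup")
    return findings

def demo(now=1_700_000_000.0):
    """Constructed sample: one compliant backup and one that is stale, incomplete and altered."""
    files = {"os/etc/hosts": b"127.0.0.1 localhost\n",
             "app/bin/ledger": b"#!/bin/sh\necho ledger\n",
             "data/records.csv": b"id,amount\n1,100\n"}
    altered = {"os/etc/hosts": files["os/etc/hosts"], "data/records.csv": b"id,amount\n1,900\n"}
    with tempfile.TemporaryDirectory() as d:
        manifest = make_backup(files, os.path.join(d, "good.tgz"), taken_at=now - 2 * 86400)
        clean = restore_and_verify(os.path.join(d, "good.tgz"), manifest, now)
        make_backup(altered, os.path.join(d, "bad.tgz"), taken_at=now - 9 * 86400)
        stale = dict(manifest, taken_at=now - 9 * 86400)  # old manifest, so the altered file stands out
        broken = restore_and_verify(os.path.join(d, "bad.tgz"), stale, now)
    return clean, broken
```

Running `demo()` returns an empty findings list for the compliant backup and four findings for the second one: it is older than a week, the application binary is missing, the data file no longer matches its recorded hash, and the application component is absent altogether.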