Banks regularly undergo mandatory stress tests. These tests are clearly defined, and the results are used to determine how well each bank can maneuver through an economic calamity. If we apply the basic blueprint of a financial stress test to an IT infrastructure, we can loosely define it as:
“An analysis conducted under unfavorable scenarios which are designed to determine whether an IT infrastructure has sufficient mechanisms in place to withstand the impact of adverse developments.”
In other words, a disaster test aimed at all production infrastructure points. Would your IT infrastructure be capable of withstanding a DDoS attack? How about a zero-day malware infection within your DMZ or on your desktops? Are there sufficient disaster recovery plans in case of any system or link failure? A recent Tripwire article on cyber insurance dives into the question of mitigation and acceptance, and of implementing countermeasures to reduce the impact of a threat. CISOs and CTOs need to consider running stress test drills to discover areas where there aren't any clearly defined backup or failover solutions; identify devices lacking current arrangements for recovery; and engage teams to formulate and document DR plans for all critical devices. Some key areas to verify through regular disaster tests include:
- Ingress data points (dual WAN load balancing)
- Data Loss Prevention devices
- Spam filtering devices
- Proxies and reverse-proxies
- SIEM
- Mobile Device Management solution
- Web application firewalls
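The drill described above comes down to an inventory question: which critical devices have no documented DR plan, no failover path, a stale backup, or a backup that has never been restored in a test? As an added example (not code from the article or from Tripwire), the Python script below runs that gap check over a constructed device inventory. The device records, the field names, and the backup-age and restore-test thresholds are all assumptions chosen for illustration; substitute your own policy values and asset data.

```python
"""DR-readiness gap check over a device inventory (added example, not from the article).

Each device record carries the fields a stress-test drill would verify:
whether a documented recovery plan exists, whether a failover path exists,
when the last backup ran, and when a restore from that backup was last tested.
The inventory and the policy thresholds below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_BACKUP_AGE = timedelta(days=1)         # assumed policy: critical backups run daily
MAX_RESTORE_TEST_AGE = timedelta(days=90)  # assumed policy: quarterly restore drills


@dataclass
class Device:
    name: str
    role: str
    critical: bool
    dr_plan_documented: bool
    failover: Optional[str]            # e.g. "dual WAN"; None means single point of failure
    last_backup: Optional[datetime]
    last_restore_test: Optional[datetime]


def find_gaps(dev: Device, now: datetime) -> list[str]:
    """Return the DR gaps found for one device; an empty list means it is drill-ready."""
    gaps: list[str] = []
    if not dev.dr_plan_documented:
        gaps.append("no documented DR plan")
    if dev.failover is None:
        gaps.append("no failover path (single point of failure)")
    if dev.last_backup is None:
        gaps.append("never backed up")
    else:
        age = now - dev.last_backup
        if age > MAX_BACKUP_AGE:
            gaps.append(f"backup stale ({age.days} days old)")
        # A backup that has never been restored is an untested backup.
        if dev.last_restore_test is None:
            gaps.append("restore never tested")
        elif now - dev.last_restore_test > MAX_RESTORE_TEST_AGE:
            gaps.append(f"restore test stale ({(now - dev.last_restore_test).days} days old)")
    return gaps


def audit(inventory: list[Device], now: datetime) -> dict[str, list[str]]:
    """Map device name -> gaps for every critical device (non-critical ones are out of scope)."""
    return {d.name: find_gaps(d, now) for d in inventory if d.critical}


def unprepared(report: dict[str, list[str]]) -> list[str]:
    """Names of critical devices with at least one gap, sorted for stable output."""
    return sorted(name for name, gaps in report.items() if gaps)


# Fixed clock so the example is deterministic; the inventory is constructed sample data.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    Device("edge-wan-1", "ingress", True, True, "dual WAN",
           NOW - timedelta(days=1), NOW - timedelta(days=30)),
    Device("dlp-1", "data loss prevention", True, True, None,
           NOW - timedelta(days=5), None),
    Device("spam-filter-1", "spam filtering", False, False, None, None, None),
    Device("siem-1", "SIEM", True, False, "warm standby",
           NOW, NOW - timedelta(days=120)),
    Device("waf-1", "web application firewall", True, True, "active/passive pair",
           None, None),
]

if __name__ == "__main__":
    report = audit(INVENTORY, NOW)
    for name, gaps in report.items():
        status = "READY" if not gaps else "GAPS: " + "; ".join(gaps)
        print(f"{name:15} {status}")
    print("unprepared:", ", ".join(unprepared(report)) or "none")
```

The check deliberately treats an untested backup as a gap in its own right: a backup that has never been restored only proves that something was written, not that the device can be recovered within the plan's time window.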
Further, subject your workstations to the scenario of a zero-day vulnerability. If one workstation is infected at point (a) in your organization, are there proper controls in place to quickly isolate and take the affected machines offline without malware spreading to point (b)? Is anti-malware up to date and current on all workstations? The same preparation needs to be applied to servers within your DMZ and internal LAN: is there proper segmentation, and are IPSs in place, to prevent malware from spreading? Keep all production servers and network devices up to date with the latest patches, and form a plan to scan for vulnerabilities on a weekly and monthly basis. The roadmap to a successful disaster recovery plan includes regular backups of all production-critical devices, secure and accessible recovery of those backups, and a step-by-step recovery procedure that is clearly known to all responsible teams.

Happy and Safe Computing!

About the Author: Brian M. Thomas (@InfoSec_Brian) is a passionate professional with 17 years’ experience providing Tier-4 data solutions in all disciplines of IT, including Network/Server administration and Information Security. Proven experience in HIPAA, ISO 27001 and PCI compliance.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.