Critical Control 8: Data Recovery Capability

How do attackers exploit the absence of this control?

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker's presence on the machine.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Organizations should ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. However, each must be backed up at least weekly.
  2. Quick wins: Data on backup media should be tested on a regular basis by performing a data restoration process to ensure that the backup is properly working.
  3. Quick wins: Key personnel should be trained on both the backup and restoration processes. To be ready in case a major incident occurs, alternative personnel should also be trained on the restoration process just in case the primary IT point of contact is not available.
  4. Configuration/Hygiene: Organizations should ensure that backups are properly protected via physical security or encryption when they are stored locally, as well as when they are moved across the network.
  5. Configuration/Hygiene: Backup media, such as hard drives and tapes, should be stored in physically secure, locked facilities.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

CP-9 (a, b, d, 1, 3), CP-10 (6)

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Backup Strategy

Procedures and Tools to Implement and Automate this Control

Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.
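The following script is an added example, not part of the original control text or any backup product, showing how the weekly backup (quick win 1), the regular restore test (quick win 2) and the quarterly test-bed verification above can be made checkable rather than assumed. It records a SHA-256 manifest of every file at backup time, restores the archive into a scratch directory, and reports any file that is missing or differs from the manifest; it also shows what the report looks like when a restored file comes back truncated. The directory layout, file names and contents are constructed for the demonstration; encryption of the archive in transit and at rest (configuration/hygiene item 4) is outside what this snippet covers.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_of(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source into a gzip tarball and return the manifest
    taken at backup time; a later restore test is checked against that manifest."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest(source)


def restore_backup(archive: Path, restore_dir: Path) -> None:
    """Extract the archive into the test-bed directory. The 'data' filter refuses
    members that would land outside restore_dir; older interpreters lack the keyword."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)


def verify_restore(restore_dir: Path, expected: dict) -> list:
    """Return the relative paths that are missing from the restore or whose digest
    differs from the backup-time manifest. An empty list means the test passed."""
    restored = manifest(restore_dir)
    return sorted(rel for rel, digest in expected.items()
                  if restored.get(rel) != digest)


def run_demo() -> tuple:
    """Constructed sample: back up a small tree, restore it and verify it, then
    damage one restored file to show what a failed restore test reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, restore_dir = root / "source", root / "restore"
        (source / "etc").mkdir(parents=True)
        (source / "data").mkdir()
        (source / "etc" / "app.conf").write_text("listen=127.0.0.1:8443\n")
        (source / "data" / "records.csv").write_text("id,value\n1,alpha\n2,beta\n")
        archive = root / "weekly.tar.gz"

        expected = create_backup(source, archive)
        restore_backup(archive, restore_dir)
        clean = verify_restore(restore_dir, expected)

        # Simulate a bad restore: the data file came back truncated.
        (restore_dir / "data" / "records.csv").write_text("id,value\n")
        damaged = verify_restore(restore_dir, expected)
        return clean, damaged


if __name__ == "__main__":
    print(run_demo())  # ([], ['data/records.csv'])
```

Keeping the manifest alongside the archive, rather than recomputing digests from the archive itself, is what lets a restore test say more than "extraction did not raise an error": a restore that silently drops or truncates a file shows up by name, which is the evidence the quarterly review wants to see.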

Control 8 Sensors, Measurement, and Scoring

Sensor: Backup software
Measurement: Verify that an automated backup solution is in place for all critical systems. The automated system could be a tape library system, a hot-spare network file store, or something similar.
Score: Percentage of critical systems that are backed up. The score diminishes based on the number of days since the last successful backup of a critical system.
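As an added example (not part of the original control text), the scoring rule above can be computed from the backup software's own job log and an inventory of critical systems. The log format, the host names and the inventory are constructed for this example; the control does not specify how quickly the score should diminish, so the decay schedule here is an assumption: full credit while the last successful backup is within the weekly interval from quick win 1, decaying linearly to no credit four weeks out. Systems with no successful backup at all, or only failed jobs, earn nothing.

```python
from datetime import date

REQUIRED_INTERVAL_DAYS = 7    # weekly backup requirement (quick win 1)
ZERO_CREDIT_AFTER_DAYS = 28   # assumption: credit decays linearly to 0 by four weeks

# Constructed inventory of critical systems and the date the score is computed.
CRITICAL_SYSTEMS = {"db01", "web01", "file01", "ad01"}
AS_OF = date(2024, 3, 15)

# Constructed backup-job log: "<date> <time> <STATUS> <system> [detail...]".
BACKUP_LOG = """\
2024-03-01 02:01:43 SUCCESS file01
2024-03-08 02:00:09 SUCCESS web01
2024-03-08 02:03:51 FAILED  file01 tape write error
2024-03-08 02:05:00 FAILED  ad01 snapshot failed
2024-03-14 02:00:02 SUCCESS db01
2024-03-14 02:06:30 SUCCESS kiosk07
2024-03-15 02:04:12 FAILED  ad01 snapshot failed
"""


def last_successes(log_text: str) -> dict:
    """Map each system to the date of its most recent SUCCESS entry.
    Failed jobs are ignored: only a completed backup counts."""
    last = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, _time, status, system, *_detail = line.split()
        if status != "SUCCESS":
            continue
        when = date.fromisoformat(day)
        if system not in last or when > last[system]:
            last[system] = when
    return last


def system_credit(last_success, as_of: date) -> float:
    """Credit in [0, 1] for one system, based on the age of its last good backup."""
    if last_success is None:
        return 0.0
    age = (as_of - last_success).days
    if age <= REQUIRED_INTERVAL_DAYS:
        return 1.0
    if age >= ZERO_CREDIT_AFTER_DAYS:
        return 0.0
    overdue = age - REQUIRED_INTERVAL_DAYS
    return 1.0 - overdue / (ZERO_CREDIT_AFTER_DAYS - REQUIRED_INTERVAL_DAYS)


def control8_score(log_text: str, critical: set, as_of: date) -> float:
    """Percentage score over the critical inventory, diminished for stale backups."""
    if not critical:
        return 100.0
    last = last_successes(log_text)
    total = sum(system_credit(last.get(system), as_of) for system in critical)
    return 100.0 * total / len(critical)


def overdue_critical(log_text: str, critical: set, as_of: date) -> list:
    """Critical systems that are not earning full credit, for the remediation list."""
    last = last_successes(log_text)
    return sorted(s for s in critical if system_credit(last.get(s), as_of) < 1.0)


if __name__ == "__main__":
    print(round(control8_score(BACKUP_LOG, CRITICAL_SYSTEMS, AS_OF), 2))  # 66.67
    print(overdue_critical(BACKUP_LOG, CRITICAL_SYSTEMS, AS_OF))          # ['ad01', 'file01']
```

In the constructed log, db01 and web01 are within the weekly interval, file01's last good backup is fourteen days old (its later job failed), and ad01 has never completed, so the score is two thirds of full credit. Deriving "last successful backup" from SUCCESS entries rather than from the mere existence of a scheduled job is the point: a job that runs every night and fails every night should drive the score down, not hold it up.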