News & Commentary

01:25 PM
Danne Buchanan, Fundtech
Danne Buchanan, Fundtech
Commentary
50%
50%

Disaster Recovery: Test, Invest and Educate

All disaster recovery efforts, whether they are for natural disasters or security threats, must ultimately be tested for efficiency and reliability.

Amidst internal and external security threats, natural disasters, hacking attempts and technological changes, banks and service providers today are constantly faced with the possibilities of data loss, security breaches and breaks in business continuity. These institutions are being asked more frequently than ever what plans they have in place for speedy recovery should systems be compromised. Following a number of hard-hitting storms in the United States, including Hurricane Sandy and the devastation wrought on the Midwest following recent tornadoes, attention is focused on preparing for a recovery after natural disasters. Though preparing for natural impact is important, it becomes easy to forget there is just as much, if not more, potential for malicious manmade threats from a security and technology perspective.

All disaster recovery efforts, whether they are for natural disasters or security threats, must ultimately be tested for efficiency and reliability. While banks across the board conduct regular tests, the way in which these tests are conducted is crucial to determining a bank’s true ability to recover in the event of a disaster. In most instances, testing can be considered either static or dynamic. Most disaster recovery tests currently conducted are static in nature, meaning they are crafted to be sterile and built for success, to allow banks to ‘prove’ they have the ability and tools needed to succeed in the event of disruption. In these instances, banks and service providers are able to conduct tests and prove they have a perfect fail-over recovery system in place. The issue here is that these tests are rarely built to actually mimic any real disaster.

An alternative to static testing is dynamic testing. In this instance, banks implement tests that stress their systems, processes and procedures to provide a more accurate look at how disaster recovery systems in place may work in the event of true disruption. These tests are designed to push bank systems to their limits and are undoubtedly more difficult. The risk with dynamic tests is that by adding more variability, more uncertainty and more issues requiring resolution, the likelihood of institutions being able to complete the tests and prove complete fail-over is more complicated. The benefit is that because these tests are designed to evaluate systems and processes in the most real-world, worst-case scenarios, institutions learn a great deal about the true ability of their disaster recovery plans. As a result, they are able to make necessary adjustments to better prepare themselves for prospective disaster. Though peppered with potential for test failure, the benefits of dynamic testing strongly outweigh potential perception risk.

Another important aspect of a sound disaster recovery infrastructure is the ability to deal with and rapidly recover from denial of service attacks, which have quickly become one of the largest, most common threats to banks over the recent years. These attacks, often from overseas, can easily infiltrate thousands of computers and overwhelm entire networks and servers, rendering sites useless until service can be restored. Banks need multiple layers of protection to be best prepared for these seemingly random attacks. This starts with an institution’s ISP and includes hardware and software at all data centers, as protecting each piece is an imperative part of being prepared for these potential attacks. Particularly for smaller regional and community banks, finding a vendor solution provider that can provide the best technological capabilities and tools for intrusion detection and prevention is extremely important.

Finally, in addition to regular testing and security measures, continual education of IT personnel is also a key factor in ensuring banks and service providers are properly prepared. While testing aims to stress systems and processes in case of a disaster, investing in a knowledgeable IT staff can actually serve as a preventative measure. In both small and large banks alike, regular employee education and training is an important step in the disaster recovery process as many technological threats derive from virus-infected emails, links and other Trojan horses employees may encounter.

Modern advancements in technology have increased the general expectation that services provided by banks and service providers are invincible, secure and always available. These institutions are expected to find ways to keep the lights on even through the storm. With regular dynamic testing, investments in security technologies, and staff education, banks and service providers will be best prepared to face threats of manmade or natural disasters.

Danne Buchanan is EVP, Head of North America Operations for Fundtech.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.