Disaster Recovery

Disaster recovery, access rights, and the necessary policies in the event of a disaster are topics that are often overlooked by those new to the security field, yet carry critical importance. We must ensure the security of our data and systems at all times and maintain business continuity. From IT units to cybersecurity teams, organisations must take precautions and plan ahead for such situations. Disaster Recovery — the practice of keeping data on standby at a different location — is one of the measures used to maintain operational continuity in the event of a disaster.

Regardless of the cause of an outage or system crash, many steps are taken to ensure business continuity. The concept known as a disaster scenario or disaster recovery refers to the entirety of backup and redundant systems that an organisation activates in the event of the worst possible scenarios. In today’s technology landscape, these structures are generally provided through cloud servers or rented servers. Naturally, for mission-critical data, organisations may also rely on their own systems located at different sites within their country’s borders.

Disaster recovery, access rights, and the appropriate policies are sometimes overlooked. To make it simple and easy to remember, we can divide the steps for evaluating a system’s security into “Six Sections”.

Disaster Recovery

• Patches
• Ports
• Protection
• Policies
• Probe and Inspect
• Physical Access

System Patches

Patching a system is the most fundamental part of security. For this reason, when assessing the security of a system, you should verify whether a procedure exists to routinely manage the application of all patches. Having a written policy is very important, but ensuring that those policies are actually followed during a security audit has become critical in today’s technology environment.

As you know, operating system and application vendors occasionally discover security flaws in their products and release patches to fix them. Unfortunately, it is not uncommon to find organisations that have not applied patches for 30 days or more after they are released. In some cases, patches may remain unapplied for months due to bureaucratic processes or application compatibility issues.

Ports

All communication takes place over a port (TCP/UDP). This is also true of many virus attacks. Virus attacks typically target an unused port on your system in order to gain access. Keep in mind that ports between 1 and 1024 are assigned and used for well-known protocols. If the ports on which specific viruses, Trojans, and other threats operate are closed, your vulnerability to those specific attacks is significantly reduced.

Unfortunately, some system administrators do not establish a policy for closing unused ports. The reason is that many administrators believe that if the firewall blocks certain traffic, there is no need to close that port on individual machines. However, this approach only provides perimeter security, not layered security. Closing ports on individual machines will also improve firewall efficiency.

As a rule, any port you do not need should be closed and communication should not be permitted on that port. A port is typically associated with a service. For example, an FTP service is generally associated with ports 21 and 20. To close a port on a single machine, you must stop the service using that port. This means that unused services on servers and individual workstations must be shut down.

Both Windows and Linux have built-in firewall capabilities to block specific ports. This means that in addition to shutting down unnecessary services on all client machines, you also need to close those ports.

You should also close unused router ports on your network. If your network is part of a wider wide-area network (WAN), you most likely have a router connecting you to that WAN. Every open port is a potential entry point for a virus or intruder. For this reason, every port you can close is significant in preventing such attacks from affecting your system.

The details of how to close a port on a router vary by manufacturer. The documentation that comes with your router or vendor will provide you with specific instructions on how to do this. If you have a vendor servicing your router, you should compile a list of all required ports and ask the vendor to close any unnecessary ones on the router.

Protection

Protection encompasses the software and hardware tools used to defend your system. In most organisations, protection typically begins with a firewall that filters traffic. Alongside the firewall, intrusion detection systems (IDS), antivirus software, and other protective tools may also be used.

When evaluating the protection measures of a system, the following questions should be addressed:

• What firewall software or hardware is in place?
• Is the firewall properly configured?
• Is an IDS solution in use?
• Is antivirus software installed on all machines?
• Is the antivirus software up to date?

Policies

A security policy defines how a system is to be used and protected. Policies should address all aspects of system usage, from user passwords to system access. A written policy is essential, but it is equally important to verify that the policy is actually being followed. Common examples of security policies include:

• Password policies
• User account policies
• Data backup policies
• System access policies

Probe and Inspect

Probing and inspection involve the processes used to detect security vulnerabilities in a system. This typically includes practices such as log review, system monitoring, and penetration testing. When evaluating a system’s probe and inspection capabilities, the following questions should be considered:

• Are system logs reviewed regularly?
• Are there security monitoring tools in use?
• Are penetration tests conducted periodically?

Physical Access

Physical access refers to controlling who can physically access systems. Even the most robust digital security measures can be rendered ineffective if physical access to systems is not properly controlled. When evaluating physical access, the following questions should be addressed:

• Are server rooms secured?
• Are workstations physically locked?
• Are hardware security measures such as BIOS passwords in place?

Disaster Recovery Plans

A disaster recovery plan is a document that outlines the steps an organisation will take to resume operations following a disaster. A good disaster recovery plan should address the following elements:

• Backup systems: What backup systems will be used when primary systems go down?
• Recovery time: How quickly can systems be restored to operational status?
• Data backup: How are data backups performed and how frequently?
• Communication plan: How will stakeholders be notified in the event of a disaster?
• Testing: How and how often is the disaster recovery plan tested?

Access Rights

Access rights define who is authorised to access which systems and data. Properly managing access rights is a critical component of system security. Access rights should be granted based on the principle of least privilege — each user should only have access to the resources they genuinely need.

When evaluating access rights, the following questions should be considered:

• Is the principle of least privilege applied?
• Are access rights reviewed regularly?
• Are former employees’ access rights promptly revoked?
• Are privileged accounts (e.g. administrator accounts) used appropriately?

Conclusion

Disaster recovery planning, access rights management, and security policies are elements that are sometimes overlooked in cybersecurity. However, these components are as critical as technical security measures. A comprehensive security strategy must include not only technical defences but also proper planning and policy frameworks. Organisations should regularly review and update their disaster recovery plans, ensure that access rights align with current requirements, and verify that security policies are genuinely being followed in practice.