How to make a Windows disaster recovery kit

Hello, everyone. This is Susan Bradley for CSO Online. Over the weekend, I dealt with a misbehaving server that reminded me that no matter how small or how large you are, you need to have a security disaster toolkit or a checklist at the ready should any event occur. But as we move away from on-premises servers to cloud servers, perhaps you need to re-review that checklist and see if there are any changes you need to make.

At a minimum, you need to review your security checklist at least once a year, if not more often, and especially if you have any major migrations or big changes or plans in the works.

Now, to start, NIST, the National Institute of Standards and Technology, has several documents online regarding disaster plans and checklists, and that's a way to get started. So if you don't have your own checklists, start there. In addition, the SANS organization has a disaster recovery plan policy and many other policy resources that you can check out on their site.

Now, for many years, the standard operating procedure to deal with a device, especially one that you thought had been attacked or taken over, was to turn off the device and isolate it to ensure that you maintained the log files and evidence. Well, now the standard answer may be "it depends," depending on where the device is located and what exactly it is. Instead of taking the device offline, you may flip that device to an isolated network for future investigation. So don't just knee-jerk turn off the device. Think about where it is and what ways you have to access it.

When you're investigating workstations and servers, you want to ensure that your processes include backups of the devices, made to capture the system in its impacted state. Before you restore something and before you put something back online, make sure you have a capture of it in its impacted state. You want those actual log files. You want that evidence, especially in case there's some sort of FBI investigation you'll need it for later on. Often in recovery, in the zeal of trying to get back online, you don't think of maintaining evidence and you forget what to do. So relax. I know that's hard, but slow down. Make sure you have a checklist and follow the processes.

Now, even before an incident occurs, you may want to have certain things in your toolkit. For example, for servers that are in high-risk areas, you may want to install, or really you do want to install, Sysmon from Sysinternals, which once installed on a system remains resident across system reboots in order to monitor and log system activity to the Windows event log. SwiftOnSecurity's GitHub site has a Sysmon configuration that you want to check out. And of course, because attackers these days want to do lateral movement inside an organization, you want to install and use the Local Administrator Password Solution (LAPS) toolkit. Attackers gain network access through the use of targeted phishing attacks. From there, they'll use a variety of means to harvest hashes, and their goal is to get a local administrator password. Now, in the old, old days, we picked one local administrator password and used it throughout the network. These days, that's not a good idea, because once an attacker pops one password, they can get access to the entire network. So again, look to the Local Administrator Password Solution toolkit to solve that issue. The next tool you want to bookmark but not download is something called the Microsoft Safety Scanner. It's an on-demand scanning tool that is only valid for use for 10 days after being downloaded, because obviously you want the latest signature files included. You'll download it, you'll accept the terms, and you'll run it on a system in order to do a scan to see what's up.

It will determine whether there are any malicious files on your computer.
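As an added example, not from the transcript or from Sysinternals, here is how the pre-incident part of that toolkit can be staged and verified on a server ahead of time. It assumes Sysmon64.exe, the SwiftOnSecurity sysmonconfig-export.xml and the Safety Scanner binary MSERT.exe were copied to C:\IRKit, a hypothetical staging folder.

```powershell
# Added example (not from the transcript): stage and verify the pre-incident toolkit on a
# Windows server. Assumes Sysmon64.exe, the SwiftOnSecurity sysmonconfig-export.xml and
# MSERT.exe (Microsoft Safety Scanner) were copied to C:\IRKit, a hypothetical path.
# Run from an elevated PowerShell prompt.
$KitDir = 'C:\IRKit'
$Sysmon = Join-Path $KitDir 'Sysmon64.exe'
$Config = Join-Path $KitDir 'sysmonconfig-export.xml'
$Msert  = Join-Path $KitDir 'MSERT.exe'

if (-not (Test-Path $Sysmon) -or -not (Test-Path $Config)) {
    throw "Sysmon binary or config missing from $KitDir; stage them before an incident."
}

# Install Sysmon (service name Sysmon64) with the config, or push an updated config
# if it is already present. -accepteula avoids the interactive licence prompt.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $Sysmon -c $Config
} else {
    & $Sysmon -accepteula -i $Config
}

# The service is registered with automatic start, which is what keeps it resident
# across reboots; confirm that rather than assuming it.
$svc = Get-Service -Name Sysmon64
if ($svc.StartType -ne 'Automatic' -or $svc.Status -ne 'Running') {
    Write-Warning "Sysmon64 is $($svc.Status) with start type $($svc.StartType)."
}

# Prove events are flowing: the five most recent process-creation records (Event ID 1)
# from the Sysmon operational channel.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1
} -MaxEvents 5 | Format-Table TimeCreated, Id -AutoSize

# The Safety Scanner's signatures expire 10 days after download, so a staged copy
# goes stale; warn instead of trusting an old binary (file write time approximates
# the download time).
if (Test-Path $Msert) {
    $ageDays = ((Get-Date) - (Get-Item $Msert).LastWriteTime).TotalDays
    if ($ageDays -gt 10) {
        Write-Warning ("MSERT.exe is {0:N0} days old; re-download it before scanning." -f $ageDays)
    }
} else {
    Write-Host "MSERT.exe not staged: download a fresh copy when it is needed."
}
```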

The next thing you'll want to make sure you have is what's called a jump bag, and these things could be personal items or they could be tools. For example, if you'll be traveling someplace or going to some location, you may need to have a bag of personal items: toothbrush, toothpaste, clothes. These days with cloud computing, you'll want to make sure that you have bookmarked Azure portal links and licenses. ISOs of operating systems, the ability to have access to the needed operating systems to be able to boot back into and restore from a backup, is key to recovering quickly. So have documentation online as well as offline in various paper formats. Yes, old-fashioned paper. And make sure you have the means to access such items as your firm's Azure portal, Volume Licensing portal or other access to ISOs and products. You may want to have access to a corporate credit card or some other purchasing authorization in order to purchase resources and access to services. Think in terms of alternatives to your normal channels of communication. Remember, in a disaster, email or the other means that you normally use to contact each other may be offline. So have that jump bag, a list of contact information and alternative ways to contact key players, and you'll want to review this on a regular basis. So here are some things you might want for an on-premises situation in a jump bag: network cables, USB cables, hard drives, SSDs, external USB drives, flash drives, device interface adapters, a handheld label printer in order to label drives and things that you're taking out for incident handling, hub devices, digital cameras, cable ties and cable snips, screws, notebooks, chain of custody forms so you document and have a witness of how items were obtained, incident handling procedures and finally, business cards for all members of the team, so that when you go into a situation, you can hand out authoritative information about who's on that team.
As we go to the cloud, we move to a different set of proper steps in order to deal with compromised accounts. For example, in Office 365, you'll want to follow the Microsoft recommendations on how to secure and restore e-mail function. You want to reset passwords. You want to make sure you have multi-factor authentication enabled. You want to block the user account from signing in again; follow the steps there. Then you'll want to go and review the Microsoft security score and what to do, if you haven't already. Take a look at the security roadmap. Look at the 30-day steps, the 90-day steps and the steps beyond, constantly reviewing what threats and risks are coming to cloud security. And finally, you want to review the Microsoft Secure Score. Here in my sample tenant, I have a lousy score. You want to get that total score higher. You want the attackers to go to somebody else who's easier to attack, not you. So take the time now, when you're not in the middle of a disaster, to plan on having one. Make sure you're ready for when the event occurs. Not if. And of course, last but not least, join us on Tech Talk from IDG, the new YouTube channel for the tech news of the day. Until next time. This is Susan Bradley for CSO Online. See you next time.
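The compromised-account steps just mentioned (block sign-in, reset the password) as an added example, not from the transcript or from Microsoft's guidance page, using the Microsoft.Graph PowerShell module; it also revokes existing sessions, which a password reset alone does not end. $Upn is a hypothetical placeholder for the affected account, and the admin running it is assumed to be able to consent to the two scopes.

```powershell
# Added example (not from the transcript or Microsoft's guidance page): first containment
# steps for a compromised Microsoft 365 account with the Microsoft.Graph PowerShell module.
# Assumes Install-Module Microsoft.Graph has been run and the signed-in admin can consent
# to the two scopes below. $Upn is a hypothetical placeholder for the affected account.
param([Parameter(Mandatory)][string]$Upn)

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

# 1. Block further sign-ins before anything else.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Reset the password to a random value the attacker cannot know and force a change
#    at next sign-in. 24 random bytes -> 32 base64 characters (upper, lower, digits).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}
# Hand the temporary password to the user out of band; it is deliberately not logged.
Write-Host "Temporary password for $Upn (deliver out of band): $newPassword"

# 3. Revoke refresh tokens so sessions already cached on attacker devices stop working.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. Log what was done and when, for the incident record.
$logPath = Join-Path $env:USERPROFILE ('incident-{0:yyyyMMdd}.log' -f (Get-Date))
'{0:u} {1}: sign-in blocked, password reset, sessions revoked' -f (Get-Date), $Upn |
    Tee-Object -FilePath $logPath -Append

# MFA enforcement is a Conditional Access / per-user setting handled separately and is
# not automated here. Re-enable the account only after the investigation is complete:
#   Update-MgUser -UserId $Upn -AccountEnabled:$true
```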
