In the
weeks since Hurricanes Katrina and Rita, there has been much talk about
disaster preparation as well as discussions on how society can avoid such a
tragedy the next time. And that’s not surprising: Such large-scale situations, including
Hurricane
Katrina, September
11, and even the Blackout
of 2003 in the northeastern United States, always highlight the importance
of strong disaster recovery plans.

In the
aftermath, organizations tend to focus more time and money on preparing for
natural disasters (such as hurricanes
and earthquakes)
and physical disasters (such as fires and floods). However,
what companies often fail to realize is that disasters also pose a significant
threat to electronic assets—particularly in our ability to communicate and in
the value of information itself.

An
Internet disaster—whether accidental or intentional—could damage or destroy the
ability of a company to communicate with the outside world and seriously impact
business. For example, a company that’s the target of a denial of service (DoS)
attack or that has lost its Internet connectivity due to a cut fiber-optic
cable is often helpless.

Knowing
what to do in these cases can be confusing, but companies should seriously
consider the cost of lost productivity due to Internet problems. It can be
extremely difficult to plan for or recover from an electronic disaster due to
the complexity of the Internet.

Planning
for a physical threat to a building (such as a fire) and to the employees who
work in that building requires sprinklers, fire alarms, and fire escapes.
Similarly, strict access controls and expensive fire-suppression equipment typically
protect a corporate data center because serious problems could cause a
significant loss of business. (This planning occurs not only for the safety of
the occupants, but also because of fire codes and insurance requirements.) In
addition, most companies plan for power problems by using battery-backed power
supplies or installing backup generators.

Some
companies plan for internal computer system disasters on key assets by using
clustering and highly available server systems and by using a disaster recovery
vendor. They put the time and money into all of this disaster planning because
these assets are essential tools of business. Yet, in my experience, even
though many companies consider the Internet an essential tool to conduct
business, few plan for Internet problems—until, of course, the systems stop
working.

When
there’s a problem (such as a mass-mailing worm) that disables a company’s
e-mail server, this shuts off e-mail. A crashed virus-scanning system or
firewall also paralyzes e-mail. A DoS attack on a gateway router can shut off a
company from the Internet completely. By the same token, a fiber cut in Chicago
can shut off a company in Cleveland.

That’s why
I advise companies to prepare for Internet disasters in the same manner they do
for physical disasters. Being prepared for Internet disasters requires planning
and redundancy on key Internet systems, similarly to how some companies
implement highly available systems for internal business needs. This means that
companies that depend on the Internet as a communication tool should consider
these essential components: multiple Internet gateways, redundant firewall
systems, e-mail servers, and virus-scanning systems.

Companies
should plan for virtual disasters in the same manner as physical disasters by
developing and implementing disaster planning procedures for Internet
equipment. If your company is Internet-dependent, make sure you’re prepared in
the unfortunate event that a disaster occurs.

Miss an issue?

Check out the Internet Security Focus
Archive, and catch up on the most recent editions of Jonathan Yarden’s
column.

Want more advice for
locking down your network? Stay on top of the latest security issues and
industry trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Monday.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.