Bad circumstances happen to us and our technology. Fire, flood, sickness, and death can surprise us, our families, and our technology. While we may not be able to control all aspects of life, we can be prepared. At any time, you might metaphorically get hit by a bus.
While I felt that I had reasonable protections to recover my digital life in case of a technical or personal disaster, I was worried that my wife, without documentation, would be unable to traverse my backups, encrypted file vaults, and password manager. With my wife in mind, I created my own personal disaster recovery plan to document my digital life and even tested the plan for good measure.
Even by following best practices, an oversight caused several of my security controls to conflict in the case of a complete disaster, locking me out of my own digital life as if my backups did not exist. Fortunately, this was just a test, but I was a single disaster or hard drive failure away from complete data loss.
Companies have been learning that disaster recovery is hard to get right. Recently, ransomware on the City of Atlanta’s network caused years of police dash camera footage to be lost, thereby impacting prosecutions. Hospitals hit by ransomware have also learned the gaps in their plans when patient data is lost or difficult to recover. Ransomware, or another disaster, affect companies and individuals alike and test the quality of their preparations.
It is no longer good enough to do basic backups – to truly be protected, you need to consider multiple aspects of your digital life, plan for how failure can occur, and test your plan to make sure it works.
Your plan should include your passwords, computers, financials, accounts, and automated backups. All backups, and the plan itself, need to be located securely away from your home so disaster does not eliminate your backups when the originals are destroyed.
Plus, you need to test that, starting from nothing, you can actually use your plan to recover your life. This includes thinking about where you can store the plan, so that it can be easily retrieved after a disaster but not by an attacker!
On top of writing and testing your plan, you need your plan to be understandable to other important people in your life, in case you are not there to help. This includes important people that may not be anywhere as technically savvy as yourself! It’s best to review your plan with these people so you can identify gaps in the plan and educate before the plan is needed. It also helps them know the plan exists and what it is for.
As our lives become increasingly digital, personal disaster recovery is going to become more and more important. Previous generations had paper trails to discover assets and in-person methods for regaining access. Now, it is possible to be locked out of an account forever if your family even knows it exists.
For those attending BSidesLV, I will be giving my talk “Watch Out For That Bus! (Personal Disaster Recovery Planning)” as part of the Common Ground track. See you there!
About the Author: David Minch is an OSCP and is currently a cybersecurity engineer at MITRE, which operates multiple Federally Funded Research and Development Centers. During his career, he has focused on exploiting and securing critical systems. He has a blend of technical and non-technical experience that helps him practice balanced security. In his free time, he enjoys playing with his overly complicated home network, especially a new-to-him Dell R610 running more VMs than necessary for a house. When he isn’t doing security, he’s probably destroying his house, serving his cats, or drinking orange crushes (it’s a Maryland thing).
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.