Data Protection, Disaster Recovery Plan, And DDoS Attack Mitigation For STP Limited

Project Background

STP limited have traditionally been cabinet makers in Wollongong from a factory that they own and Wollongong remains the head office.  Sales have been going well and STP have recently bought competitors operations and premises in Bathurst and Lithgow.  They have also opened a store in Sydney and in future they plan to open more.  In Sydney, they have built a state of the art computerised manufacturing facility to produce cupboard and drawer fronts.  The cupboard and drawer fronts are produced in three styles and come in an enormous range of colours which are produced to order.  The new equipment means that they can produce the new fronts in less than a week and appreciable cheaper than other products on the market (around $1000 for a standard kitchen).  STP has begun to sell a lot of cupboard and drawer fronts to people who want to update their kitchen without spending a lot of money.  The cupboard and drawer fronts come complete with fixings and handles so that a home handyman could install them.  However, not everyone can install the fronts themselves and STP is currently considering having vans carrying samples of their product and staffed by people who can install the products.  These vans could act as salespoints as well as installers for the product.   STP is not sure if they will run these vans themselves or offer than as a franchise opportunity for someone or a mix of these business models. The cost advantage as well as a high interest in home renovation has driven a lot of sales with a lot of enquiry from areas outside of the current STP locations.  The owner Joe Smith, wants to take advantage of the capacity of the new machinery and pay for the machinery as quickly as possible.

As STP Limited have bought two existing stores and opened a new branch, there is a feeling that they have outgrown their current office arrangements.  Currently, they do not run a lot of customer accounts rather the people ordering the cupboard and drawer fronts pay cash on ordering.  However, as they are currently receiving a lot of enquiry from builders and developers they have had to implement customer accounts.  STP Limited have also started a web site to showcase their products and publicise their range of products.    Traditionally they have had a very rudimentary stock control system only carrying a small range of wood material, hinges and handles, however with the increase in sales they are now buying cupboard/ drawer material, hinges and handles in bulk and the stock system is not working particularly between branches.  They are currently using on standard office software on standalone machines in each location.  

The staff in the Bathurst and Lithgow offices have transferred from working with the previous owners and are used to working in small standalone locations with a limited range of products.  They are therefore used to working with simple casual processes where they would mostly deal with builders and they would personally know a substantial proportion of customers.  There are therefore no formal processes in place at these locations and limited processes in place in Wollongong and Sydney.  Now they have retail people coming into the store wanting to talk about colours and styles of the cupboard and drawer fronts.

STP Limited had been running into problems where customers are ringing to check on the delivery of their order, which maybe as small as a replacement handle and the staff have to ring around all locations to see if one of the other locations have the parts in stock.  There was also a problem where the system they have is showing the parts in stock and this is communicated to the customer but when the customer arrives at the store to pick up the items they find they are actually not in stock because they have been transferred to another location.  There was also no means for the management to receive a report showing expenditure per location.  In fact, there was limited ability to produce any reports.

They have upgraded their information systems, with a new stock control system, website and customer management system and accounting system.  They have distributed databases in each location.

Stock control system – Currently trialling TradeGecko

Customer management system - SalesForce

Accounting system – MYOB (web-based)

Microsoft Office

They are also considering hiring salespeople at all the offices.  Although Wollongong, has traditionally been the head office, Sydney sales are more than the other stores combined and continue to increase.

Each location has

• 2 to 4 counter staff handling sales and stock.
• A store manager.
• 2 to 4 desktop systems to handle point of sale transactions and an office machine.

Sydney office also contains:

• The owner (who travels regularly to the other stores)
• Accounts clerk
• Part time IT technician, who also has responsibility for the website.
• Part time accountant who works on special projects for the owner
• These people also have a machine, the owner, technician and accountant laptops, the accounts clerk a desktop.

The Internet connection is via ADSL and each office has a modem and switch.  Wireless is also made available at each office and the staff are free to BYOD and connect to the network.  

You are a new information systems manager hired by STP to help them achieve their strategic goals, their second project is that they are concerned about how to best protect the data in the organisation.  There is an increased awareness of the importance of their data as a foundation to increased growth within STP.  

You have been requested to prepare a report by the owner, although he has limited technical knowledge he is extremely anxious to understand how his data will be protected.  He also wants a   Disaster recover plan for a flooding natural disaster and a Distributed Denial of Service Attack.

The STP limited is the traditional cabinet makers situated at Wollongong, Australia. They have been owning factories and their sales department is found to be developing.  They have bought the operations of competitors and premises.

The report is prepared regarding how the data must be protected. A disaster recovery plan is needed for flooding the natural disaster. It also considers the DDoS or Distributed Denial of Service Attack.

The study analyzes the project background, including the backup plan for STP and disaster recovery planning. Then, the project scopes, goals and strategic alignment of the project are considered. Further, the literature demonstrates the backup plans and the disaster recovery plans. The last section includes the flooding of natural disaster and DDoS attack.

Most of the IT departments possess some type of disaster recovery plans for avoiding various downtimes. This takes place because of occurrences like natural disasters.  On the other hand, some of them has been considering of attack under their plans of disaster recovery (Phillips 2015). To prepare the disaster recovery plan, the STP must take into consideration the requires steps for DDoS attack or the different risks kept vulnerable to the financial loss, downtime, costs of emergency mitigation and the extortion plots. Widely, the DDoS recovery plans of DDoS are needed to incorporate mitigation, testing, ownership and detection.

The time is needed to be considered by STP to backup the files and applications. This also includes the running while going for what type of backup is used. Here the storage device selected and the location of the placing of the backup is also considered (Raj, Kant and Das 2014). The quickest method to get the applications backed up and run after the disaster is to generate the picture of backup that has been locally stored. It must be reminded that as one have the stored offsite of secondary backup the disaster eradicates the entire local backup. The DR or disaster recovery also referred to as the image backups generates the picture of the complete system. This includes the operating system, applications, system settings and all other files (Sahebjamnia, Torabi and Mansouri 2015). This kind of backup delivers the easiest path of data recovery. However this needs a lengthier backup gateway.

Various businesses have been generating the picture of critical system. Next, it is done as they create alterations to the applications or operating system running on the particular system. This has been always the effective concept to make a DR image prior to make the changes in major system (Minh et al. 2014). Hence is anything goes wrong, one can smoothly recover the complete system to the previous phase. As something goes proper with every update, STP can generate another picture backup for capturing the latest system state.

STP needs their distinct set of processes and procedures as per as recovery for the disaster events are concerned. There are many steps needed to follow for formulating the disaster recovery plan that has been appropriate for their particular business. The steps needed for the disaster recovery plan is outlined hereafter. At first, the risks are needed to be assessed (Morreale, Goncalves and Silva 2015). Then the critical processes, functions and systems are needed to be established. Then the qualitative effects of the systems are needed to be documented. This is on the basis of operational and financial costs.  Further, STP must establish their individual RPO and RTP for every system. Then the systems are to be ranked according to the priority (Ju 2014). The prevention strategy is needed to be determined and the response strategy is needed to be documented. The recovery strategy is needed to be outlines and the recovery plan is required to be tested.

Backup planning for STP

This includes the providing for safety and well-being of the people during disaster. STP must continue complex business operations. They must minimize the time of serious disruptions to the resources and operations. The immediate damages must be minimized. The efficient coordination of the recovery tasks must be facilitated. The complexity of the recovery effort is to be reduced. The supporting functions and critical lines of business must be identified.

The vulnerability to the important service interruptions in the business facilities and data centre must be determined. The service, economic and public images must be analyzed and identified. The quick, intermediate and the widened resource perquisites and recovery needs must be determined.

Here, the strategies must define the methods for implementing the needed resilience such that the guidelines of the incident restoration, recovery, response, detection and prevention are placed. These strategies must define what they have planned to perform while reacting to the incident as the plans describe what has been needed to be done. As the critical systems are identified to the RPOs and RTOs, would help to formulate the strategies of disaster recovery used to protect them.

The initial task of the backup administrator at STP is needed to be understood, defined and controlled regarding what data is to be protected and backed up. For decreasing the risk of data loss, STP needs to back up the databases and back up files. However, they also need to back up the applications, operating systems and configure all that could be (Baham et al. 2017). As the virtualization is used, the management consoles and hosts are needed to be backed up apart from the VMs or virtual machines. As the cloud IaaS or cloud infrastructure-as-a-service is used, STP needs to include that in the scope. Further, they must not forget the mobile devices. The tablet of the CEO of STP must be holding the critical data of the company that could be more vital that the data stored in some of their servers. The backup scope must be revisited all the time the infrastructure gets changed. It must be reminded that the new devices, solutions and services all have been using the data. The motto of STP should be backing up often and backing up all the things.

As the backup solution is chosen, STP must assure that it can protect all the data. Hence otherwise some data might remain unprotected or might require various solutions of backups. Here, for instance, as there is any physical server in the data center, the resolutions backing up the VM’s has not been sufficient (Couto et al. 2014). Rather than this, STP requires to implement different, disparate solutions. Further, they can use the solution backing to all the devices and the systems in the scope of the backup.

Further, the Recovery Time Objective or RTO has been the target time set for the recovery of the business activities and IT after the disaster gets struck. The main aim here is to measure how fast they require the recovery that could dictate the preparations and time needed for implementing. The entire budget must be assigned to the business continuity (Aldrich 2015). For example, as STP has been five hours, indicates that the business could be surviving with the systems that have been down for the quantity of time. Then, STP must assure the high level of preparing and the higher budget for ensuring the high level of preparing. This also includes the higher budget for ensuring that the systems could be quickly recovered. The RTO is of two weeks on the other hand. Here one could generally budget less and invest lesser advanced solutions.

Disaster Recovery Planning

Moreover, the RPO is also another measure for the Strategy for data backup including calculations. This is focused on the information and the loss tolerance of the STP regarding the data. The RPO is determined through looking at the time happening between the data backups and the quantity of data that could be lost among the backups (El-Serafy et al. 2014).

As the component of the planning of the business continuity, STP requires to figure out the time they could afford to operate devoid of the data till the business suffers. RPO is the indicator of the frequency that helps in backing up the data in case the work gets saved. As the business could survive few days in between the backups, in that the RPO must be the shortest time between the backups.

STP must use the devices of backup storages for providing the redundant copies of information that they consider vital for their sustained business activities. The devices could include the dedicated hardware appliances of backup and the systems of magnetic taped (Sakano et al. 2016). The system of data deduplication consists of HDDs and the equipped software for setting policies in the data reduction and backups.

The current storage systems of data backup keep data at the blocking level. This is done by utilizing the software for keeping track not only for the data blocks under the file changing the last complete backup. The process under the changed block tracking has been sending the changed blocks to the backup storages.

The backup software has been vital. This is been consisting of the trusted and comprehensive backups among the most vital considerations for both people and business of STP. This has been irrespective of whether Windows Server or PCs, Unix or Mac environment is run (Sahebjamnia,  Torabi and Mansouri 2015). In the smaller computers the Office 365, MS SQL, the accounting and payroll packages of STP is needed to be secured.

The best way to save data in the mobile devices is the usage of automatic backup programs. Various phones of current era possess the cloud services that are built in. The mobile users taking benefits of the services have been highly restricting the chances to lose data. The cloud services have been effective for the trusted data storages (Ma et al. 2015). This is because the files have been present on the remote server. As the mobile and the PC are lost at the same time, there is still access to the data. STP could also set the devices for backing up the vital files automatically that they has been in range to the Wi-Fi network.

STP might start with their disaster recover or DR plan with the précis of the important action measures and the list of vital contacts and the list of vital contacts. Thus the most important data is easily and fast accessible (Ma et al. 2015).  The planning must define the tasks of members of disaster recovery team and show the criteria for launching the plan into effective action. The plan specifies the in-depth incident reactions and the recovery activities.

DDoS Attack Mitigation

Conclusion:

It has been basically impossible to seek who has been flooding STP through technical means. STP should secure them by assuring that the infrastructure has been protected against the hackers. The report shows that there are various ways for achieving the DoS. It might take huge time in enumerating all of them. The report shows that the data on the server could be backed up. The backup of hard copy of vital records could be done through scanning the written documents to the digital formats and permitting them to support the other digital data. It must be reminded that the business never stays the same. They grow, alter and realign.  The disaster plan for STP must be reviewed on daily basis and upgraded for assuring them it shows the present state of the business and meeting the aims of the organization. This must be reviewed and should be tested for ensuring that it must be the success as it gets implemented.

Replication of Databases:

A proper replication of database is recommended for STP. As far the proper configuration and the access towards working on database servers are there, the DR will not encounter any problem. This must also include the correct configuration of the DR environment. This would make the writing to the configured database. This phenomenon never cares about whether the previous data is present. However, STP cannot report on the data that I not present in the database. As the database replicated to DR, the reports must continue to be developed as usual and must contain desired data.

Backing up of User data:

In various cases the replication and keeping of the present data backup directories exists for the user data. Thus a proper solution of file replication is needed for STP. While restoring a site, the directory structure could be optionally recreated. As needed, at many times the files existing within the directories of the users never gets restored or backed up. As STP possesses the virtual folders generated in the VFS or Virtual File System using the UNC paths for sharing on the network, the shares exists and are available in the DR surrounding. However, if they are not there, the virtual folders must not work appropriately. Thus in this case, the client would never receive any failure message. This would take place as they try to browse through them. Further, this might also place as the home folder of the user is the virtual folder or remains under the virtual folder that gas been inaccessible. Hence, they could encounter errors as they log in.

References:

Aldrich, D.P., 2015. Social capital in post disaster recovery: strong networks and communities create a resilient east asian community. In Resilience and Recovery in Asian Disasters (pp. 19-34). Springer Japan.

Baham, C., Hirschheim, R., Calderon, A.A. and Kisekka, V., 2017. An Agile Methodology for the Disaster Recovery of Information Systems Under Catastrophic Scenarios. Journal of Management Information Systems, 34(3), pp.633-663.

Carter, P.A., 2016. Understanding High Availability and Disaster Recovery Technologies. In SQL Server AlwaysOn Revealed (pp. 9-28). Apress.

Couto, R.D.S., Secci, S., Campista, M.E.M. and Costa, L.H.M.K., 2014. Network design requirements for disaster resilience in IaaS clouds. IEEE Communications Magazine, 52(10), pp.52-58.

Day, J.M., 2014. Fostering emergent resilience: the complex adaptive supply network of disaster relief. International Journal of Production Research, 52(7), pp.1970-1988.

El-Serafy, M.A., Elsayed, A.M., Aly, M.H., El-Badawy, E.S.A. and Ghaleb, I.A., 2014, September. Multiple Routing Configurations for Datacenter Disaster Recovery Applicability and Challenges. In Computer and Communication Engineering (ICCCE), 2014 International Conference on (pp. 146-149). IEEE.

Ju, H., 2014. Intelligent disaster recovery structure and mechanism for cloud computing network. International Journal of Sensor Networks, 16(2), pp.70-76.

Khoshkholghi, M.A., Abdullah, A., Latip, R., Subramaniam, S. and Othman, M., 2014. Disaster recovery in cloud computing: A survey. Computer and Information Science, 7(4), p.39.

Kitayama, K.I., Yoshida, Y., Yamaguchi, Y., Nakajima, H., Nishimura, K., Bekkali, A., Oishi, M., Iwai, H., Ota, K., Sato, N. and Kamiya, N., 2015, December. High-speed optical and millimeter-wave wireless link for disaster recovery. In Globecom Workshops (GC Wkshps), 2015 IEEE (pp. 1-6). IEEE.

Liu, Q., Yu, M., Jia, H.L. and Chen, P.J., 2014. Network Control of Disaster Recovery Plan. In Advanced Materials Research (Vol. 945, pp. 2289-2292). Trans Tech Publications.

Ma, C., Zhang, J., Zhao, Y. and Habib, M.F., 2015, March. Scheme for optical network recovery schedule to restore virtual networks after a disaster. In Optical Fiber Communication Conference (pp. M3I-4). Optical Society of America.

Ma, C., Zhang, J., Zhao, Y., Habib, M.F., Savas, S.S. and Mukherjee, B., 2015. Traveling repairman problem for optical network recovery to restore virtual networks after a disaster. Journal of Optical Communications and Networking, 7(11), pp.B81-B92.

Minh, Q.T., Nguyen, K., Borcea, C. and Yamada, S., 2014. On-the-fly establishment of multihop wireless access networks for disaster recovery. IEEE Communications Magazine, 52(10), pp.60-66.

Morreale, P., Goncalves, A. and Silva, C., 2015. Mobile ad hoc network communication for disaster recovery. International Journal of Space-Based and Situated Computing, 5(3), pp.178-186.

Phillips, B.D., 2015. Disaster recovery. CRC press.

Raj, M., Kant, K. and Das, S.K., 2014, August. E-DARWIN: energy aware disaster recovery network using wifi tethering. In Computer Communication and Networks (ICCCN), 2014 23rd International Conference on (pp. 1-8). IEEE.

Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A., 2015. Integrated business continuity and disaster recovery planning: Towards organizational resilience. European Journal of Operational Research, 242(1), pp.261-273.

Sahebjamnia, N., Torabi, S.A. and Mansouri, S.A., 2015. Integrated business continuity and disaster recovery planning: Towards organizational resilience. European Journal of Operational Research, 242(1), pp.261-273.

Sakano, T., Kotabe, S., Komukai, T., Kumagai, T., Shimizu, Y., Takahara, A., Ngo, T., Fadlullah, Z.M., Nishiyama, H. and Kato, N., 2016. Bringing movable and deployable networks to disaster areas: development and field test of MDRU. IEEE Network, 30(1), pp.86-91.

Sengupta, S. and Annervaz, K.M., 2014. Multi-site data distribution for disaster recovery—A planning framework. Future Generation Computer Systems, 41, pp.53-64.