Les Bell

The Australian Cyber Security Centre, aided by the US's Cybersecurity and Infrastructure Security Agency, has released a guidance package aimed at ensuring continuity of operations for both email communications and critical business applications following a significant incident - the most obvious example being a ransomware attack, but physical disasters do happen, too.

The package, entitled Business Continuity in a Box, is aimed at small and medium businesses and provides step-by-step instructions on how to deploy the necessary services in the cloud. It consists of three guidance documents plus a supporting PowerShell Script:

• ACSC Business Continuity In a Box - Overview
• ACSC Business Continuity In a Box - Communications
• ACSC Business Continuity In a Box - Applications
• ACSC Business Continuity In a Box - Automation Tool

The Communications document provides a detailed, step-by-step, plan for provisioning a replacement email service using a Microsoft 365 Business Standard Tenant (one can't help wondering if the focus on Microsoft's cloud is the first fruit of Microsoft's recent much-touted $A5 billion investment in cybersecurity and AI in Australia).

In stage 1, the user reviews the pack and verifies that they have the prerequisites (a Windows 10 or 11 computer, a phone, an email account, relevant information about the organisation - particularly access to its DNS configuration - and a credit card).

In stage 2, the guide walks the user through provisioning the MS 365 tenant, while in stage 3, they update the organisation's DNS entries, following provider-specific guidance supplied at the time by Microsoft. Stage 4 uses a PowerShell script to apply configuration settings to the MS 365 tenant and the associated Exchange Online instance. while the final stage validates the environment.

The guide seems to be well thought-out, with good explanations at an appropriate level for an only moderately technical user who is working quickly, under pressure, possibly somewhat panicked.

Despite my idle musings above, the guide does make the point that this MS 365 account can operate on a 30-day free trial, so it's not very profitable for Microsoft (but neither will it cost them much, either). But I wouldn't be surprised if Google and other SaaS providers produced similar guides for their own services.

The Continuity of Applications guide is, of necessity, much less detailed - there being so many different types of applications. It covers three stages - 1: determining the critical applications (essentially a crude Business Impact Analysis, described in a few paragraphs), 2: Determining a continuity path (selecting SaaS, PaaS or IaaS), and 3: deploying an IaaS application environment, IaaS being the fastest way to deploy an existing application, although some basic applications could be deployed on SaaS using low-code/no-code tools such as Microsoft PowerApps or Google AppSheet (unfortunately, not covered here).

The discussion for stage 3 covers the various architectural principles and patterns as well as relevant issues, and is more agnostic than the Continuity of Communications document, providing examples for MS Azure, AWS and Google Cloud. However, in all cases, a lot more preparation work will be required of the user, if they are to respond quickly to a business continuity incident.

Overall, this is a useful set of preparatory documents for SME's. What's more, we know from experience that at least some of the techniques described really work. Take, for example, the experience of Norsk Hydro, which suffered a targeted ransomware attack (Beaumont, 2019 and Clueley, 2019,) but quickly got on the front foot by deploying an interim web site in Azure and providing status updates to customers via email (which was unaffected since they were already using MS 365).

ASD and ACSC (with CISA), Business Continuity in a Box, documentation web page, 10 November 2023. Available online at https://www.cyber.gov.au/smallbusiness/business-continuity-in-a-box.

Beaumont, Kevin, How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business, DoublePulsar blog, 21 March 2019. Available online at https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880.

Clueley, Graham, In its ransomware response, Norsk Hydro is an example for us all, blog article, 3 April 2019. Available online at https://www.grahamcluley.com/in-its-ransomware-response-norsk-hydro-is-an-example-for-us-all/.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.