First off, I’m not a subject matter expert in backup or security. Thankfully I lead a team of individuals with specialized expertise in both areas who can help discuss, build, and facilitate solutions to meet your business requirements. With that said, the interrelationship of backups and security becomes more and more evident every day.
Backups play a critical role in protecting your data from a disaster, whether it’s natural or man-made, and ensuring you can get your organization back on its feet. In the past, few people thought of backups as being an integral part of a security strategy, but there’s no denying the important role they can play in today’s risk-filled, connected world. As Charles Carmakal, vice president at FireEye’s Mandiant, stated at the recent RSA conference, “Most of the time, when a threat actor has full control over an Active Directory environment, it’s trivial for him to gain access to the backup environment and destroy the data…it’s best for organizations to lock down administrative access to the backup servers by requiring jump boxes, multi-factor authentication, and so on”.
Hackers are going after the heart of your business and the respirator that could keep it alive! Just look at the recent topic in Veeam’s forum, “Hackers can delete your Veeam backups”. It’s too often assumed that even if you get hit by ransomware, they’ll give you the opportunity to get your data back for a few bitcoins. But what if they don’t? Just like in the forum, they may simply have the malicious intent to wreak havoc on your organization. This highlights the importance of following and adhering to the 3-2-1 rule when approaching your backups, and the role cloud backups can play in protecting mission-critical, sensitive data.
What is the 3-2-1 rule and how are clients leveraging the cloud to help facilitate it?
D: The 3-2-1 rule is fairly simple. It’s 3 copies of your data on 2 different mediums and 1 maintained offsite. I’m seeing an increase in the adoption of cloud backups. I think it’s a lot easier and simpler for a company to spin up cloud services, specifically BaaS and DRaaS in this case, and they don’t typically have a lot of upfront costs. You can even use some of your current investments like Veeam, Unitrends, and Data Protection Suite to tier your storage to the cloud for offsite backup, long-term retention or archiving.
How are backups being used to help bolster organizations’ security strategies?
D: In working closely with Jason, we’ve seen an increase in the number of our clients using backups as a way to ‘roll back the clock’ to the point in time before an attack or issue occurred. As mentioned above, backups have been used more recently to help organizations defend against potential ransomware. We have also seen an increase in air gapping, or segmenting the backups from the production network in order to protect them from outside threats.
What is the impact that ransomware has on backups?
J: We have seen ransomware specifically target backups and do one of two things. Oftentimes, ransomware will encrypt the backups and hold them hostage with the rest of the infrastructure; however, in a few instances we have seen ransomware simply delete all of the backups. In the Veeam forums post referenced earlier, users confirm that their backups were deleted, with logs showing that the backups had existed.
What is the best way to protect your company’s backups from ransomware and/or other attacks?
J: Users who follow the 3-2-1 rule are often less vulnerable to ransomware attack because they have one copy of their backup off-site. If the ransomware isn’t able to see the backup target on the network, it’s less likely to be able to delete or encrypt it. Additionally, on-site backups should be password protected and leverage two-factor authentication, which makes it harder for ransomware to access your backups with stolen credentials via a keylogger component or elevated privileges. Implementing VLANs can also reduce the attack surface area if ransomware gets into the network. This reduces the number of devices it is able to see on the LAN.
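As an added illustration of the 3-2-1 rule from the earlier answer and the point above about backup targets that ransomware can see on the network, here is a small inventory check (example code written for this post, not a Veeam or vendor API). The data model and the sample inventory are assumptions; the check goes one step beyond plain 3-2-1 by also requiring at least one copy that is not reachable from production hosts.

```python
# Added example: evaluate a backup inventory against the 3-2-1 rule
# (3 copies, 2 media, 1 offsite) and flag copies ransomware on the
# production LAN could reach. Assumed data model, not a product API.
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str            # e.g. "disk", "tape", "object-storage"
    offsite: bool          # stored outside the primary site
    network_visible: bool  # reachable as a share/target from production hosts


def check_321(copies):
    """Return findings; 'compliant' is True only when every part of the
    rule holds and at least one copy is unreachable from production."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium: {sorted(media)}")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    # A copy that is visible on the LAN is a copy ransomware can encrypt or
    # delete, so require at least one copy production hosts cannot reach.
    isolated = [c for c in copies if not c.network_visible]
    if not isolated:
        findings.append("every copy is reachable from the production network")
    return {"compliant": not findings,
            "findings": findings,
            "isolated_copies": [c.name for c in isolated]}


# Constructed sample inventory for one file server (not real data).
SAMPLE = [
    BackupCopy("local-repo", "disk", offsite=False, network_visible=True),
    BackupCopy("nas-replica", "disk", offsite=False, network_visible=True),
    BackupCopy("cloud-tier", "object-storage", offsite=True,
               network_visible=False),
]

if __name__ == "__main__":
    print(check_321(SAMPLE))        # full inventory: compliant
    print(check_321(SAMPLE[:2]))    # on-site copies only: four findings
```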
Backups are clearly a great way to help remediate issues after an attack. What are some recommended strategies or solutions to help proactively avoid security breaches?
J: The strategy with the highest impact on proactive protection is education. Properly educating employees about what suspicious e-mails and attachments look like is often more impactful in reducing threats than any single product. We can help with phishing simulators and interactive trainings in order to create a baseline and show improvement over time. This also holds users accountable and empowers them to be part of the organization’s first line of defense.
Historically, industry analysts were seeing malware take months or years before there was a new variant; now, analysts are seeing variants within hours of detection. For this reason, malware and ransomware specifically have been difficult to stop with traditional signature-based antivirus. There are things you can do with your existing infrastructure and some key additions to reduce your attack surface area:
- Turn on deep packet inspection (DPI) of Secure Sockets Layer (SSL) traffic on your firewall.
- If your firewall has URL filtering, turn on “malicious sites” even if you don’t want to restrict your users’ general surfing habits.
- Keep your endpoint protection up-to-date and fully enabled.
- Do not allow end users to have admin access on their devices.
- Enable two-factor authentication on admin accounts.
- Restrict access to VPN creation and SSH use. Enable two-factor authentication on these services.