As a last line of defense at the battle of Gettysburg, the Union regiment led by Colonel Joshua Lawrence Chamberlain, at Little Round Top, made a desperate, yet strategic move that halted the Confederate assault and helped tilt the outcome of the war.
His men out of ammunition, they turned to bayonets. A single “right wheel forward” maneuver, orchestrated by Chamberlain, not only stopped the seemingly overwhelming Confederate threat, but reinforced the strength of a timely, calculated strategy.
2021 continues to be a battleground for businesses and cyber attacks. Just last week, news broke of global consulting firm Accenture being hit by a LockBit ransomware attack, inspiring one cyber security leader to reference the current state of affairs as a “cyber-pandemic.”
Certainly anyone, including large-scale entities like Accenture, can fall victim to cybercrime. Attacks on SMBs amounted to 28 percent of all cyber attacks in 2020, according to the Verizon 2021 Data Breach Investigations Report. Furthermore, malware attacks (which include ransomware) are 2X more likely for SMBs.
Businesses commit IT hardware and budgeted funds to their defense against cyber attacks. But amidst their strategy, have they considered their last line of defense... their backup solution?
A backup is a critical component of any Business Continuity and Disaster Recovery (BCDR) plan. If a server is infected with ransomware, or critical files are deleted in error, your backup solutions are essential to restoring. But restore times can vary widely depending on the solution. Even worse, your backups themselves may be targeted by hackers.
In the war against cybercriminals, what maneuvers can help you halt the assault on your business? Can you defend your last line of defense?
3 Common Ways Backup Attacks Occur (And How to Defend Against Them):
Three major types of threats today include hacking (stolen credentials, backdoors), errors (misconfiguration, misdelivery, loss) and malware (ransomware, viruses, etc.). Let's take a look at each one and its associated backup vulnerability.
By definition, a hacker is a malicious actor who looks for weaknesses in computer systems, applications and networks to compromise the associated systems and/or to steal data. With regard to backup, hackers are increasingly looking at vulnerabilities in backup software, backup files, and the systems on which backup data is stored.
- Backup Software: Backup software solutions, by nature, require a high level of access to files, systems, virtual machines, databases, and other aspects of a computing environment. Hackers have been known to steal the credentials of a backup administrator as a backdoor to access systems and data. Additionally, some backup products maintain a configuration database that stores the credentials required to connect to the systems they back up. If that database is compromised, a hacker could potentially gain access to every protected system.
- Backup Files: Backup files can be targets simply because backup file extensions, e.g. .BAK, are easy to find. Hackers may gain access to the backup software and either turn off or delete the backup files.
- Remote Access: Since many backup products must connect remotely to servers to back them up or to administer backups, using password authentication can open up a path to attack protected systems, simply because passwords are easy to steal. Additionally, if you are using a remote monitoring and management (RMM) solution to administer backups, this could also be a point of attack.
- Backup Encryption: It isn't uncommon for backups to be encrypted. However, if an attacker gains access to the encryption key, they have the ability to read the backup and/or change the key to make the data inaccessible. That's why it is essential to follow backup encryption key best practices, such as storing the key on a separate machine, physically securing that machine, etc.
Best backup practices include:
- Use two-factor-authentication (2FA) to access your backup software admin portal.
- If you utilize a backup appliance, ensure you cannot connect to it directly via a simple LAN connection.
- For remote access, do not use passwords. Utilize key-based SSH authentication instead. If you are using a separate product to administer backups, such as an RMM tool, make sure it also has 2FA.
- Make sure that you keep backup copies in a safe, secure location - preferably geographically dispersed from the primary data and backups.
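The key-based SSH recommendation above is only effective if sshd actually ends up with password logins disabled. The following check is an added example (not Datamax's or any vendor's code) that mimics two sshd rules that trip up audits: the first occurrence of a keyword wins, and keyboard-interactive (ChallengeResponse) logins must be turned off too or PAM can still prompt for a password. The sample configs are constructed.

```python
import re

# Directive -> sshd's compiled-in default when the directive is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",  # keyboard-interactive; with UsePAM this still asks for a password
    "pubkeyauthentication": "yes",
}
# What each directive must resolve to for key-only remote access.
WANTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text: str) -> dict:
    """Resolve the audited directives the way sshd does: keywords are case-insensitive,
    the FIRST occurrence wins, and lines after a Match block are conditional (so we stop)."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            effective[key] = parts[1].strip().lower()
            seen.add(key)
    return effective

def weak_settings(config_text: str) -> list:
    """Directives whose effective value still permits password-style logins."""
    effective = effective_settings(config_text)
    return sorted(k for k, v in WANTED.items() if effective[k] != v)

# Constructed sample: an admin appended the "fix" at the bottom, but the first line wins.
WEAK_CONFIG = """PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, silently ignored by sshd:
PasswordAuthentication no
"""
HARDENED_CONFIG = """PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    print("weak:", weak_settings(WEAK_CONFIG))
    print("hardened:", weak_settings(HARDENED_CONFIG))
```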
Everyone falls victim to that “oh no” moment at some point. You delete something unintentionally. Human error is inevitable. Below are some common errors that impact your ability to restore.
- Backup file deletion: It is easy to find the file extension name for backups. This makes it easy for malicious actors to find them. However, accidental deletion can occur as well. Since backup files can be large, there is nothing to stop someone from "reclaiming the space" used by a large backup file.
- Decommission or remove storage: This is an especially important consideration in larger environments with multiple systems administrators. If one sysadmin doesn’t know what the other is doing and the storage provisioned for backups is removed or deleted, you’ve got a problem.
- Agent deletion: It’s not uncommon for servers to come and go or applications to be upgraded or even a virtual machine to be moved, renamed or deleted. Sometimes in the midst of this type of action the backup software agent and/or entry is deleted, so those machines will no longer be backed up.
- Upgrades: Step one of any upgrade is to "back up before you make changes," but what if the upgrade is the backup solution itself? Many legacy backup products rely upon catalogs or indexes of the data that gets backed up. If those catalogs or indexes are overwritten, deleted, renamed, etc., the backups themselves may be unreadable even though the backup file itself exists.
Best backup practices include:
- The more copies the better. Modern backup software doesn’t have the problems or level of overhead legacy solutions have when it comes to backups. Most modern solutions can provide numerous point-in-time recovery points as granular as the backups occur (5 minutes to 24 hours for example).
- Implement access controls for backup files, limiting who can delete them.
- Replicate your primary backups. The most common restore occurs from a backup that is less than 48 hours old, so why not replicate a copy of the recent backups to a secure cloud or another server within your organization?
- If you have backup software that utilizes catalogs or indexes, be sure to back them up. Also, look for modern backup solutions that aren’t as easy to corrupt.
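Replicating recent backups and backing up the catalogs only helps if someone verifies that the replica really holds them. The check below is an added example (not Datamax's or any vendor's code) that compares a primary manifest against a replica manifest for the 48-hour window the text mentions: it reports recent backups missing from the replica, copies whose hashes disagree, catalog/index files that were never replicated, and how many trustworthy recovery points remain. The catalog suffixes, file names and hash values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

RECENT_WINDOW = timedelta(hours=48)      # the window most restores come from
CATALOG_SUFFIXES = (".catalog", ".idx")  # assumed naming for catalog/index files

def audit_replica(primary: dict, replica: dict, now: datetime) -> dict:
    """Check that recent primary backups exist, unaltered, on the replica.
    primary/replica map file name -> (UTC timestamp, sha256 hex).
    Empty lists in the result mean the replica can be relied on."""
    missing, mismatched, good_points = [], [], 0
    for name, (stamp, digest) in primary.items():
        if now - stamp > RECENT_WINDOW:
            continue                      # older copies are kept, just not audited here
        if name not in replica:
            missing.append(name)
        elif replica[name][1] != digest:
            mismatched.append(name)       # silent corruption or tampering on one side
        elif name.endswith(".bak"):
            good_points += 1              # a recovery point that can actually be trusted
    unprotected_catalogs = [n for n in primary
                            if n.endswith(CATALOG_SUFFIXES) and n not in replica]
    return {"missing": missing, "mismatched": mismatched,
            "unprotected_catalogs": unprotected_catalogs,
            "recovery_points": good_points}

NOW = datetime(2021, 8, 16, 12, 0, tzinfo=timezone.utc)   # constructed audit time

def _ago(hours: int) -> datetime:
    return NOW - timedelta(hours=hours)

# Constructed manifests; "a1", "b2", ... stand in for real sha256 digests.
PRIMARY = {
    "db-2021-08-16T06.bak": (_ago(6), "a1"),
    "db-2021-08-15T06.bak": (_ago(30), "b2"),
    "db-2021-08-14T06.bak": (_ago(54), "c3"),   # outside the 48h window
    "fs-2021-08-16T00.bak": (_ago(12), "d4"),
    "db.catalog":           (_ago(6), "e5"),
}
REPLICA = {
    "db-2021-08-16T06.bak": (_ago(6), "a1"),
    "db-2021-08-15T06.bak": (_ago(30), "b3"),   # digest differs from the primary copy
}

if __name__ == "__main__":
    print(audit_replica(PRIMARY, REPLICA, NOW))
```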
Ransomware, which falls into the malware category, is on the rise and is now the second most common type of malware, according to Verizon's report. Ransomware is typically distributed via phishing emails, which trick a user into clicking a link or downloading an attachment that installs the malware on their system.
Once the ransomware has been installed on a PC or server, it then begins searching for files to encrypt. Since ransomware spreads silently, it may take some time before making itself known. After the attackers believe they have thoroughly infiltrated the systems, they then begin encrypting files that will be made unavailable to the users and possibly deleted if the ransom is not paid.
- Backup files: Backup files are just another file type, so they can be encrypted by the ransomware too. If your backups have been compromised, there really is no way to recover other than paying the ransom. And since the file extensions for backup solutions are easily attainable, ransomware attackers can go after those files to ensure the compromised systems cannot be recovered.
Best backup practices include:
- Be proactive and scan for ransomware during backup. Most modern backup solutions offer ransomware scanning as an integral part of their solution.
- Keep backup copies offsite in a secure location. If your primary systems are compromised, including the (on-prem) local backups, you can restore your compromised systems locally or in the cloud with the untouched backups that have been stored in a secure, immutable, cloud storage repository.
- The more copies the better. With modern backup solutions, granular backups or “snapshots” provide multiple points in time to recover from.
- Consider BCDR solutions that allow you to recover business operations quickly, locally or in the cloud, when primary systems are compromised.
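One way a backup job can "scan for ransomware during backup," as the first practice above recommends, is to notice files whose contents suddenly look encrypted. The snippet below is an added illustrative heuristic (not Datamax's or any backup product's method): it measures the Shannon entropy of each file and flags plain-text formats that have become near-random, while skipping formats that are dense by design (archives, images, Office files). The sample files are constructed, with deterministic pseudo-random bytes standing in for ciphertext.

```python
import math
import os
import random

# Formats that are compressed or encrypted by design and legitimately look random.
DENSE_BY_DESIGN = {".zip", ".gz", ".7z", ".docx", ".xlsx", ".pptx", ".jpg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted output sits close to the 8.0 maximum
MIN_SIZE = 64             # too few bytes to estimate entropy meaningfully

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspect_encrypted(files: dict) -> list:
    """Names of files whose type should be plain but whose bytes look encrypted."""
    flagged = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if ext in DENSE_BY_DESIGN or len(data) < MIN_SIZE:
            continue                      # expected to be dense, or too small to judge
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            flagged.append(name)
    return flagged

# Constructed sample set (not real files).
_rng = random.Random(1)
_random_bytes = bytes(_rng.randrange(256) for _ in range(4096))
SAMPLE_FILES = {
    "report.txt": b"The quarterly numbers are attached for review.\n" * 100,
    "ledger.csv": _random_bytes,          # plain format with random content: ransomware-like
    "photo.jpg": _random_bytes,           # dense format, expected to look random, not flagged
    "note.txt": b"ok",                    # below MIN_SIZE, skipped
}

if __name__ == "__main__":
    print(suspect_encrypted(SAMPLE_FILES))
```

A real scanner would compare each file's entropy against its last backed-up value rather than a fixed threshold, so a jump on a previously low-entropy file triggers the alert.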
When it comes to guarding against hacking, malware, or human error, your backup solution is not just your critical recovery tool - it could be another one of your vulnerabilities. Datamax can help secure your last line of defense with the proper cyber security strategy, including a BCDR plan. Interested in learning more? Let's visit!