The Importance of a Great Backup Plan
Ransomware attacks are increasingly frequent and precise; here’s what you can do to protect your backups.
In a world under threat from state actors of every stripe, ransomware attacks and regulatory nightmares associated with malware are now targeting backup data. Unsurprisingly, everyone is in a state of heightened concern.
Enterprises are trying anything and everything to preserve data backups, from strategically scattering important data to heavy investments in disparate data protection resources and processes. But as data proliferates, organizations are also landing on vast silos of fragmented data that actually broaden their attack surfaces.
Increased activity, increased threat
Cybercriminals have shifted tactics from the opportunistic attacks of yesterday to the more deliberate, persistent threat attacks we see today. Bad actors have built capabilities into their malware so that it spreads automatically across networks. This ensures ransomware will persist, even if the original entry point is remediated.
Cybersecurity Ventures cites 2021 research showing that a ransomware attack occurs every 11 seconds, costing global businesses billions. The Cybersecurity Ventures study also projects that ransomware is going to cost industries $10.5 trillion worldwide by 2025.
And now, cybercriminals are aggressively targeting backup data in an effort to control or destroy what was once regarded as an organization’s last line of defense. Specifically, attackers are modifying their malware to locate and eliminate backups.
Get in front of the issue now
Effective planning is essential to minimize risk. Making backup data less accessible to cybercriminals is the goal. Whether your role comes into play during an attack or during remediation, you need to plan your readiness today.
To get there, you’ll need a modern backup process that’s immutable and air-gapped.
- An immutable backup is a backup file that can't be altered in any way. An immutable backup should be unchangeable and able to deploy to production servers immediately in case of ransomware attacks or other data loss.
- An air-gapped backup is a copy of your organization's data that's offline and inaccessible. Without an internet or other network connection, it's impossible for your backup device to be remotely hacked or corrupted.
An air gap makes it virtually impossible for hackers to remotely access your information when it is isolated from the public internet or a LAN. This means that at any given time, a tertiary copy of your sensitive data is offline, disconnected and inaccessible from the internet.
Traditional air gaps used tape media. Today, the cloud has emerged as an alternative. However, it is important that the architecture is designed in such a way that the data is stored in isolation. Air-gapped backups do not solve for a situation where production environments are infected and then backed up.
Say your data gets compromised and you need to restore from a backup. You need a good plan for how to execute your restoration.
Encryption, write-once-read-many (WORM) storage devices, built-in fault tolerance and immutable data can strengthen the layers of protection against the ransomware most companies are experiencing. Still, there is no 100% fail-safe solution.
Separation is the goal — separate networks, usernames, passwords, multi-factor authentication and access controls. Otherwise, if your backup is part of the original infrastructure, it’s easier for a bad actor to pivot and compromise it as well.
Isolate and disconnect
Malware spreads so quickly today because of multiple connections across the same network. Attackers will find a way in through either weak access, vulnerable software or user misconfiguration. A 2020 study found there are some 230 million internet-facing cloud misconfigurations available to bad actors every day.
Without isolation, production data can become compromised just as quickly as your backup data. You can overcome this threat by physically separating your data into a storage location that’s not connected to any network.
Some customers prefer SLAs that have them back up and accessing their data within minutes, while others are satisfied with driving across town to retrieve a stored, encrypted physical copy of data backup tapes and restore. The choice is based on individual business requirements.
Take control through resilience and redundancy
First there were ransomware attacks, then attacks on production environments, and now, we’re seeing attacks on backups. And it’s only escalating — we expect state actors of varying origin to become involved in some way.
To keep your business running, you need to know about an attack early on so that you can take immediate action. You’ll want a next-generation, nimble backup platform that can minimize recovery time. And it’s important to remember that you can never fully mitigate the risk of an attack. However, if something happens, an isolated and redundant solution will help ensure that you have clean copies of your backup data.
Test every quarter
It’s vital also to test your data/backup recovery plan at least once per quarter. When the time comes to restore your data, your previous rehearsals of this process will prevent surprises and a scramble to learn proper restoration procedures. Run a mock restoration process into non-production at least quarterly.
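A minimal version of such a mock restoration, as an added example that is not part of the original article: it restores a tar archive into a scratch (non-production) directory and compares every file against a SHA-256 manifest taken at backup time. The tar format, the manifest layout and all function and file names are assumptions chosen for illustration.

```python
import hashlib, shutil, tarfile, tempfile
from pathlib import Path

def build_manifest(root):
    """Relative path -> SHA-256, taken at backup time and stored apart from the backup."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_drill(archive, manifest, scratch):
    """Restore into a non-production scratch directory and diff against the manifest."""
    scratch = Path(scratch).resolve()
    with tarfile.open(archive) as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue
            dest = (scratch / member.name).resolve()
            # Restore only regular files that stay inside the scratch directory.
            if not member.isfile() or not dest.is_relative_to(scratch):
                raise ValueError(f"refusing archive member: {member.name}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(tar.extractfile(member).read())
    restored = build_manifest(scratch)
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "unexpected": sorted(restored.keys() - manifest.keys()),
        "modified": sorted(k for k in manifest.keys() & restored.keys()
                           if manifest[k] != restored[k]),
    }

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data throughout
        prod, staged, scratch = (Path(tmp, n) for n in ("prod", "staged", "scratch"))
        (prod / "db").mkdir(parents=True)
        scratch.mkdir()
        (prod / "db" / "orders.csv").write_text("id,total\n1,40\n")
        (prod / "db" / "users.csv").write_text("id,name\n1,ana\n")
        (prod / "app.conf").write_text("mode=prod\n")
        manifest = build_manifest(prod)
        # Simulate a backup that silently went bad: one file altered, one lost, one extra.
        shutil.copytree(prod, staged)
        (staged / "db" / "orders.csv").write_text("\x00" * 16)
        (staged / "db" / "users.csv").unlink()
        (staged / "extra.bin").write_text("not in manifest")
        archive = Path(tmp, "backup.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(staged, arcname=".")
        return restore_drill(archive, manifest, scratch)

if __name__ == "__main__": print(demo())  # any non-empty list is a failed drill
```

A drill passes only when all three lists are empty; keeping the manifest outside the backup system means a tampered backup cannot also rewrite the reference hashes.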
Consider the usefulness of your data
In a modern cloud-like world where data must be available on-demand, the traditional ideal of a golden copy of your data on a tape that’s separate from any system is untenable because of your need to restore instantly. Long-term retention on tape is passé, and even seven-year retention should be on disk now.
It’s one thing to sterilize an archive, but you must also be able to recover from it. Original backup data should be kept in an immutable state and never exposed, to prevent it from being mounted by an external system.
Be proactive and plan for the unexpected
Your overall security strategy goal: Have a great backup plan. Because you can never be fully protected, resiliency and redundancy are key.
Don’t wait until it’s too late and your business suffers. The desired result is to be able to identify a ransomware attack quickly and head off problems earlier, enabling productive work to continue.
About the Authors
Product Director, Private Cloud
Michael Levy is product director for private cloud at Rackspace Technology. Previously, he was a core member of the CenturyLink team that spun out Cyxtera Technologies. He entered the world of cloud services and internet infrastructure as an analyst for 451 Research where he provided advisory for industry leaders, emerging players, and investors. He lives in Manhattan with his wife, two daughters, and dog.