Freely subscribe to our NEWSLETTER

Charlie Smith, Consultant Solutions Engineer at Barracuda, says “Discovering, disabling, or deleting backup data is now an integral part of a ransomware attack. If your backup plan has any security gaps, attackers will find and exploit them.

Backup strategies that attackers like

• High levels of access to backup software — The more people with access rights to your backup software, the greater the risk that attackers can use stolen credentials with domain admin or other privileged access rights to break in.
• Network-connected backup systems — If your backup system is connected to your corporate network, intruders can move laterally from an infected endpoint to discover and gain access to your backup software and either turn off, wipe, or delete the backup files.
• Remote access to backup systems — If your backup systems need to connect remotely to servers for backup or administration, then a lax approach to password authentication can open a channel to protected systems if these passwords are guessed or stolen.
• Infrequent backups — Even if you have an effective backup, if you back up infrequently you may still lose days, weeks, or even months of data if you suddenly need to restore data following a crisis.
• Untested backups — It seems obvious, but you won’t know your backup-and-restore process works unless you test it.
Anything that makes your backup unreliable will increase attackers’ chances of getting you to give in to their demands. Securing backup software and appliances is critical. Robust protection will minimize and mitigate the risk of attackers discovering and wiping backup data before an attack takes place to prevent the victim from restoring their systems after an attack.
A backup strategy that attackers won’t like
If you want to build a robust backup strategy that is focused on security as well as business continuity, the following best practices should help:
• Back up everything, not just business data. A full system backup will enable you to recover systems faster after an incident.
• Try to avoid running your backup manager on the Windows operating system as attackers can breach these relatively easily. A Linux or other operating system may be more secure.
• Make sure your backup server is running anti-malware software.
• Consider implementing an automated backup service that will ensure all data is regularly backed up, so you have minimal data loss when restoring.
• Ensure your backup systems are not connected to your corporate domain, where an attacker with a compromised domain admin account can gain access.
• Implement multifactor authentication (MFA) and role-based access control (RBAC) to ensure that only a small number of authorized users can access your backup. The ability to purge backup files should only be given to a very small number of users.
• Replicate your backups off-site to a remote location or a cloud provider that offers an air-gapped layer of security between your local, on-premises backup server and the off-site location.
• If you are backing up data in the cloud, it makes sense to keep the backup in the cloud as this is more secure.
• Ensure that all backup data is encrypted, both while at rest and in motion.
• Apply the gold standard of 3:2:1 — three backup copies, using two different media, one of which is kept offline.
Good intentions can be undone by poor implementation. Do everything with care and then test it.
For every story of a local backup server that was attacked but the business was saved by the copy of data held off-site, there’ll likely be a story about how attackers were able to delete both the primary and secondary copies of backup data simply because they shared the same security access.”

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea says “World Backup Day is a reminder for all organisations to review their backup strategy and ensure it is resilient against cyber-attacks.
Companies tend to increasingly rely on online backups, but if they use the same credentials as their production systems for a speedy recovery, that makes it very easy for cybercriminals to access, exfiltrate or encrypt sensitive data with ransomware. Keeping a copy offline is only half of what’s needed to protect digital assets, and organisations should also implement privileged access security to restrict and closely monitor access to backups.
A secure backup rather than a speedy back is what will bring your business back after a cybersecurity incident, use World Backup Day to check your strategy is top-notch.”