Backup security was never much on the radar until cybercriminals started to raise their ransom demands.
They found that their victims could sometimes ignore their requests as they had good backups to fall back on. That led to a revised ransomware strategy that involved backups. Suddenly the security of backups moved front and center.
Here are some of the top trends in the backup security market:
1. Infected backups
Doron Pinhas, CTO at Continuity Software and co-author of the NIST Special Publication “Security Guidelines for Storage Infrastructure,” said that modern data-targeted attacks explicitly focus on storage and backup systems.
“By destroying backup copies in addition to encrypting and locking data, cybercriminals put much more effective pressure on victims to pay the ransom,” said Pinhas.
Many ransomware victims found that when they turned to their backups to recover their data, they were recovering infected files within the backup copies. Result: They remained in the grip of a ransomware attack and still could not access their data.
“By infecting backup media, cybercriminals can ensure attacked environments will remain compromised even after the organization restores them to the last known good configuration,” said Pinhas.
2. Data theft from backups
Cybercriminals are getting picky. As well as infecting files in general, they want to find the most sensitive, confidential, and valuable data.
Intellectual property or databases of key customers are a couple of examples. Such repositories are often the most protected.
Hackers might try for months to infiltrate these data sources without success. But another attack vector often bears fruit – via the backups.
“Realizing that storage and backup system security often lags, cybercriminals steal data directly off the backup media (and, in particular, cloud and offsite backups),” said Pinhas with Continuity Software.
“It is often much faster, evades data loss prevention solutions, and takes advantage of backup mechanisms, which often enjoy a high level of trust by other components of the data center. Thus, backup systems can be manipulated to exfiltrate otherwise hard-to-reach data.”
3. Backup safeguards
Accordingly, awareness is slowly rising that lax security in storage and backup systems must be stamped out.
Pinhas with Continuity Software recommends:
- Make sure you address storage and backup vulnerabilities by applying the applicable patches and tracking common vulnerabilities and exposures (CVEs).
- Harden your storage and backup services by removing unnecessary services, disabling insecure protocols, using central access rights management, disabling or securing local device management features, using multi-factor authentication (MFA), and configuring encryption in a secure manner.
- Segregate your backup environment from others at multiple levels: network, users and roles, and by business function (application level, dev/testing, etc.).
“Test your backup solutions and continuously scan all storage and backup systems for security misconfigurations and vulnerabilities,” said Pinhas.
4. Single pane for multiclouds
Multi-cloud environments are becoming the norm.
As a result, management can get complex due to there being so many consoles to check. This can lead to sloppiness and misconfigurations.
“Invest in backup solutions that address data protection requirements in the data center, public cloud and edge environments, and favor solutions that offer a single pane of glass to manage these distributed environments,” said Gartner analyst Michael Hoeck.
“Choose products that offer a secure and granular recovery testing experience.”
Hoeck also recommends the selection of “backup tools that provide a comprehensive solution for ransomware anomaly and malware detection as well as expedited recovery capabilities from ransomware attacks.”
Yes, immutable copies are important: create second copies of backups through write once, read many (WORM) software and immutable snapshots. But that is not enough.
Systems are also appearing, said Hoeck, that can spot ransomware attacks by monitoring behavioral anomalies of protected data and are adding malware detection provided by partnering with security vendors or by developing these capabilities in house.
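The hardening checklist from Pinhas (insecure protocols, MFA, local management accounts, encryption, segregation, patching) and the immutable-copy point from Hoeck can be turned into a repeatable configuration scan. The following is an added example, not code from the article or from any vendor it quotes; the field names, the insecure-protocol list, and both sample targets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Protocols treated as insecure for a backup target (assumed list for the example).
INSECURE_PROTOCOLS = {"telnet", "ftp", "smb1", "nfsv3", "http"}

@dataclass
class BackupTarget:
    """Minimal inventory record for one storage/backup system (constructed schema)."""
    name: str
    protocols: set
    mfa_required: bool           # MFA enforced on the management interface
    local_admin_enabled: bool    # local device management account still active
    encryption_at_rest: bool
    immutable_retention_days: int  # 0 = no WORM / immutable snapshot lock
    network: str                 # CIDR of the segment the target lives on
    pending_cves: list = field(default_factory=list)

def audit(target, production_net):
    """Return (severity, message) findings for the hardening points listed above."""
    findings = []
    insecure = target.protocols & INSECURE_PROTOCOLS
    if insecure:
        findings.append(("high", f"insecure protocols enabled: {sorted(insecure)}"))
    if not target.mfa_required:
        findings.append(("high", "MFA not enforced on management interface"))
    if target.local_admin_enabled:
        findings.append(("medium", "local device management account still enabled"))
    if not target.encryption_at_rest:
        findings.append(("high", "backup data not encrypted at rest"))
    if target.immutable_retention_days <= 0:
        findings.append(("high", "no WORM/immutable retention: copies can be deleted or overwritten"))
    # Segregation check: the backup segment must not overlap the production network.
    if ipaddress.ip_network(target.network).overlaps(ipaddress.ip_network(production_net)):
        findings.append(("medium", f"backup segment {target.network} overlaps production {production_net}"))
    if target.pending_cves:
        findings.append(("high", f"unpatched CVEs: {target.pending_cves}"))
    return findings

# Constructed sample inventory: one weak target and one hardened target.
PRODUCTION_NET = "10.0.0.0/8"
WEAK_TARGET = BackupTarget("nas-backup-01", {"smb1", "nfsv3", "https"}, False, True, False, 0,
                           "10.20.0.0/16", ["CVE-0000-0000 (placeholder)"])
HARDENED_TARGET = BackupTarget("vault-02", {"https"}, True, False, True, 30, "172.16.50.0/24")

if __name__ == "__main__":
    for t in (WEAK_TARGET, HARDENED_TARGET):
        for severity, msg in audit(t, PRODUCTION_NET):
            print(f"[{severity}] {t.name}: {msg}")
```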
Jesper Tohmo, CTO and co-founder of ShardSecure, noted that the traditional practice of storing backups on tapes provided an added layer of protection, since physical access to the tapes was necessary to access the data.
This is known as an air gap. It is a smart strategy that is still used widely. However, many have moved to cheap storage in the cloud provided by AWS and others and no longer have that kind of protection.
“Even with encryption of cloud-based backups, a complete dataset will be available and vulnerable to attackers in the backup location,” said Tohmo.
“One alternative is to use a solution that microshards data and distributes it to multiple customer-owned locations. This kind of microsharding solution allows customers to protect their data in the cloud and achieve a quick recovery if needed.”