A CISO's Practical Guide to Storage and Backup Ransomware Resiliency
One thing is clear. The “business value” of data continues to grow, making it an organization’s primary piece of intellectual property.
From a cyber risk perspective, attacks on data are the most prominent threat to organizations.
Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as the IT infrastructure & systems that store the data.
Just a few years ago, almost no CISO thought that storage & backups were important. That’s no longer the case today.
Ransomware has pushed backup and recovery back onto the IT and corporate agenda.
Cybercriminals, such as Conti, Hive and REvil, are targeting storage and backup systems to prevent recovery.
Some ransomware strains – Locky and Crypto, for example – now bypass production systems altogether and directly target backups.
This has forced organizations to look again at potential holes in their safety nets by reviewing their storage, backup, and data recovery strategies.
To get insights on new storage, backup, and data protection methods, eight CISOs were interviewed. Here are some of those lessons.
CISOs are concerned about the rise of ransomware – not only the proliferation of attacks but also their sophistication: “The storage and backup environments are now under attack, as the attackers realize that this is the single biggest determining factor to show if the company will pay the ransom,” says George Eapen, Group CIO (and former CISO) at Petrofac.
John Meakin, former CISO at GlaxoSmithKline, BP, Standard Chartered, and Deutsche Bank, believes that “As important as it may be, data encryption is hardly enough to protect an organization’s core data. If attackers find their way into a storage system (as data encryption alone won’t prevent them from doing so), they are free to cause severe damage by deleting and compromising petabytes of data – whether they’re encrypted or not. This also includes the snapshots and backup.”
Without a sound storage, backup, and data recovery strategy, organizations have little chance of surviving a ransomware attack, even if they end up paying the ransom.
While storage & backup vendors provide excellent tools for managing availability and performance of their infrastructure, they don’t do the same for the security and configuration of those same systems.
Some storage and backup vendors publish security best practice guides. However, implementation and monitoring of security features and configurations is the responsibility of an organization’s security department.
There are, however, a number of cyber resiliency initiatives that are being carried out. These include:
Adding an air-gap means separating backups from production data. This means that if the production environment is breached, attackers don’t immediately have access to backups.
You can also keep storage accounts separate.
Snapshots record the live state of a system to another location, whether that’s on-premises or in the cloud. So if ransomware hits the production system, there is every chance the damage will be replicated onto the copy.
Immutable storage is the simplest way to protect backup data. Data is stored in a Write Once Read Many (WORM) state and cannot be deleted for a pre-specified period.
Policies are set in the backup software or at the storage level, which means backups can’t be changed or encrypted.
While immutability is helpful in remediating cyberthreats, it is certainly not bulletproof.
Immutable storage can be ‘poisoned’, enabling hackers to change the configuration of backup clients and gradually replace stored data with meaningless information. In addition, once hackers gain access to the storage system, they can easily wipe out snapshots.
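A constructed illustration of the two points above, added here and not part of the original article: a toy WORM store refuses deletes inside the retention window and keeps the original version, yet a reconfigured ("poisoned") backup client can still write junk as the newest version, which only an independent restore test against a digest recorded at backup time will catch. The WormStore and restore_test names, the sample backup bytes, and the day-based clock are all assumptions for the example.

```python
import hashlib
from dataclasses import dataclass, field


class RetentionLocked(Exception):
    """Raised when a delete hits an object version still under retention."""


@dataclass
class WormStore:
    """Minimal model of an immutable (WORM) backup target with a retention period.
    Writes only ever add a new version; nothing under retention can be removed."""
    retention_days: int
    versions: dict = field(default_factory=dict)  # key -> [(day_written, bytes), ...]

    def put(self, key: str, data: bytes, day: int) -> None:
        self.versions.setdefault(key, []).append((day, data))

    def delete(self, key: str, day: int) -> None:
        if any(day - written < self.retention_days for written, _ in self.versions.get(key, [])):
            raise RetentionLocked(key)
        self.versions.pop(key, None)

    def latest(self, key: str) -> bytes:
        return self.versions[key][-1][1]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def restore_test(store: WormStore, key: str, known_good: str) -> bool:
    """Verify the newest backup against a digest recorded out-of-band at backup time.
    Immutability alone cannot catch a poisoned client; a periodic restore test can."""
    return digest(store.latest(key)) == known_good


def run_scenario() -> dict:
    store = WormStore(retention_days=30)
    good = b"db-dump-day0:" + b"A" * 64  # constructed sample backup payload
    store.put("db", good, day=0)
    ledger = digest(good)  # assumed to live where the backup client cannot write

    try:
        store.delete("db", day=10)  # deletion attempt inside the retention window
        delete_blocked = False
    except RetentionLocked:
        delete_blocked = True

    store.put("db", b"\x00" * 77, day=11)  # poisoned client writes junk as the newest version
    return {"delete_blocked": delete_blocked,
            "latest_is_good": restore_test(store, "db", ledger),
            "first_version_intact": store.versions["db"][0][1] == good}
```

The first version survives, so recovery is still possible, but only a restore test that compares against an independently held digest reveals that the latest "backup" is worthless.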
Storage security posture management solutions help you get a full view of the security risks in your storage & backup systems. They do this by continuously scanning these systems to automatically detect security misconfigurations and vulnerabilities.
It also prioritizes risks in order of urgency and business impact, and provides remediation guidance.
NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure, provides an overview of the evolution of storage technology, recent security threats, and the risks they pose.
It includes a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage resources. These include data and confidentiality protection using encryption, isolation and restoration assurance.