No single security measure will work for every problem or every time. To address that never-ending problem, datacenter administrators depend on a “defense in depth” paradigm. Defense in depth uses a layered approach to security such that multiple items collectively bear the burden of protecting your systems and data. Backup serves a vital role in this model.
This article talks about how to use it effectively.
The Last Line of Defense
Work through a thought experiment: ransomware has scrambled all your data, or a virus has run rampant through your systems. What viable options do you have? Sometimes, ransomware authors provide a decrypt key upon receiving payment. Many times, they don’t; they take the money and leave the organization with nothing.
Whatever motivations virus authors might have, they typically have no way to reverse the damage. Even if you get a decrypt key or find a tool that cleans up the virus, will you ever feel fully confident that you have wiped all traces from your systems?
When we talk about “defense in depth”, backup represents the last layer. First, accept the premise that no system is unhackable. You and your security teams and contractors can take every precaution and still fall victim. You can have all the best tools deployed and someone will circumvent them.
The backup industry and its evangelists initially pushed for offline and off-site backups to protect against natural and physical disasters. Malware added another potent reason. Taking data offline makes it unreachable for an active invasion. Taking data off-site adds barriers against in-person malicious actors, such as rogue employees.
The unchecked spread of ransomware prompted innovation in backup storage technology: immutability. With this feature, written data accepts no changes for a prescribed amount of time. That allows you to maintain an active connection to the backed-up data without making it vulnerable to malware. However, treat this as a convenience feature. The “no system is unhackable” adage still applies.
Strategies for Using Backup Defensively
Including backup in your security response does not require major changes. Any security incident that leaves your environment in an unusable or indeterminate state calls for a clean wipe and reload. Essentially, you act as if a natural disaster had destroyed all your equipment. However, since you’re not getting replacement hardware, you need to take the extra step of completely clearing your systems.
Make sure that you understand what “clearing” means. Simply formatting hard drives does not wipe them. Contrary to longstanding belief, even a “full” format does not wipe a drive. It performs the same logical steps as a quick format and then verifies that it can manipulate every sector. Use built-in or software tools that actively zero the storage.
Another persistent myth claims that you need to perform multiple passes in order to truly zero out magnetic storage. No one has shown this to be true, and even if it were possible, it would require analog equipment. Your goal is to ensure that traces of malware left behind cannot reinfect the system. A single zeroing pass will accomplish that.
Most modern hypervisors will write zeros to thick-provisioned space when you create a virtual hard disk. They also typically zero the slack area in thin-provisioned space as they add it. That only protects the virtual machine, though.
The management operating system may still read latent data independently of the hypervisor. Therefore, you might choose to skip the manual zeroing process for storage that will only hold virtual hard disks, but it carries some risk.
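One way to confirm the “actively zero” step the article calls for, as an added example that is not from the original page or from Hornetsecurity: a Python scanner that reads a raw device or disk image in chunks and reports the first non-zero byte, so a single zeroing pass can be verified before the storage goes back into service. The demo() helper and the sample images it builds are constructed for illustration and are assumptions, not part of any product.

```python
import os
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # read 4 MiB at a time


def verify_zeroed(path, chunk_size=CHUNK_SIZE):
    """Scan a raw block device or disk image and confirm every byte reads as zero.

    Returns (is_zeroed, first_nonzero_offset, bytes_scanned); the offset is None
    when the whole scan came back clean. Short reads (common on raw devices)
    are handled because the loop advances by the length actually returned.
    """
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return True, None, offset
            if chunk.count(0) != len(chunk):
                # Locate the first offending byte without a Python-level loop
                first = len(chunk) - len(chunk.lstrip(b"\x00"))
                return False, offset + first, offset + len(chunk)
            offset += len(chunk)


def make_sample_image(path, size, poison_offset=None):
    """Constructed test data: a zero-filled image, optionally with one stray byte
    at poison_offset standing in for residue that a wipe missed."""
    with open(path, "wb") as f:
        f.truncate(size)  # sparse zero file; reads back as zeros
        if poison_offset is not None:
            f.seek(poison_offset)
            f.write(b"\xff")


def demo(size=8 * 1024 * 1024, poison_offset=5_000_000, chunk_size=1024 * 1024):
    """Build one clean and one poisoned image in scratch space and scan both.
    Returns the two verify_zeroed() results (clean first)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        make_sample_image(clean, size)
        make_sample_image(dirty, size, poison_offset)
        return verify_zeroed(clean, chunk_size), verify_zeroed(dirty, chunk_size)


if __name__ == "__main__":
    for label, result in zip(("clean", "dirty"), demo()):
        print(f"{label}: zeroed={result[0]} first_nonzero={result[1]} scanned={result[2]}")
```

Pointing verify_zeroed() at a real device path instead of an image is a read-only operation but normally requires administrative rights.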
Zeroing every hard drive in your organization involves significant burdens in time and effort. However, modern malware, especially ransomware, can be pervasive. If you miss a single instance, all of that effort may be wasted. Make all that clear in your recovery planning.
Your organization might consider alternatives, such as destroying every drive and replacing all of them with new ones. That still makes for a heavy workload, but it will save time and eliminate some effort. To go a step further, consult with your insurance carrier.
They may consider a malware infestation as a complete loss and allow you to replace all your equipment. Do not assume that you have this coverage. Even if your carrier offers it, it might require an additional purchase above your current policy.
Your drives aren’t the only location where attackers can persist. Over the last few years, different strains of UEFI and firmware malware have been found; while ransomware attackers do not yet use them routinely, they are experimenting with them.
If you find that the attackers have hidden in there, the only way to be sure is to replace the hardware. If persistence malware is present in your UEFI, zeroing your drive will accomplish nothing as the attacker will still have access.
Once you have known clean systems, then you can bring out your backup media. Before doing anything else, make a duplicate of your last known good backup on an isolated system. Since you’ve already put in so much work, it wouldn’t add much to duplicate more than one. These duplicates serve as additional insurance. You will need to bring an original online to restore from it, which could expose it to any missed malware.
Unless you encounter a problem of that sort, follow your disaster recovery procedure from this point through final restoration.
For some organizations, size or time constraints will make such a clean procedure impossible. In those situations, you must bring in credentialed security experts before you have any problems to help with design. Use them to build threat containment and define metrics that you can use to consider your system “clean enough” to move to the recovery phase.
Consider the risks of partial cleans thoroughly before deciding that the time or effort saved outweighs them. If performing a full clean once sounds daunting, imagine needing to perform a full clean after a failed partial clean.
To properly protect your virtualization environment and all the data, use Hornetsecurity VM Backup to securely back up and replicate your virtual machines.
For complete guidance, get our comprehensive Backup Bible, which serves as your indispensable resource containing invaluable information on backup and disaster recovery.
To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.
Just as backup provides a foundation for your security response, its safety depends on your security practices. Existing recommended techniques for capturing, transporting, and storing backup data already go a long way toward protecting it from security breaches.
What is the purpose of backup in an organization?
The purpose of backup is to create a copy of data that can be retrieved in the event of primary data loss. Primary data loss can result from hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (malware or virus) or accidental deletion of data.
What are backups for security?
Data storage refers to keeping data files in a secure location that you can readily and easily access. Data backup, however, refers to saving extra copies of your data in physical or virtual locations separate from the data files in storage.
What are the roles and responsibilities for backup and recovery?
Here are the three main roles and responsibilities for backup and recovery:
- Configuration of backup solution on requested servers
- Performing standard and test restores of requested files, folders, databases, and virtual machines, completing disaster recovery tests
- Having basic Windows and Unix OS administration knowledge