I sat down with Macrium’s Technical Director, John Pendleton, to discuss how the landscape of cybersecurity is changing — and how it probably always should!
The profitability of data ransom and data theft is proving to be huge. This is driving an increasing trend for multilayered and highly sophisticated attacks.
To counter this, system protection must cover all components and their interfaces; lines must be blurred, otherwise you remain exposed: a single vulnerability can be used to gain a foothold to launch the next step in an attack.
A further blurring of the traditional considerations is that software now exists within every network and computer component. This software, typically called firmware, provides further opportunities for exploit.
A backup nullifies the leverage of a traditional ransomware attacker, as data can be quickly recovered without paying the ransom. This has driven the evolution of ransomware to also target and encrypt backup files, hence the increased vulnerability.
However, data security has two core facets, protection against loss (either accidental, hardware failure or by evil intent) and protection against theft. The threat is shifting to data theft, particularly for high value targets. In this case, backups provide no protection.
Despite this trend, backups still provide vital protection for SME or personal data where the inherent value of data recovery is greater to the owner than avoidance of public disclosure.
Note that SMEs that hold sensitive data (health, financial, legal, etc.) are very much exposed to a public disclosure risk, even if it isn’t currently under active exploit. Now that privacy legislation, particularly GDPR, is finding its teeth, that risk will extend to all companies with a significant customer base.
General AV / IDS techniques are very applicable in this space. This is a mature field, and much has already been written.
However, there are a few backup-specific protection techniques. Our anti-ransomware solution, Macrium Image Guardian, only protects against unexpected backup set access. This is less vulnerable to both false positives and negatives and less resource intensive than generic anti-malware techniques, but cannot provide alerts for non-activated ransomware. There are other vendor solutions such as storing backup sets outside a traditional filesystem.
No software-based protection can protect against a physical access attack or a compromised operating system, and it is easy to underestimate the effort required to keep a determined attacker out. The old adage of defense in depth is still very relevant, however, and will generally keep your data safe.
Feature-wise, a basic but key feature is encryption of backups; given the rise of data theft, this is self-evidently important.
Good backup practice includes keeping the data in more than one location. I would be looking for flexibility here; you don’t want to be restricted to the vendor’s choice of cloud storage.
Backup set specific protection is important. You want to ensure that they are protected against malware encryption (or deletion) before they have been synchronized to a trusted remote location. You can rely on the operating system file security mechanisms. However, these can be easy to misconfigure, so you may want to look for an additional layer of backup set protection. This can be a focused solution that only protects backup sets, or more generalized anti-malware protection.
However, non-feature-based considerations are of at least equal importance. Backup software necessarily reaches deep into the Windows storage subsystems; if coded without care, it can itself be used as a malware vector, or a stepping stone for a system compromise. Look for vendors with a reputation for reliability, as this is also a good proxy for secure development practices. A published vulnerability reporting process and a track record of quickly responding to bug reports is also a good sign.
If the software is to operate close to, or within, operational or other critical environments, check if it will operate without any internet connectivity, as this will significantly reduce the attack surface.
A novel and quickly evolving risk to add to the list of concerns is the supply chain attack. This puts a spotlight on the security of the vendor build, release and patch process. Unfortunately, the IT industry is still learning how to address this. We are currently looking at various options including a software bill of materials and reproducible builds hosted in escrow by a mutually trusted 3rd party. There is much to learn from the open source community.
Maintain a synched copy of your (encrypted) backup sets, segregated from your main network. Aside from that, following standard security best practices is key.
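The two points above, protecting a local backup set against encryption or deletion before it is synchronized, and keeping the segregated synced copy clean, can be combined into a pre-sync integrity gate. The following is an added example, not Macrium's code and not from the interview: the backup job records a hash manifest when it finishes, and the sync step refuses to run if any file in the set has since been modified, deleted or added. File names, the manifest location and the directory layout are assumptions for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # image files are large; stream them
            h.update(chunk)
    return h.hexdigest()

def hash_set(backup_dir: Path) -> dict:
    return {str(p.relative_to(backup_dir)): sha256_file(p)
            for p in backup_dir.rglob("*") if p.is_file()}

def write_manifest(backup_dir: Path, manifest: Path) -> dict:
    # Written by the backup job the moment it completes. Keep the manifest
    # outside the set (ideally on the trusted remote side) so that whatever
    # can encrypt or delete the set cannot also rewrite its manifest.
    entries = hash_set(backup_dir)
    manifest.write_text(json.dumps(entries))
    return entries

def verify_before_sync(backup_dir: Path, manifest: Path) -> dict:
    # Gate that runs before the set is copied off-site. Any file that changed,
    # disappeared or appeared since the job finished is unexpected: a naive
    # sync would push encrypted files over the good remote copy.
    expected = json.loads(manifest.read_text())
    current = hash_set(backup_dir)
    report = {
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "unexpected": sorted(k for k in current if k not in expected),
    }
    report["safe_to_sync"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report

def demo() -> dict:
    # Constructed scenario: a two-file set, verified clean, then tampered with
    # (one file overwritten, one deleted, one added) before the sync would run.
    root = Path(tempfile.mkdtemp())
    backup_dir, manifest = root / "set", root / "set.manifest.json"
    backup_dir.mkdir()
    (backup_dir / "backup-full.bin").write_bytes(b"constructed full image")
    (backup_dir / "backup-inc.bin").write_bytes(b"constructed incremental")
    write_manifest(backup_dir, manifest)
    assert verify_before_sync(backup_dir, manifest)["safe_to_sync"]
    (backup_dir / "backup-full.bin").write_bytes(b"\x00constructed ciphertext")
    (backup_dir / "backup-inc.bin").unlink()
    (backup_dir / "README.txt").write_bytes(b"constructed note")
    return verify_before_sync(backup_dir, manifest)
```

The same check, run with the manifest held on the remote side, also catches a set that was tampered with in transit or on an intermediate staging share.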