Last month, it was announced that a vulnerability in a remote management and monitoring tool utilized by many managed service providers (MSPs) had been exploited to launch a massive ransomware attack that impacted not only those MSPs but possibly their customers as well. In fact, it’s fair to say that the true extent of that breach is still not known.
Unfortunately, that attack, utilizing software made by a company called Kaseya, is not an isolated incident. High-profile ransomware attacks have become front-page news since the beginning of the year, with some – like the Colonial Pipeline hack – giving rise to real-world consequences that impacted everyday Americans, including gas shortages.
Multiple research studies found that more than 50 percent of all organizations were hit by ransomware in 2020. According to Gartner, by 2025, ransomware attacks are expected to increase by 700 percent and at least 75 percent of IT organizations will face one or more attacks.
The costs to the infected organizations are increasing as well. A Forrester study found that only 25 percent of organizations were able to recover between 75 percent and 100 percent of their data after a ransomware attack. And IBM calculated that the average cost of a ransomware attack has now reached $4.4 million (USD).
It’s plain that ransomware attacks are increasing in both frequency and severity. It’s also plain to see that malicious actors are getting increasingly sophisticated and brazen – using complex attacks to go after large targets. And that means government agencies need to start protecting their networks and sensitive constituent data against the threat of these attacks.
The security and performance of an agency’s backup system are integral to its ransomware recovery capabilities. Backup systems are increasingly becoming a key target of ransomware attacks. If the data backup is breached, the attacker may be able to stop backup operations, infect and encrypt the backup data, or possibly completely delete the data. In addition, the backup system can provide the cybercriminal with a ‘roadmap’ of sorts to where critical data is stored on the network so they can expand their attack and make their ransom demands more compelling.
For these reasons and more, it is vitally important that government agencies implement the following ten data protection principles, courtesy of Quest Software, to fortify their backup systems against a ransomware attack:
1) Maintain multiple copies of data – While most organizations already follow this proven rule, people, processes, and technology must align to the 3-2-1 backup strategy or some derivation of it. The 3-2-1 backup strategy involves utilizing data replication to maintain three copies of data – one production and two backup copies – that are stored on two different media, with one copy off-site at a secondary location or with a cloud provider in a different geographic region. This rule is a foundational element to ransomware recovery capabilities.
2) Dedupe and compress your backup data – Deduplicating and compressing backup data not only saves an agency storage space and costs, but also adds layers of abstraction that make it much harder for attackers to read and understand what is in the agency’s data repository. Deduplication and compression also abstract and reduce the amount of data in motion to replicated copies, which means attackers have less of a chance to capture data.
3) Encrypt data in motion and at rest – Encrypting backup data adds another layer of abstraction and security. When combined with deduplication and compression, encryption makes it nearly impossible for attackers to read and understand what is in an agency’s data repository. In addition, agencies should protect their data in motion with SSL encryption or with the use of proprietary protocols.
4) Harden the data backup with immutable storage – Another measure vital to ransomware recovery capabilities is placing a copy of an agency’s backup data into immutable storage. Immutable storage, or WORM (write once read many) storage, uses media that prevents the data from ever being changed or erased unless the agency has pre-specified a deletion date based on its retention policy. Once data is written to it, the original data cannot be deleted or encrypted by ransomware.
5) Create physical air gaps between copies of your data – Ransomware recovery principles #5 and #6 are based on the premise that backups stored on “unconnected” media are virtually impossible for an attacker to reach. When agencies back up data off-site or on systems that are not connected to their network, they have established a physical ‘air gap’ between the copies of their backups. Physical air gaps between the copies of an agency’s backup data make it much harder for a cybercriminal to infect all copies of that data.
6) Create virtual air gaps between copies of your data – In addition to implementing physical air gaps, agencies should also create virtual air gaps between systems. They can accomplish this by using different storage types, environments, operating systems, and accounts for each copy of their backup data. For instance, an agency could keep its backup system outside of the Active Directory domain and/or on a different operating system such as Linux.
7) Limit access to the backup software and repositories – It is always a ransomware recovery best practice to limit access to the backup console and repositories. To accomplish this, agencies should consider creating more than one backup admin role and assigning non-overlapping privileges and responsibilities to each role. For instance, they could assign backup job creation, retention policies, and reporting to different admins.
8) Use multifactor authentication (MFA) for admin accounts – If they’re not already using multifactor authentication (MFA) for their admin accounts, agencies should implement it as soon as possible. If an attacker breaches the backup console, they can change policies and jobs, and even delete data from an agency’s system. This applies to their backup repositories as well if they reside on systems separate from the console.
9) Require multiple authorizations for configuration changes – The ‘four-eyes’ principle should rule here. Implementing the four-eyes principle means requiring multiple authorizations for any configuration changes. This prevents an attacker who gains access to a single admin account from making changes that would compromise backup job definitions, retention policies, or the data repository.
10) Ensure a fast and safe data recovery – Unless agencies are very fortunate, at some point they will become the victim of a ransomware attack. When planning data recovery, agencies need to consider that the backup itself may be infected. A best practice is to assume that it is infected and to restore and clean backup data in a sandboxed environment before putting it back into production.
And since the agency will need to restore a large amount of data in a short timeframe, it should have a plan for scaling the performance of its data recovery capabilities and for how it can orchestrate and optimize the recovery process to meet the recovery time objectives (RTOs) for each application.
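Principles 1, 4, 5 and 6 above are concrete enough to be checked against a backup inventory. The following is an added example, not code from the article or from Quest Software; the `BackupCopy` fields and the sample inventories are constructed assumptions for illustration, and the check covers the four principles the page states most precisely (3-2-1, immutable copy with a retention date, physical air gap, and virtual air gap via distinct OS and account per copy).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class BackupCopy:
    name: str
    role: str                 # "production" or "backup"
    media: str                # "disk", "tape", "object-storage", ...
    site: str                 # physical location or cloud region
    os: str                   # operating system of the host holding the copy
    account: str              # identity realm that controls access (e.g. an AD domain)
    network_connected: bool   # False = not reachable from the production network
    immutable_until: Optional[date] = None   # WORM retention date; None = mutable

def audit_backup_posture(copies: List[BackupCopy], today: date) -> Dict[str, bool]:
    """Map each checked principle to True (met) or False (not met)."""
    prods = [c for c in copies if c.role == "production"]
    backups = [c for c in copies if c.role == "backup"]
    if len(prods) != 1:
        raise ValueError("inventory must contain exactly one production copy")
    prod = prods[0]
    media_kinds = {c.media for c in copies}
    offsite = [c for c in backups if c.site != prod.site]
    # Principle 1 (3-2-1): three copies, on two media types, one of them off-site.
    three_two_one = len(copies) >= 3 and len(media_kinds) >= 2 and bool(offsite)
    # Principle 4: at least one backup copy whose WORM retention has not expired.
    immutable = any(c.immutable_until is not None and c.immutable_until > today
                    for c in backups)
    # Principle 5: at least one backup copy on media not connected to the network.
    physical_gap = any(not c.network_connected for c in backups)
    # Principle 6: no two copies share the same OS and access account, so one
    # compromised admin credential cannot reach every copy.
    realms = [(c.os, c.account) for c in copies]
    virtual_gap = len(set(realms)) == len(realms)
    return {"3-2-1": three_two_one, "immutable_copy": immutable,
            "physical_air_gap": physical_gap, "virtual_air_gap": virtual_gap}

# Constructed sample inventories (hypothetical, not from any real agency).
GOOD_COPIES = [
    BackupCopy("prod-fileserver", "production", "disk", "hq", "windows", "corp-ad", True),
    BackupCopy("dedupe-appliance", "backup", "disk", "hq", "linux", "backup-local", True,
               immutable_until=date(2030, 1, 1)),
    BackupCopy("offsite-tape", "backup", "tape", "vault", "none", "vault-custodian", False),
]
WEAK_COPIES = [
    BackupCopy("prod-fileserver", "production", "disk", "hq", "windows", "corp-ad", True),
    BackupCopy("backup-share", "backup", "disk", "hq", "windows", "corp-ad", True),
]
```

The weak inventory is the common failure mode the article warns about: a single backup share on the same domain and site as production, which a compromised domain admin account can encrypt or delete along with the originals.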