*This is the first in a three-part series.
As 2020 comes to a close, it’s time to make our New Year’s resolutions.
For our first, let’s pledge not to let ransomware affect us!
To deter ransomware, we take basic steps that broadly protect us from many different types of attack:
- Educate users about spoofing and phishing trends;
- reduce the impact of the occasional mistake and bad click;
- keep systems patched and up-to-date;
- monitor domains and networks for potential attack activity; and
- have a robust disaster recovery plan.
We have touched upon most of these items recently, so let’s focus more on disaster recovery because, when dealing with ransomware, the data backup is critical.
Our data and our system backups must be accessible, intact, and quickly recoverable.
The Basics of Data Recovery
The 3-2-1 principle provides the backbone for most backup strategies.
It involves keeping at least three copies of the data, on a minimum of two different storage types, with no less than one copy of the data off-site. However, organizations should consider additional backup copies, or a greater variety of backup types, to defend against different attacks.
For example, consider the offsite backup. Many organizations use services that copy the backup to a cloud environment.
However, if the cloud is used as primary storage, “off-site” storage needs to be a different cloud environment, or even the on-premises data center. Offsite no longer means “outside of the data center.” Instead, it means a distinct location from wherever the data normally resides.
Offsite backups provide the assurance of reliable recovery. But, it’s onsite backups that provide the speed.
In practice, downloading a backup from an offsite location — often the cloud — makes two huge assumptions:
1) the organization’s access to the cloud remains intact, and
2) the amount of data to download will be reasonable compared to the download speeds.
If we only need to recover a handful of workstations, then a typical organization will have no problem. However, if we need to recover hundreds of servers and thousands of employees’ workstations, the sheer volume of data to download will result in a bottleneck.
Thus, the onsite backup becomes critical to a quick recovery because it bypasses transmission. Just keep in mind that ransomware attackers understand this, and they will be searching the network for backups to delete.
At least one backup should be kept offline and isolated. Common methods for offline local backups use either tape drives or removable hard drives.
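The rules above (3-2-1, "off-site" meaning a location distinct from wherever the data normally lives, and at least one offline copy) can be checked mechanically against a backup inventory. The following is an added example, not part of the original article; the inventory records and the convention that the primary data counts as one of the three copies are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy in a (constructed) inventory."""
    name: str
    location: str   # where it lives, e.g. "hq-datacenter", "cloud-a", "offsite-vault"
    medium: str     # storage type, e.g. "disk", "tape", "object-storage"
    offline: bool   # physically or logically isolated from the network


def check_321(primary_location: str, copies: list[BackupCopy]) -> list[str]:
    """Return findings against 3-2-1 plus the off-site and offline conditions.

    An empty list means the inventory satisfies every rule. The primary
    (production) data is counted as one copy, a common 3-2-1 convention.
    """
    findings = []
    # Rule 1: at least three copies in total, primary included.
    total = 1 + len(copies)
    if total < 3:
        findings.append(f"only {total} copies; need at least 3")
    # Rule 2: at least two distinct storage types among the backups.
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} storage type(s); need at least 2")
    # Rule 3: at least one copy outside the primary location. If the primary
    # is a cloud tenant, a copy in that same tenant is NOT off-site.
    if not any(c.location != primary_location for c in copies):
        findings.append(f"no copy outside primary location {primary_location!r}")
    # Ransomware caveat: at least one copy must be offline and isolated.
    if not any(c.offline for c in copies):
        findings.append("no offline/isolated copy")
    return findings


if __name__ == "__main__":
    # Constructed sample: a cloud-first organization whose "backups" are two
    # snapshots in the same tenant on the same storage type, all online.
    cloud_only = [
        BackupCopy("snapshot-a", "cloud-a", "object-storage", offline=False),
        BackupCopy("snapshot-b", "cloud-a", "object-storage", offline=False),
    ]
    for finding in check_321("cloud-a", cloud_only):
        print("FAIL:", finding)
```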
Don’t Forget About System Recovery
Recovering from a ransomware attack means more than just restoring data.
After all, what is the point of putting our data back onto a compromised machine? Servers, network equipment (routers, switches, etc.), and all network connections must be restored and checked for compromise.
It can take weeks to check systems for compromise and to understand the extent of attacker access. But, recovery rarely has the luxury to wait.
We must assume that the backups are at least partially compromised. Ideally, you should begin system restoration without a connection to the network to safely reset all passwords, permissions, and session keys.
For cloud environments or remote restorations, it becomes trickier to execute. However, the principle remains the same.
We must keep the systems as isolated as possible until we can harden them.
Prepare in Advance
After an attack, it is too late to decide what systems to restore first, what data takes priority, and how to isolate these systems.
IT managers need a formal priority list with management buy-in. And, that list must be updated periodically, and with each major infrastructure change.
Checklists that are pre-approved by management provide critical references for the frazzled IT teams under pressure to recover quickly from an attack.
If possible, table-top exercises or data recovery drills can provide the team with the experience needed to check for gaps in the current plans, and to make a real recovery as smooth as possible.
Insurance and Support
Experts expect ransomware to remain a top threat in 2021, so we need layers of insurance to be resilient.
Some organizations rely too much upon cybersecurity insurance, which may not always cover ransomware, and which definitely will not help restore our systems.
We must ensure proper cloud backups, storage systems patched against the latest vulnerabilities, and the team resources needed to execute a recovery.
Ideal Integrations provides IT infrastructure planning and services to help your organization plan its recovery strategy. In fact, we’ll even fully manage your disaster recovery process.
Call us today at 412-349-6680, or fill out the form below, to let us know how we can help develop or manage your backup strategies for your on-premises or cloud infrastructures.