How to lock down backup infrastructure

Extorting sensitive data brings far bigger rewards than randomly encrypting desktops, and they’ve figured out that the backup server is a gold mine of data. Your organization’s confidential business plans, intellectual property, personnel files, customer data and emails contain immense value in the wrong hands. The potential damage from exposure can surpass even exorbitant ransom demands. And all of this data is (hopefully) stored inside your backup system. Like I said: a gold mine.

That’s why any security strategy is wholly inadequate if it doesn’t include extra precautions around safeguarding these crown jewels stored in your backup system, because trying to find the right path after an extortionware attack makes choosing between pestilence and cholera seem nice. There are no good options once your data is stolen. That’s why getting back to basics with preventing threats in the first place is so crucial.

Batten down the hatches

The security measures I’m about to advocate may require investments in technologies, added staff and cost. I get that. But let me ask you this – how much is your organization’s future viability, relevancy and reputation worth? How much of a setback is having your new billion-dollar product design leaked to competitors? And I promise you that no court will accept encryption or data theft as a valid excuse for violating disclosure laws.

Block attacks via privileged accounts

The first thing to do is to protect the privileged accounts in your backup system. First, separate these accounts from any centralized login system you use, such as Active Directory, because these systems are sometimes compromised. Create as much of a firewall between that production system and the backup system as possible. And, of course, use a safe password, and do not use any passwords for these accounts that are used anywhere else. (Personally I would use a password manager to support having a different password everywhere.) Finally, make sure that any such logins are protected by multi-factor authentication, and use the best option available. Avoid the use of email or SMS-based MFA, as it is easily foiled by an experienced hacker. Try to use an OTP-based system of some kind, such as Google Authenticator, Symantec VIP, or Yubikey.

Also investigate if your backup system has enhanced authentication for dangerous actions, such as deletion of backups before their scheduled expiration, or restoration of any data to anywhere other than where it was originally created. The first is used to easy delete backups from your backup system, without setting off any alarms, and the second is used to exfiltrate data by restoring it to a system the hacker controls. A common control here is to use multi-person authentication, which requires multiple people to authenticate such actions. While this may slow down some normal operations, it’s a really good protection against a hacker using your backup system against you. Similar to MFA, please do not use SMS or email as the vehicle for such things, as the hacker may have compromised both systems. (A hacker of a former client did just that. They took control of the email system, and used that control to intercept MFA requests and authenticate themselves as many times as they needed to.)

Block attacks via the filesystem

Hopefully everyone knows to have at least one copy of their backups on storage that is immutable, and that is a good start. An offsite cloud copy is the best, as there is no way for the hacker to delete or encrypt these backups without compromising the entire (well vetted) infrastructure of the cloud vendor. This will ensure you will have the backups when you need them to restore after a ransomware attack.