Hardening the Last Line of Defence for Financial Organisations - Cyber Resilience

  • James Blake, Field CISO of EMEA at Cohesity

  • 18.01.2023 04:45 am
  • #cybersecurity

In an ideal scenario, after a ransomware attack that encrypts all production systems, the IT teams react and restore the applications and data from the backups, whilst the forensic experts investigate the attack and identify the weak spot and the vulnerability. Thus the blackmail attempt amounts to nothing. 

Unfortunately, this scenario is far from reality. In practice, attackers typically spend the first few days after successfully penetrating a victim's network examining the network structure and the backup system. Their aim is to find weaknesses and undermine the last line of defence. It is clear why they go to such effort: cryptocurrency analytics firm Chainalysis reported that approximately $1.3 billion in ransomware payments were paid globally over the past two years, a notable increase compared to 2019's $152 million.

Keeping that in mind, every financial organisation can adopt technical and organisational best practices that close some of these weaknesses.

Managing passwords and privileges

It is commonplace for the main administrator of the backup infrastructure to hold the most extensive access privileges within a company, because, by definition, the backup tool must be able to reach all key production systems and read the data there. If saboteurs manage to compromise this key account, all production data is under threat in one fell swoop. For convenience, this superuser and his or her privileges and passwords are often managed via central user directories such as Active Directory. It is important to separate these two worlds, so that these users exist only in the backup and disaster recovery environment itself. Power users should receive user profiles that follow the principle of least privilege, i.e., as many access rights as necessary and as few as possible. Access to such accounts must of course be secured by multi-factor authentication.

A number of hardware systems are used to record the backup data, especially in large environments. Only authorised personnel should have physical access to them, otherwise a saboteur could compromise the hardware and thus the data. Modern providers access these systems securely through remote maintenance tools, for instance to install a new boot image or to access the hard disks directly. It should be possible to upload a new image on the fly during operations, including rollback with a simple mouse click, so that new functions or bug fixes can be activated quickly.

The importance of communication and anomaly detection 

Backup systems must be able to talk to each other and to the data sources in order to back up data. This requires opening ports on firewalls. To increase the level of security, this traffic should be carried over isolated physical or logical networks.

IT teams need to understand exactly which protocols and services are used across the network for this purpose. For example, some providers use less secure protocol variants such as SNMPv2 for administrative tasks; these should be replaced by SNMPv3. When using SNMPv3, use SHA as the authentication algorithm and AES for encryption, as these are more secure than MD5.
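As an added example (not code from the article or from Cohesity), the following Python script audits a net-snmp style snmpd.conf for the weak settings this paragraph describes: SNMPv1/v2c community strings, and SNMPv3 users that authenticate with MD5 or carry no privacy protocol at all. It reports users configured with SHA and AES as compliant. The sample configuration is constructed for this example; the directive names and algorithm keywords follow net-snmp's syntax, and the set of accepted algorithm spellings is an assumption, since it varies by net-snmp version.

```python
from dataclasses import dataclass

# Constructed sample net-snmp snmpd.conf, written for this example; it is not
# taken from any real system or from the article.
SAMPLE_SNMPD_CONF = """
# Legacy SNMPv2c access used by a backup appliance's monitoring integration
rwcommunity backupadmin 10.0.0.0/8
rocommunity public
# SNMPv3 user still on MD5/DES
createUser monitor_old MD5 "Passphrase-Example-1" DES "Passphrase-Example-1"
rouser monitor_old priv
# SNMPv3 user with SHA + AES, the configuration the article recommends
createUser monitor_new SHA "Passphrase-Example-2" AES "Passphrase-Example-2"
rouser monitor_new priv
# SNMPv3 user with SHA authentication but no privacy protocol
createUser monitor_auth_only SHA "Passphrase-Example-3"
rouser monitor_auth_only auth
"""

# Directives that grant access by SNMPv1/v2c community string.
COMMUNITY_DIRECTIVES = {
    "rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6",
    "com2sec", "com2sec6",
}
# Algorithm keywords treated as acceptable (assumed set; names vary by version).
STRONG_AUTH = {"SHA", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}
STRONG_PRIV = {"AES", "AES-128", "AES-192", "AES-256"}


@dataclass
class Finding:
    line: int
    severity: str  # "high", "medium" or "info"
    message: str


def audit_snmpd_conf(text: str) -> list[Finding]:
    """Walk a net-snmp style snmpd.conf and flag weak SNMP settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive in COMMUNITY_DIRECTIVES:
            findings.append(Finding(lineno, "high",
                f"{directive}: SNMPv1/v2c community string grants access; "
                "replace with an SNMPv3 user"))
            continue

        if directive == "createuser":
            # Syntax: createUser [-e ENGINEID] USER AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
            args = parts[1:]
            if len(args) >= 2 and args[0] == "-e":
                args = args[2:]
            if not args:
                continue
            user = args[0]
            auth = args[1].upper() if len(args) > 1 else None
            priv = args[3].upper() if len(args) > 3 else None

            if auth is None:
                findings.append(Finding(lineno, "high", f"{user}: no authentication protocol"))
            elif auth not in STRONG_AUTH:
                findings.append(Finding(lineno, "high", f"{user}: authentication uses {auth}; use SHA"))

            if priv is None:
                findings.append(Finding(lineno, "medium",
                    f"{user}: no privacy protocol; add AES so traffic is encrypted"))
            elif priv not in STRONG_PRIV:
                findings.append(Finding(lineno, "high", f"{user}: privacy uses {priv}; use AES"))

            if auth in STRONG_AUTH and priv in STRONG_PRIV:
                findings.append(Finding(lineno, "info", f"{user}: SHA authentication with AES privacy"))
    return findings


def is_compliant(text: str) -> bool:
    """True when the config contains only SNMPv3 users with SHA + AES."""
    return all(f.severity == "info" for f in audit_snmpd_conf(text))


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f.line:>2} [{f.severity}] {f.message}")
    print("compliant:", is_compliant(SAMPLE_SNMPD_CONF))
```

Run against the sample, the script reports the two community-string lines and the MD5/DES user as high findings, the SHA-only user as medium, and the SHA + AES user as the only compliant entry. The same check can be pointed at the exported configuration of each backup appliance and monitoring host during a review of the protocols in use.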

Data should be encrypted in transit between the data source and the backup, and at rest at the destination. If you want to achieve high cyber resilience, you should also insist on immutable backups, with immutability integrated into the backup platform itself. This is critical in order to ensure that backup data cannot be changed, encrypted, or deleted. Immutable backups are therefore one of the best ways to combat ransomware, because the original backup remains out of the attacker's reach.

Combatting organisational conflicts and isolated legacy tools

IT infrastructure and security operations teams live in two worlds that are often separated by design. Whilst the SecOps teams want to regulate all access as strictly as possible, the IT infrastructure teams need to be allowed to access all important systems for backup.  

A recent survey found that many of these teams are not collaborating as effectively as they could to address growing cyber threats. Among respondents who believe collaboration between IT and security is weak, nearly half believe their organisation is more exposed to cyber threats as a result. For true cyber resilience these teams must work closely together: the high number of successful attacks shows that attack vectors are changing, and that resilience is not just about defence but also about backup and recovery.

Even with the best practices, basic backup design flaws cannot be fixed unless teams are willing to modernise the infrastructure across the board. Research found that a large percentage of companies globally (nearly 50%) rely on backup and recovery infrastructure designed in or before 2010, long before today's multi-cloud era and the onslaught of sophisticated cyberattacks plaguing enterprises globally.

If financial organisations want to achieve real cyber resilience and successfully recover critical data even during an attack, they will have to modernise their backup and disaster recovery infrastructure and migrate to modern approaches such as a next-gen data management platform.

In order to take the Zero Trust model even further, the data should be brought together in a centralised data management platform based on a hyperconverged file system that scales. In addition to strict access rules and multi-factor authentication, the platform should generate immutable snapshots that cannot be changed by any external application or unauthorised user.

For financial organisations, any delay in ransomware response and recovery can lead to increased downtime and increased data loss. Integrating both worlds of SecOps and IT can help link data management and data security processes more effectively. It's vital to stay ahead of ransomware attacks and to reinforce your cyber resiliency.
