
Backup Strategies | Your first line of defense

Most companies are fully aware of Ransomware attacks nowadays and understand the importance of Cybersecurity. Yet many of the companies that invest heavily in detection and response solutions like EDR, MDR, and XDR forget to set up (and test) a Disaster Recovery Plan (DRP) for the case that a Ransomware attack succeeds anyway.

Because of this, many companies that are well protected by Cybersecurity solutions still end up paying a ransom when they become a victim, because the attackers use double extortion:

  • Backups are missing or do not restore as intended, so the encrypted data cannot be recovered
  • Sensitive information was exfiltrated before the encryption started, and the attackers threaten to dump or sell it (personal data and/or intellectual property) on the dark web

This post will be the first of two posts in which I will give insight into how to implement these essential solutions into an organization. For now, I will focus on the backup of data, and the next post will focus on how to protect your sensitive information.

Shocking Data Recovery Facts

Most organizations back up their data… or at least think they do. In many cases, the backups in place are not working as intended. According to a Veeam report from Q1 2021, companies fail to back up 14% of their data, and 58% of all data recoveries fail. Many companies will therefore have a severe problem recovering their complete data after a disaster that causes data loss. A decent backup policy is required to restore all data after such an incident, but a policy alone is insufficient: you need to test both the backups and the restoration plan regularly, so that issues surface before an incident rather than during one.

Backup Policy

One of the main preparations for a Ransomware attack is backing up your data so that the attack does not result in data loss; a well-defined backup policy is a must because of this. Restoring data from a backup solution is a corrective control. Your backup strategy should specify the frequency and the types of backups, including what data you back up and how you back it up.

There are several ways to back up your data, and the backup policy must describe in detail which ones you use. The policy should also name the functional area responsible for backups and set two targets. The Recovery Point Objective (RPO) is the maximum amount of data, expressed in time, that you accept losing: it is the gap between the last usable backup and the moment of the incident, so an RPO of 24 hours means a daily backup is enough, while an RPO of 15 minutes requires a near-real-time backup. The Recovery Time Objective (RTO) is the maximum amount of time a resource may be unavailable before it must be restored and running again. Together, the RPO and RTO tell your organization how much work an outage may cost (everything entered since the last backup) and how long it can afford to be down while you bring the systems back from backup, and they drive the choice of backup frequency and restore method.

Your backup policy should also state whether you store backups offsite. If so, you must also define how the backups are transported and whether the transported data has to be encrypted (which I would always advise). Finally, the policy defines who is responsible for data backups and refers to the plans and procedures you use to perform them. The policy gives you direction on what you have to do and why; the plans and procedures supply the how, and they have to specify details such as how you back up flat files and database information, which encryption method you use, which backup methods you run, and which restoration options exist.

Frequency and execution of Backups

There are several ways to perform backups, and the choice of the method you use depends upon several factors you must consider. The most critical factor is the criticality of data: how important is the data that you have to back up, and how quickly does it have to be restored to get your organization up and running again?

Some backup methods can back up data faster than others, but they might restore data more slowly. Other forms back up data in specific increments based upon file archive bits. You can combine these methods to select the optimum backup solution for your organization.

The frequency of your backups is another factor you have to determine. If data rarely changes, a monthly backup may be sufficient. Daily transactional data such as financial or commercial transactions is a different story: it may need a minute-by-minute or even close to real-time backup to guarantee that the most current data is available and that critical transactions are not lost. Backup frequency is therefore tied to the criticality of the data: if the tolerance for losing data is very low, increase the frequency. Finding the right balance between resources (money spent and staffing) and backup frequency is critical. You don’t want to “overspend,” but you certainly don’t want to “underspend” either. Finally, review your situation periodically and “rebalance” if needed.

Types of Backup

Two choices determine what type of backup you end up with:

  • Standard backup methods
  • Backup media

Standard Backup Methods

There are four types of standard backup methods:

  • Full backup: this method copies everything in the backup set, whether that set is a shared folder, a single hard drive, a RAID array, or an entire server. A full backup also clears the archive bit on every file it copies. The archive bit is an on/off switch in the file metadata: the operating system turns it “on” (binary one) whenever a file is created or modified, meaning the file has changed since it was last backed up and needs backing up again; a backup job turns it “off” (binary zero, “cleared”) to record that the current version has been captured.
  • Incremental backup: this type backs up only the files whose archive bit is on, that is, files changed since the previous backup of any kind (full or incremental), and clears the bit afterwards. Each incremental set is therefore small and fast, so running one daily is reasonable because data changes daily. The price is paid at restore time. If the backup source is lost, apply this restoration order:
    • First, restore the most recent full backup
    • After that, restore every subsequent incremental backup in the correct chronological order; skipping one or applying them out of order leaves you with stale versions of the files it contained.
  • Differential backup: a differential backup also copies the files whose archive bit is on, but it does not clear the bit afterwards. This is the key difference from the incremental method. Because the bit stays on, every differential backup after a full backup captures all files changed since that full backup: the next run copies the files from the previous run plus whatever changed since. Differential backups are thus cumulative. The first one after a full backup is quick, but each subsequent one takes longer and uses more space because it contains more data than its predecessor. The advantage shows at restore time: you restore the full backup first, followed by only the most recent differential backup. No earlier differential is needed, because the latest one already contains all accumulated changes.
  • Snapshots: a snapshot stores the state of a system, operating system and applications included, at a given moment. Snapshots are common on individual machines (restore points in Windows, Time Machine in macOS). For servers, snapshot usually refers to the hypervisor feature that saves the state of a running Virtual Machine (VM) so it can be rolled back quickly if something goes wrong on the active server. Note that a snapshot kept on the same storage as the VM is no protection against ransomware that reaches the hypervisor or the storage layer; copy it to separate backup media for that.
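The following added example (not code from the original post) models the three archive-bit-based methods on a small constructed file server, with constructed file names and a three-day change schedule. It computes which sets each run copies, which sets a restore needs and in what order, and what happens if incrementals are applied out of order.

```python
"""Full, incremental and differential backups modelled on the archive bit.

Added example, not code from the original post. File names and the change
schedule are constructed; each "file" is just a version counter plus its
archive bit, which is all the three methods look at.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class FileEntry:
    version: int = 1
    archive_bit: bool = True  # on (1): changed since the last full/incremental backup


@dataclass
class BackupSet:
    kind: str                  # "full", "incremental" or "differential"
    day: int
    contents: Dict[str, int]   # file name -> version captured in this set


class FileServer:
    """The backup source: files whose archive bits the backup jobs manipulate."""

    def __init__(self, names: List[str]) -> None:
        self.files = {name: FileEntry() for name in names}

    def write(self, name: str) -> None:
        """Modify (or create) a file; the OS sets the archive bit on every write."""
        entry = self.files.setdefault(name, FileEntry(version=0))
        entry.version += 1
        entry.archive_bit = True

    def live_state(self) -> Dict[str, int]:
        return {name: f.version for name, f in self.files.items()}


def full_backup(server: FileServer, day: int) -> BackupSet:
    """Copy everything, then clear every archive bit."""
    contents = server.live_state()
    for f in server.files.values():
        f.archive_bit = False
    return BackupSet("full", day, contents)


def _files_with_bit_set(server: FileServer) -> Dict[str, int]:
    return {name: f.version for name, f in server.files.items() if f.archive_bit}


def incremental_backup(server: FileServer, day: int) -> BackupSet:
    """Copy only files changed since the previous backup of any kind, then clear their bits."""
    contents = _files_with_bit_set(server)
    for name in contents:
        server.files[name].archive_bit = False
    return BackupSet("incremental", day, contents)


def differential_backup(server: FileServer, day: int) -> BackupSet:
    """Copy files changed since the last FULL backup; the bit stays on, so sets grow."""
    return BackupSet("differential", day, _files_with_bit_set(server))


def restore_chain(sets: List[BackupSet]) -> List[BackupSet]:
    """Select the sets a restore needs, in the order they must be applied.

    Full first, then every incremental after it in chronological order, or
    only the newest differential (it already accumulates all earlier ones).
    """
    last_full = max(i for i, s in enumerate(sets) if s.kind == "full")
    chain = [sets[last_full]]
    later = sets[last_full + 1:]
    chain += sorted((s for s in later if s.kind == "incremental"), key=lambda s: s.day)
    diffs = [s for s in later if s.kind == "differential"]
    if diffs:
        chain.append(max(diffs, key=lambda s: s.day))
    return chain


def restore(chain: List[BackupSet]) -> Dict[str, int]:
    """Apply the sets in the given order; later sets overwrite earlier versions."""
    state: Dict[str, int] = {}
    for s in chain:
        state.update(s.contents)
    return state


def simulate(strategy: Callable[[FileServer, int], BackupSet]) -> dict:
    """Day 0 full backup, then three days of changes backed up with `strategy`."""
    server = FileServer(["ledger.xlsx", "payroll.csv", "contracts.docx", "readme.txt"])
    sets = [full_backup(server, day=0)]
    # Constructed change schedule: which files are edited on which day.
    changes = {1: ["ledger.xlsx"], 2: ["ledger.xlsx", "payroll.csv"], 3: ["contracts.docx"]}
    for day, names in changes.items():
        for name in names:
            server.write(name)
        sets.append(strategy(server, day))
    chain = restore_chain(sets)
    wrong_order = chain[:1] + chain[1:][::-1]  # sets after the full applied newest-first
    return {
        "set_sizes": [len(s.contents) for s in sets],    # files copied per run
        "chain_days": [s.day for s in chain],             # what a restore must read
        "restored_ok": restore(chain) == server.live_state(),
        "wrong_order_ok": restore(wrong_order) == server.live_state(),
    }


if __name__ == "__main__":
    for label, strategy in (("incremental", incremental_backup), ("differential", differential_backup)):
        print(label, simulate(strategy))
```

With the incremental schedule the sets stay small ([4, 1, 2, 1] files) but a restore must read all four in order, and reversing the incrementals silently restores an older ledger. With the differential schedule the sets grow ([4, 1, 2, 3]) but the restore reads only the full set and the last differential, so there is no order to get wrong.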

Backup Media

The most commonly used types of backup media are External Enclosures, Network Attached Storage (NAS), Storage Area Networks (SAN), and Cloud solutions.

External Enclosure

Nearly all local and network-based backup solutions use hard disk drives as their primary storage, whether in a NAS, a SAN, or behind a Cloud service. The simplest form is an external enclosure: one or more drives in a housing that plugs directly into a computer. It is the baseline everyone should have; make sure to get USB 3 or faster for sufficient speed. One caveat: a drive that stays connected is just another volume to Ransomware running on that machine and will be encrypted along with it, so disconnect the enclosure after each backup or rotate between several drives.

NAS

If you want to scale up backups for active home use or for a small business, you can add a storage device to your network: a Network Attached Storage (NAS) system. A NAS is a standalone box holding removable hard drives and running its own operating system, which you manage remotely; it often comes with handy extras such as monitoring options and media-server features. NAS devices provide file-based storage: from a Local Area Network (LAN) device, a NAS share behaves exactly like another computer’s shared folder. That is also its weakness: a share that is mounted with the logged-on user’s credentials gets encrypted together with the local disks, so give the backup job its own account that regular users (and Ransomware running as them) cannot write with.

SAN

A growing enterprise needs a more scalable solution than a NAS. A Storage Area Network (SAN) pools multiple storage devices into block storage that hosts reach over a dedicated network, typically Fibre Channel or iSCSI. Block storage lets a SAN provide high-speed access to many hosts and carve up the space in whatever way makes sense for your environment; to a host, a SAN volume looks like a locally attached hard drive. A SAN is far more complex (and expensive) than a NAS, but it is an excellent basis for enterprise on-premises backup and storage.

Cloud

Nowadays, the Cloud is a great place to host your backups. A Cloud provider offers practically unlimited storage, runs the infrastructure for you, and can handle the backup process securely when you configure it properly. It also creates a dependency on the provider and on your internet connection, and you need to take that into account.

Online vs. Offline Backups

Online vs. Offline Backup refers to the state of the data when the backup runs. For an extensive database, an online (hot) backup runs while the database is live and in use by simultaneous users. The advantage is that it does not disrupt use of the database; the transaction logs record the changes made during the backup and are backed up together with it, which is what keeps the copy consistent.

An offline (cold) backup shuts the database down first. The process then copies a clean set of database files and needs no log files, because nothing changes during the backup. Restoration is the reverse: the files are put back from the offline copy and the system is brought up again for use. With online backups, the log files stored alongside the backup guide the restoration process: they are replayed to bring the copy to a consistent point in time.

I prefer online backups over offline backups because of the flexibility and the availability of log files. However, offline backups are still a big part of most companies, mainly because they run on legacy systems that require a less sophisticated solution than online backups: online backups do not work with those systems.
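To make the difference concrete, here is an added example (not code from the original post) using SQLite, whose write-ahead log stands in for the transaction log discussed above; the table and its rows are constructed. It takes a copy of a database that is in use in three ways: a plain file copy of the open database (what a file-level backup agent does), an online backup through the database’s own backup API, and an offline copy after shutting the database down.

```python
"""Online vs. offline backup of a live database, shown with SQLite.

Added example, not code from the original post. SQLite stands in for the
"extensive database" of the text because it runs in-process; the table and
rows are constructed. The write-ahead log (shop.db-wal) plays the role of the
transaction log the article mentions.
"""
import shutil
import sqlite3
import tempfile
from pathlib import Path

ROWS = 100


def rows_in(db_path: Path) -> int:
    """Open a backup copy, make sure it is structurally sound, and count its orders."""
    conn = sqlite3.connect(db_path)
    try:
        if conn.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise RuntimeError(f"{db_path} failed integrity_check")
        return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    finally:
        conn.close()


def compare_backups() -> dict:
    """Copy the same live database three ways and report how many rows each copy restores."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "shop.db"
        naive_copy = Path(tmp) / "naive_copy.db"
        api_copy = Path(tmp) / "api_copy.db"
        offline_copy = Path(tmp) / "offline_copy.db"

        src = sqlite3.connect(live)
        mode = src.execute("PRAGMA journal_mode=WAL").fetchone()[0]
        if mode != "wal":
            raise RuntimeError("this demonstration needs WAL mode (a transaction log)")
        src.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount REAL)")
        src.commit()
        # Fold the (empty) table into the main file, so only the rows below end up in the log.
        src.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()

        # Users keep working: 100 committed orders, all still sitting in shop.db-wal
        # (well under SQLite's 1000-page auto-checkpoint threshold).
        src.executemany("INSERT INTO orders(amount) VALUES (?)",
                        [(float(i),) for i in range(ROWS)])
        src.commit()

        # 1. A file-level copy of the open database: consistent but stale, because
        #    the log holding the committed rows is not part of the copy.
        shutil.copyfile(live, naive_copy)

        # 2. Online backup through SQLite's backup API: a consistent snapshot that
        #    includes the logged changes, taken while the database stays in use.
        dst = sqlite3.connect(api_copy)
        src.backup(dst)
        dst.close()

        # 3. Offline backup: shut the database down first. Closing the last
        #    connection checkpoints and removes the log, so a plain file copy is
        #    complete now, at the cost of downtime.
        src.close()
        shutil.copyfile(live, offline_copy)

        return {
            "naive_rows": rows_in(naive_copy),
            "api_rows": rows_in(api_copy),
            "offline_rows": rows_in(offline_copy),
        }


if __name__ == "__main__":
    print(compare_backups())
```

The naive copy passes an integrity check and still contains zero of the hundred orders, which is exactly the kind of backup that “works” until the day you restore it; the online backup and the offline copy both contain all rows. Real database engines have an equivalent of the backup API (a dump tool or a hot-backup mode) and the same rule applies: either quiesce the database or use the engine’s own mechanism, never a bare file copy.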

Cloud Storage and Ransomware

Many people believe that storing data in the Cloud gives complete protection against Ransomware attacks, which is not true. The Cloud does not prevent Ransomware from encrypting your files.

Services like Dropbox, OneDrive, Google Drive, iCloud, etc., synchronize your files rather than back them up. You work on the files locally, and the client uploads every change to the Cloud. When Ransomware runs, it encrypts the local files, and the sync client dutifully uploads the encrypted versions, overwriting the good copies in the Cloud. Most of these services keep older versions of a file for a limited time, which may let you roll back, but that is a convenience feature with retention limits, not a backup under your control. Keep a separate backup that the sync client (and the account it runs under) cannot overwrite.

Disaster Recovery Exercises

The most critical part is conducting full-scale tests of your backups. You do this by simulating an incident that triggers every activity required to meet the defined Recovery Time Objective (RTO), and you measure whether the RTO (and the RPO) were actually met.

You can simulate a disaster by declaring a system lost and running the complete restore procedure for it from backup, on isolated hardware or an isolated network segment. Make sure the exercise does not impose unnecessary risk on the business: never shut down or restore over the actual production systems during an exercise, because that can itself cause a real incident or real downtime. Restoring a copy beside production is also what proves that the backup media is readable and the restored data is complete.
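As an added example (not from the original post), here is a restore-test script in the spirit of such an exercise. It builds a constructed sample file share, records a SHA-256 manifest of the live data at backup time, restores the archive into an isolated scratch directory, verifies every restored file against the manifest, and compares the restore time with an assumed RTO of 60 seconds. The directory layout, file names and the tar-based backup are assumptions for the demonstration; the second run shows what a backup job that silently skipped a file looks like.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): an automated restore test.
# A backup is restored into a scratch directory that is NOT production, every
# restored file is checked against a SHA-256 manifest recorded at backup time,
# and the wall-clock restore time is compared with the agreed RTO.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data standing in for a small file share.
make_sample_data() {  # $1 = directory to populate
    mkdir -p "$1/finance" "$1/hr"
    printf 'Q1 ledger\n' > "$1/finance/ledger.csv"
    printf 'payroll run 2021-03\n' > "$1/hr/payroll.txt"
    seq 1 500 > "$1/hr/records.txt"
}

# Record what "complete" means at backup time: one checksum per live file.
# (Paths here contain no whitespace; a production script would use -print0.)
make_manifest() {  # $1 = source dir, $2 = absolute manifest path
    ( cd "$1" && find . -type f | sort | xargs sha256sum ) > "$2"
}

# The backup job itself: in this example a plain tarball.
create_archive() {  # $1 = source dir, $2 = archive path
    tar -C "$1" -cf "$2" .
}

# Restore into an isolated scratch directory, verify against the manifest,
# and time the whole thing. Exit status: 0 = pass, 1 = data missing or
# corrupt, 2 = restore completed but took longer than the RTO.
restore_test() {  # $1 = archive, $2 = absolute manifest path, $3 = RTO in seconds
    scratch="$(mktemp -d "$WORK/restore.XXXXXX")"
    start="$(date +%s)"
    tar -C "$scratch" -xf "$1" || return 1
    ( cd "$scratch" && sha256sum -c "$2" > /dev/null ) || return 1
    elapsed=$(( $(date +%s) - start ))
    echo "restore of $1 took ${elapsed}s (RTO ${3}s)"
    [ "$elapsed" -le "$3" ] || return 2
    return 0
}

# --- demo run ---------------------------------------------------------------
SRC="$WORK/share"
make_sample_data "$SRC"
make_manifest "$SRC" "$WORK/share.sha256"

create_archive "$SRC" "$WORK/good.tar"
restore_test "$WORK/good.tar" "$WORK/share.sha256" 60 && echo "good.tar: PASS"

# Simulate a backup job that silently skipped a file (the "14% of data not
# backed up" problem): same manifest, archive taken after a file went missing.
rm "$SRC/hr/records.txt"
create_archive "$SRC" "$WORK/incomplete.tar"
restore_test "$WORK/incomplete.tar" "$WORK/share.sha256" 60 \
    || echo "incomplete.tar: FAIL (exit $?)"
```

The point of the manifest is that it is produced from the live data, independently of the backup job, so a backup that is missing or mangling files fails the test instead of being trusted because the job reported success. Run this on a schedule against every backup set you would rely on, and treat a failing run the same way you would treat a failed backup.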

Final Thoughts

Investing in a robust backup and data protection system is more critical than a state-of-the-art Cybersecurity system. Smaller companies in particular have to choose, because their budgets are limited.

Your first line of protection should be a strong backup that prevents a situation in which a party with bad intentions has the opportunity to hijack data and can ask for a ransom fee because you don’t have a backup available. When a thief enters an empty house with nothing to steal, he leaves and won’t return.

Of course, it’s not that “black and white”: once the basics are in place, you should add further (preventive) security measures. Prevention matters because the stress and the recovery time are unavoidable once a Ransomware attack occurs: when criminals get into your systems, the damage is real and the event has a significant (emotional) impact on your employees, no matter what. Check out my post about preventive measures for more guidance on this.

Feel free to contact me if you have questions or in case you have any additional advice/tips about this subject. If you want to keep me in the loop if I upload a new post, make sure to subscribe, so you receive a notification by e-mail.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.
