5 Steps to Ransomware-Proof your Backup Systems

THE AUTHOR

Brad Rudisail
April 29, 2022

When formulating a strategy to protect your enterprise against ransomware, it’s critical to shore up your backup system defenses. Backups don’t often get the respect they deserve, yet they are the white knight that often comes in to save the day after a ransomware attack has laid waste to your data.

That’s why your backup system is targeted for encryption in the same fashion as your servers and data repositories. The security measures required to protect your backup systems aren’t much different than the ones you use to secure systems within your production network. Here are 5 steps you should take to ensure that your backups remain resilient enough to withstand any attack, and bring your organization back from near disaster.

1. Isolate Your Backup System From Your Production Network

While we certainly want to prevent a ransomware attack altogether, at some point, an unsuspecting user is going to click on a malicious link or fall prey to a zero-day attack due to an unpatched vulnerability. That’s where the secondary goal of containment comes into play. In the same way the hull of a ship is segmented into multiple watertight compartments to restrict the flooding to one or more compartments in case of damage, your network should be split into multiple distinct security zones, also known as VLANs. Your backup system should be separated from the rest of your network by its own segment.

2. Use Next-Generation Firewalls

Partitioning your network into multiple VLANs isn’t enough, however. While VLANs will suppress broadcast traffic, they can’t by themselves contain advanced malware attacks such as ransomware. You need to implement next-generation firewall (NGFW) protection within your network perimeter to inhibit the lateral movement of malicious code, using firewall policies that only allow designated traffic to traverse these defined subnet borders. An NGFW can also supplement these policies with antivirus scrubbers, application filtering and intrusion protection.

3. Don’t Join Your Backup System To Active Directory

You must also assume that threat actors will target your AD environment. Their goal is to crack it and seize control of privileged accounts with admin rights to critical resources such as your backups. Once a single privileged account is compromised, external threat actors can attain access to anything. Only use local accounts to access your backup management system.

4. Don’t Use Remote Desktop To Access Your Backup Server

Remote Desktop Protocol (RDP) is a highly convenient way for IT admins to bounce from server to server when needed. Unfortunately, convenience often comes at the expense of security. According to a 2020 Incident Response and Data Breach Report compiled by Palo Alto Networks, 50% of ransomware attacks were perpetrated using RDP compromise as the initial attack vector. While most security-minded organizations prohibit the use of RDP to access internally located resources from outside the network, the internal use of RDP should be prohibited when accessing your backup management system as well. An advanced backup system will have a dedicated remote console assigned to a custom port. This is the most secure way to remotely access your backup system.
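One way to check steps 1, 2 and 4 against an exported firewall rule set, added here as an illustration and not taken from the article or any vendor's tooling. The subnets, the console port, the admin host range and the rule format are all constructed assumptions, and rule order is ignored for simplicity.

```python
import ipaddress

# Constructed sample values; none come from the article.
BACKUP_NET = ipaddress.ip_network("10.50.0.0/24")   # hypothetical backup VLAN subnet
ADMIN_HOSTS = ipaddress.ip_network("10.10.5.0/28")  # hypothetical backup-admin workstations
CONSOLE_PORT = 8443                                 # hypothetical custom console port
RDP_PORT = 3389
# Constructed, vendor-neutral export of inter-VLAN rules.
RULES = [
    {"id": 1, "action": "allow", "src": "10.10.5.0/28", "dst": "10.50.0.10/32", "ports": "8443"},
    {"id": 2, "action": "allow", "src": "10.10.0.0/16", "dst": "10.50.0.0/24", "ports": "3389"},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "10.50.0.0/24", "ports": "any"},
    {"id": 4, "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.0.0/24", "ports": "443"},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "10.50.0.0/24", "ports": "any"},
]

def port_set(spec):
    """Expand 'any', '443', '80,443' or '8000-8100' into a set of ports (None = any)."""
    if spec == "any":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules):
    """Return (rule id, finding) for each allow rule that weakens backup isolation."""
    findings = []
    for r in rules:
        dst = ipaddress.ip_network(r["dst"])
        if r["action"] != "allow" or not dst.overlaps(BACKUP_NET):
            continue
        src, ports = ipaddress.ip_network(r["src"]), port_set(r["ports"])
        if ports is None or RDP_PORT in ports:
            findings.append((r["id"], "RDP reachable on backup segment"))
        if ports is None or ports - {CONSOLE_PORT}:
            findings.append((r["id"], "non-designated port allowed into backup segment"))
        if not src.subnet_of(ADMIN_HOSTS):
            findings.append((r["id"], "source wider than backup-admin hosts"))
    # Containment depends on an explicit deny for everything not designated.
    if not any(r["action"] == "deny" and r["ports"] == "any"
               and BACKUP_NET.subnet_of(ipaddress.ip_network(r["dst"])) for r in rules):
        findings.append((None, "no default-deny rule covering backup segment"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print(rule_id, finding)
```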

5. Implement the Principle of Least Privilege

It’s very simple: in the same way that you restrict membership of your global admin groups to a select few individuals, you must do the same for the group representing your backup admins. There is no reason why your entire IT staff needs management privileges to your backup system. The fewer accounts that have access, the less chance there is of your backups being compromised.

Respect the Backups

A well-designed security strategy takes time. Don’t shortchange your backup efforts by taking shortcuts or minimizing their importance. Give your backups the respect they deserve and ensure that they’re protected.
