When formulating a strategy to protect your enterprise against ransomware, it’s critical to shore up your backup system defenses. Backups don’t often get the respect they deserve, yet they are the white knight that often comes in to save the day after a ransomware attack has laid waste to your data.
That’s why your backup system is targeted for encryption in the same fashion as your servers and data repositories. The security measures required to protect your backup systems aren’t much different from the ones you use to secure systems within your production network. Here are 5 steps you should take to ensure that your backups remain resilient enough to withstand an attack and bring your organization back from near disaster.
While we certainly want to prevent a ransomware attack altogether, at some point an unsuspecting user is going to click on a malicious link or fall prey to a zero-day attack that exploits an unpatched vulnerability. That’s where the secondary goal of containment comes into play. In the same way the hull of a ship is segmented into multiple watertight compartments so that damage floods only one or two of them, your network should be split into multiple distinct security zones, typically implemented as VLANs. Your backup system should be separated from the rest of your network by its own segment.
Partitioning your network into multiple VLANs isn’t enough, however. While VLANs suppress broadcast traffic, that alone won’t contain advanced malware attacks such as ransomware. You need to implement next-generation firewall (NGFW) protection inside your network perimeter to inhibit the lateral movement of malicious code, using firewall policies that only allow designated traffic to traverse these defined subnet borders. An NGFW can also supplement these policies with antivirus scrubbing, application filtering and intrusion prevention.
You must also assume that threat actors will target your Active Directory (AD) environment. Their goal is to crack it and seize control of privileged accounts with admin rights to critical resources such as your backups. Once a single privileged account is compromised, external threat actors can attain access to anything that account can reach. Only use local accounts to access your backup management system.
Remote Desktop Protocol (RDP) is a highly convenient way for IT admins to bounce from server to server when needed. Unfortunately, convenience often sacrifices security. According to the 2020 Incident Response and Data Breach Report compiled by Palo Alto Networks, 50% of ransomware attacks were perpetrated using RDP compromise as the initial attack vector. While most security-minded organizations prohibit the use of RDP to access internal resources from outside the network, the internal use of RDP should be prohibited when accessing your backup management system as well. An advanced backup system will have a dedicated remote console assigned to a custom port. This is the most secure way to remotely access your backup system.
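As an added example (not from the original article), here is a small Python audit that ties the NGFW policy step and the no-RDP step together: it walks a vendor-neutral rule list and flags any allow rule that reaches the backup segment from a source outside the designated allow-list, on every port, or on RDP. The subnets, the console port and the rule names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for this example: the backup VLAN and the only sources
# that have a business reason to reach it (backup clients and one jump host).
BACKUP_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.0.0/24"),  # production servers being backed up
    ipaddress.ip_network("10.99.0.5/32"),  # dedicated backup-admin jump host
]
RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    """One simplified firewall rule (vendor-neutral, constructed for this example)."""
    name: str
    src: str     # CIDR
    dst: str     # CIDR
    port: str    # destination port number as a string, or "any"
    action: str  # "allow" or "deny"


def audit_backup_rules(rules):
    """Return (rule name, problem) pairs for allow rules that reach the backup segment."""
    findings = []
    for rule in rules:
        dst = ipaddress.ip_network(rule.dst, strict=False)
        if rule.action != "allow" or not dst.overlaps(BACKUP_SEGMENT):
            continue  # deny rules and rules that never touch the backup VLAN are fine
        src = ipaddress.ip_network(rule.src, strict=False)
        if not any(src.subnet_of(allowed) for allowed in ALLOWED_SOURCES):
            findings.append((rule.name, "source is outside the backup allow-list"))
        if rule.port == "any":
            findings.append((rule.name, "permits every port into the backup segment"))
        elif int(rule.port) == RDP_PORT:
            findings.append((rule.name, "permits RDP into the backup segment"))
    return findings


# Constructed sample policy: two designed rules, two that undermine the segment.
SAMPLE_RULES = [
    Rule("backup-jobs", "10.10.0.0/24", "10.50.0.0/24", "9401", "allow"),
    Rule("admin-console", "10.99.0.5/32", "10.50.0.10/32", "9401", "allow"),
    Rule("legacy-rdp", "10.20.0.0/24", "10.50.0.0/24", "3389", "allow"),
    Rule("catch-all", "0.0.0.0/0", "0.0.0.0/0", "any", "allow"),
    Rule("default-deny", "0.0.0.0/0", "10.50.0.0/24", "any", "deny"),
]

if __name__ == "__main__":
    for name, problem in audit_backup_rules(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

Exporting your real policy into this shape and running the audit after every change is a cheap way to catch a stray RDP or any-any rule before it reaches the backup VLAN.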
It’s very simple: in the same way that you restrict membership of your global admin groups to a select few individuals, you must do the same for the group representing your backup admins. There is no reason why your entire IT staff needs management privileges to your backup system. The fewer accounts that have access, the less chance there is of your backups being compromised.
A well-designed security strategy takes time. Don’t shortchange your backup efforts by taking shortcuts or minimizing their importance. Give your backups the respect they deserve and ensure that they’re protected.