Keep backups safe from cyberattacks

The vital steps to protect your last line of defence

Cybercriminals are increasingly using a two-pronged approach to ransomware attacks. In this approach, first observed in 2018, attackers destroy the backup data, then encrypt the systems.

“Today, this cyberattack method is occurring more frequently and on a larger scale,” says Ryan Weeks, CISO, Datto. “With ransomware predicted to increase, organisations need to revisit their business continuity and disaster recovery (BCDR) strategy and take measures to ensure their backups are secure.”

Backup software requires a high level of access to files, systems, virtual machines, databases and other aspects of a computing environment, creating additional risk, Weeks advises. “To minimise this risk, companies need to take a multi-step approach, both on-premises and in the cloud. The first step is to make two-factor authentication mandatory both for access to the backup administration portal and for activities that have the potential to manipulate or delete backup data.”

ALL THE RIGHT CONNECTIONS
Be sure connections cannot be made directly to a backup appliance, he states. For remote access, use key-based SSH authentication. “If a remote monitoring and management solution (RMM) is used, this could be a point of attack and security needs to be heightened. In addition, separate the appliance from backups stored in the cloud with independent authentication mechanisms, and never store admin credentials on a local browser.”

Backup files are easy targets, because file extensions, such as BAK, are easily located. “To keep backups secure, they should be stored in read-only state. If encrypting, follow best practices, such as storing the encryption key on a separate physically secured device. In addition, proactively scan backups for ransomware.

BACKUP – BACKUP – BACKUP
“Maintain multiple copies of backups in separate secure locations and limit the ability to modify the data or its storage. Current backup solutions can provide several point-in-time recovery points, as well as the ability to replicate backups to cloud storage. In addition, protect backups from intentional and accidental deletion by creating an ‘undelete’ time window.”
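The read-only and multiple-copy advice above can be checked routinely. The following is an added example, not code from the article or from any backup product: a Python audit that flags backup files with any write bit set and replicas that are missing or no longer match the primary copy. The directory names, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def sha256_of(path):
    # Whole-file read keeps the example short; stream in chunks for large backups.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_backups(primary, replicas):
    """Return (relative file, problem) findings for one primary and its replicas."""
    findings = []
    primary = Path(primary)
    for src in sorted(p for p in primary.rglob("*") if p.is_file()):
        rel = src.relative_to(primary)
        if src.stat().st_mode & WRITE_BITS:
            findings.append((str(rel), "primary copy is writable"))
        digest = sha256_of(src)
        for rep in map(Path, replicas):
            copy = rep / rel
            if not copy.is_file():
                findings.append((str(rel), f"missing from replica {rep.name}"))
            elif sha256_of(copy) != digest:
                findings.append((str(rel), f"differs from replica {rep.name}"))
            elif copy.stat().st_mode & WRITE_BITS:
                findings.append((str(rel), f"replica {rep.name} copy is writable"))
    return findings

def demo():
    """Constructed sample: one clean backup, one left writable, one altered replica."""
    root = Path(tempfile.mkdtemp())
    primary, offsite = root / "primary", root / "offsite"
    primary.mkdir()
    offsite.mkdir()
    for name, data in {"db.bak": b"mon", "files.bak": b"tue", "vm.bak": b"wed"}.items():
        for directory in (primary, offsite):
            (directory / name).write_bytes(data)
            os.chmod(directory / name, 0o444)
    os.chmod(primary / "files.bak", 0o644)         # primary left writable
    os.chmod(offsite / "vm.bak", 0o644)
    (offsite / "vm.bak").write_bytes(b"altered")   # replica content changed
    os.chmod(offsite / "vm.bak", 0o444)
    return audit_backups(primary, [offsite])

if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

File mode bits are only one layer of a read-only state, since an account with administrative rights on the storage host can change them; the audit reports drift and does not enforce immutability.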

When testing backups on a regular basis, make sure testing includes full restoration, Weeks continues. “Perform bare-metal restorations as they would occur in a real disaster situation. Finally, confirm that network connectivity can be re-established, Active Directory is properly working, applications can communicate with each other and document everything.”

Backups are an organisation’s last line of defence and hackers know this, he concludes. “They are increasingly looking for vulnerabilities in backup software, backup files and the systems on which backup data is stored. Now’s the time to take the necessary steps to ensure backups are safe, uncorrupted and readily available for instant recovery.”