In today’s bulletin, Charlie discusses backups and looks at some reasons why hackers may be able to access your backups.
As many readers of this bulletin will know, PlanB Consulting has recently been bought by Databarracks. The company has four main services: business resilience services (the PlanB bit), disaster recovery as a service, public cloud, and backup as a service. Throughout my career to date, I have avoided getting too involved with the technical side of business continuity and cyber. I know backups play a huge role in cyber response: if you can recover quickly and easily from your backups, you can mitigate much of the impact of a cyber attack. Being part of Databarracks is a huge opportunity for me to learn more about DR and backup, so I thought that as I learned more about backups, I would share what I learn via my weekly bulletin.
My first learning is about the 3-2-1 backup rule.
- You should keep 3 copies of your data – the original copy and 2 backups.
- You should use 2 different media to store the data.
- 1 of the copies should be kept off-site.
Looking at the NCSC website, I found some interesting guidance on the principles of ransomware-resilient cloud and on-site backups. The principles are worth a read, but what I also thought was interesting is how the bad guys ‘get’ your backups. There seems to be quite a long list!
- If your main copy and your backup both have open access, an attacker will find it very easy to encrypt or destroy the main copy and the backup almost simultaneously.
- Attackers can access backups via unpatched vulnerabilities.
- If you store your backups on write-once-read-many media, then attackers will not be able to destroy them.
- Implement a retention period after data deletion, so that attackers believe they have erased the data while a copy is actually still held elsewhere on the network, ready to be accessed and used.
- They can flood your data storage facility with corrupted data, which overwrites all the different versions of the data.
- If data is encrypted at rest, the attacker can delete or modify the encryption key, rendering the backup inaccessible.
- If the data is stored in the cloud, the attacker can stop a victim organisation from accessing its own backup data by disabling or deleting all customer accounts or corporate identities.
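To make the list above concrete, here is a small added example (my own illustration, not code from the bulletin, Databarracks or the NCSC) that checks a backup inventory against the 3-2-1 rule and against the attacker routes listed above: shared admin identities, no write-once-read-many copy, short retention, and an encryption key that the same people can delete. The field names, the sample inventory and the 30-day retention threshold are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    media: str                 # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool            # write-once-read-many or object-lock protected
    retention_days: int        # how long deleted or overwritten versions are kept
    admins: frozenset          # identities able to write to or delete this copy
    key_admins: frozenset      # identities able to delete its encryption key

MIN_RETENTION_DAYS = 30        # assumed threshold, not a figure from the bulletin

def assess_backups(primary_admins: frozenset, copies: list) -> list:
    """Return a list of findings; an empty list means no gap was found."""
    findings = []
    # 3-2-1: the original plus 2 backups, 2 media types, 1 copy off-site
    if len(copies) < 2:
        findings.append("3-2-1: fewer than two backup copies")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: every copy uses the same media type")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no off-site copy")
    # Attacker routes from the bulletin
    if not any(c.immutable for c in copies):
        findings.append("no write-once-read-many copy: backups can be destroyed")
    for c in copies:
        if c.admins & primary_admins:
            findings.append(f"{c.name}: one identity can destroy primary and backup together")
        if c.retention_days < MIN_RETENTION_DAYS:
            findings.append(f"{c.name}: short retention lets corrupted data overwrite every version")
        if c.key_admins & (primary_admins | c.admins):
            findings.append(f"{c.name}: backup or primary admins can delete its encryption key")
    return findings

# Constructed sample inventory: one online disk copy run by the domain admins,
# one off-site WORM tape copy with separate operators and key custodians.
PRIMARY_ADMINS = frozenset({"domain-admins"})
SAMPLE_COPIES = [
    BackupCopy("nightly-disk", "disk", False, False, 7,
               frozenset({"domain-admins"}), frozenset({"domain-admins"})),
    BackupCopy("weekly-tape", "tape", True, True, 365,
               frozenset({"backup-ops"}), frozenset({"kms-custodians"})),
]

if __name__ == "__main__":
    for finding in assess_backups(PRIMARY_ADMINS, SAMPLE_COPIES):
        print(finding)
```

Run as-is it reports three findings, all against the nightly disk copy, which is exactly the copy an attacker who owns the domain admins would go for first.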
That’s as far as I have got for today, but in the new year, I will be writing in more detail on the subject!