How Safe Are Your Backups?

It may seem like a silly question, as backups are never traditionally thought of as being at risk. It stems back to a time when backups were on tape—a medium that would be tough for even the most skilled developer to hack into. But today’s backups are stored (whether on-prem or in the cloud) on disk… or more specifically, files in a file system. Depending on how accessible that file system is, your backups themselves may be at risk.

ransom_pay_backup.jpgIt’s far more likely they’d be at risk of attack from ransomware than anything—if for no other reason than the benefit to the cybercriminal: If they can encrypt your backups (along with production data), you’d have no other recourse but to pay the ransom, no matter how high. The only other instance I can think of when backups would be important to an attacker is in the case of data manipulation or data destruction, if they were intent on prohibiting you from putting data back into a known good state, destroying backups could be a strategic move.

Take the following examples of malware and think about how backup data could be accessed:

  • SynoLocker
    This purpose-built ransomware took advantage of a specific vulnerability found on Synology NAS devices and encrypted the contents.
  • EternalBlue
    This code leverages SMB connections to spread malware across multiple Windows endpoints.
  • Locky
    This ransomware-traversed mapped network shares to find content to encrypt.

While none of these specifically are examples of backupsbeing encrypted, the point is, if your backups are accessible to any endpoint (and they are), they are at risk.

First off, if you’re thinking “I’m safe, my backups are encrypted,” you’re missing the point. Attackers aren’t trying to access your backups; they’re trying to take away your ability to use your backups.

So, how do you protect your backups?

Keeping Backups Safe

backup_safe.jpgYour mindset should be one of security here. The goal is to protect a data set that is the foundation for protecting every other data set in your organization. The following steps (although not an exhaustive list) could put your organization in a good position to help ensure backups aren’t inappropriately accessed or manipulated.

  1. Implement least privilege
    To affect your backups, an attack needs to have access to them in the first place. Limit the number of accounts that have access to backup data, restricting the use of those accounts to only backup-related processes (e.g. don’t use Administrator to perform your backups, as you may log on with those credentials on another system that is already infected with, say, a keylogger).
  2. Isolate your backups
    Eliminating the ability for any inbound connections would be a smart start. Set up firewall rules to allow the server performing the backups to operate so that an outbound connection needs to be established with the system being backed up, but no inbound sessions are initiated.
  3. Maintain multiple copies
    Protecting your backups gives new life to the “3-2-1 Backup Rule” (3 copies of your data, 2 different mediums, 1 off-site). If you’re an on-prem backup show, consider going hybrid cloud or cloud-first instead and maintain backups securely in the cloud. If you’re copying data to the cloud as part of a backup job—so, should the on-prem data be manipulated or tampered with in any way, that isn’t copied to the cloud.

If you’re not taking these kinds of proactive steps, your backups are potentially at risk. Cybercriminal organizations are becoming more sophisticated in their tactics, looking for ways to ensure their attacks are successful. So, it’s natural to conclude that if removing backups as an option for their prey is beneficial to the attacker, they’re going to look for ways to make that happen.

By putting the three steps above in place, you can help reduce the likelihood of your backups being a target, and increase your organization’s ability to recover from an attack.


Additional reading: 


Nick Cavalancia has over 20 years of enterprise IT experience and is an accomplished executive, consultant, trainer, speaker, and columnist. He has authored, co-authored and contributed to over a dozen books on Windows, Active Directory, Exchange and other Microsoft technologies. Nick has also held executive positions at ScriptLogic, SpectorSoft and Netwrix and now focuses on the evangelism of technology solutions.

Follow Nick on Twitter at @nickcavalancia