Ransomware is moving on – to attack organisations’ back-ups. The problem is that there is too much focus on anti-virus software, and so people are being reactive rather than proactively defending themselves against cyber attacks. It’s time to re-think how to migrate and store data securely by creating new cyber security strategies with the inclusion of air gaps.
By creating air gaps between back-ups – with some of the data being stored offline and disconnected from any other data source – it becomes possible to protect critical data. So, when a ransomware attack occurs, it should be possible to restore your data without much downtime – if any at all.
While this is very good advice, life’s not so simple. Organisations therefore find themselves taking one step forward and then one step back. It is always a cat and mouse game with malware of any sort. Once a hole is found to exploit a security weakness, a patch is quickly needed to close it.
Traditionally, ransomware has targeted the storage subsystems, which has spurred organisations into putting robust backup procedures in place to counter an attack if it gets through.
Backup programs and their associated storage will be the next target. Unwittingly, everyone has made it slightly easier for cyber-attackers with the trend to move away from tape storage to disk storage.
Consequently, the battle rages on. Prevention is nevertheless still better than a cure. Organisations therefore need to be more proactive than they ever have been. So, this must be achieved by protecting data in ways that allow it to be readily recovered whenever a ransomware attack, or some other cyber security issue, threatens to disrupt day-to-day business operations.
Clive Longbottom, client services director at analyst firm Quocirca, explains: “If your backup software can see the back-up, so can the ransomware. Therefore, it is a waste of time arguing about on-site v off-site – it comes down to how well airlocked the source and target data locations are.”
He agrees with the view that there is too much focus on anti-virus software, claiming that it is very difficult to protect organisations against such attacks. “Education only partially works – newer approaches (ML, AI, etc) are needed to pre-empt and block any encryption attack”, he says.
Layers of defence
However, to defend against any cyber attack there need to be several layers of defence. It doesn’t matter whether the technology involved is being used in the NHS for medical purposes or within the military. The layers of defence in my view consist of a firewall, anti-virus software, backup, and your last layer of defence must be the most robust of them all to stop any potential costly disruption in its tracks before it’s too late. So, anti-virus software must still play a key defensive role.
Longbottom nevertheless warns: “A ransomware attack is pretty brutal. It requires a lot of CPU and disk activity. It should be possible for a system to pick up this type of activity and either block it completely, throttle it, or prevent it from accessing any storage system other than ones that are directly connected physically to the system.”
Malware attacks are more akin to one step back, one step forward, as the malware thrusts and then the software parries. Each time one of the layers of defence parries, the developers of the malware will try another outflanking movement to test the defences.
Secure data migration
So, how can organisations securely migrate their data and systems to protect themselves against ransomware and other cyber attacks? Longbottom says they can’t, and adds his thoughts about how organisations can complete these tasks:
“Airlocked sources or target data systems are a starting point, but the airlock has to be broken to allow backups to occur. The best approach is two-stage: a back-up to a first stage, with the source then being broken from the back-up, and a new backup of the first stage then being made to a second stage, after which that connection is broken. At all times, there will therefore be one backup that is securely removed from the rest of the system – but you can’t do real-time snapshots.”
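The two-stage rotation described above can be audited from connection records. The following is an added example, not taken from the article or from any product it mentions: it replays a constructed log of link up/down events (the location names and the log format are assumptions) and reports any period in which the source could reach both backup stages at once, meaning no copy was airlocked.

```python
from collections import deque

SOURCE, STAGE1, STAGE2 = "source", "stage1", "stage2"  # assumed location names

# Constructed log of airlock events: (minute, action, link between two locations).
GOOD_LOG = [
    (0, "up", (SOURCE, STAGE1)),     # airlock opened for the first-stage backup
    (30, "down", (SOURCE, STAGE1)),  # source broken from the backup
    (35, "up", (STAGE1, STAGE2)),    # first stage copied to the second stage
    (65, "down", (STAGE1, STAGE2)),  # second connection broken
]
# Constructed fault: the second copy starts before the source link is broken.
BAD_LOG = [
    (0, "up", (SOURCE, STAGE1)),
    (25, "up", (STAGE1, STAGE2)),
    (30, "down", (SOURCE, STAGE1)),
    (65, "down", (STAGE1, STAGE2)),
]

def reachable(start, links):
    """Every location reachable from start over the links currently up."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for a, b in links:
            if node in (a, b):
                other = b if node == a else a
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen

def exposure_windows(log):
    """Replay the log; return (start, end) spans in which the source can
    reach both backup stages, i.e. no backup is airlocked."""
    links, windows, since = set(), [], None
    for minute, action, link in sorted(log, key=lambda event: event[0]):
        if action == "up":
            links.add(link)
        else:
            links.discard(link)
        exposed = {STAGE1, STAGE2} <= reachable(SOURCE, links)
        if exposed and since is None:
            since = minute
        elif not exposed and since is not None:
            windows.append((since, minute))
            since = None
    if since is not None:
        windows.append((since, None))  # still exposed when the log ends
    return windows
```

An empty result means the schedule kept at least one backup out of the source's reach at every step; an end value of None marks a link that was never taken down again.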
Yet for years larger organisations have implemented disaster recovery plans to protect themselves from natural disasters. This has involved moving and storing a recovery set of data far enough away to mitigate any disaster.
Many smaller companies have never had this ability; nor have they had the financial resources to implement such plans. However, the nature of a disaster has changed from just natural to man-made cyber attacks. Several ransomware programs are now attacking the back-up data sets, so getting data off site is becoming imperative for every organisation.
With the recent developments from cloud storage and Disaster Recovery-as-a-Service (DRaaS) vendors, the ability to create and manage offsite data sets is within the financial scope of pretty much everyone. Yet the cloud is open and the data flows across the open internet, so it is imperative that data is encrypted as it traverses the internet on its way to the cloud.
ML and AI systems
Longbottom replies: “There is a strong need for machine learning (ML) and artificial intelligence (AI) systems to be able to deal with ransomware attacks in real-time to prevent them from carrying out encryption.”
However, as the backup data set in many cases is the last layer of defence, having that air gap is vital. Think of it as pulling up the drawbridge on a castle; so, make your back-ups your data castle.
Given this, how can data acceleration enable secure data migration compared to any traditional means of back-up and restore? When everything goes wrong, you should consider the time taken to recover the data. Putting distance between your data centre and your off-site recovery depository will affect the ability to maximise the bandwidth of your connection due to latency and packet loss.
Some cloud backup and gateway appliances will improve the performance of the data being passed to the cloud by caching and compressing the data before sending it to the cloud. This means you may not have a valid backup until this whole process has been completed. Equally, there is no performance improvement when pulling data from the cloud.
Wide area network (WAN) data acceleration solutions such as PORTrockIT can enable the secure and encrypted transmission of data for backup and storage in ways that WAN optimisation can’t achieve. This also allows data centres and disaster recovery sites to be located miles away from each other, and without being slowed down by data and network latency. Packet loss is also reduced.
Traditionally, data centres are positioned in close proximity to each other to tackle the impact of latency. That’s fine and dandy, but for the fact they are all too often situated within the same circles of disruption. This increases the financial, operational and reputational risks associated with downtime. Ideally, just as there is a need for the prevention of cyber-attacks, the focus should be on business and service continuity – leading to better customer satisfaction, saving costs and brand reputations.
That said, my top tips for migrating data to prevent ransomware attacks are as follows:
• The more layers you can add the better.
• User education – normally it is us who are the weakest link.
• Back-up is your last layer of defence – plan it, test it, update it regularly.
• Have a copy off site so they can’t get to it – tape or cloud but don’t leave the drawbridge down.
• Plan your backup process for your recovery requirement.
Humans: Too predictable
Longbottom concludes: “Education is only useful as a stopgap. Humans are too unpredictable (or, actually, too predictable in how useless they are). Much better to go for automated systems – if you can get them. New anti-ransomware systems are coming through – but it is difficult to figure out how effective they are until a massive attack is thwarted by them.”
Thankfully though, data acceleration can ensure that data can be backed up and retrieved more quickly than ever before. The final tip is to use at least 3 disaster recovery sites to back up data. So, if one goes down, two others can keep you operational – and that’s even better when disaster recovery is achieved seamlessly with the help of artificial intelligence and machine learning.
Sourced by David Trossell, CEO and CTO of Bridgeworks