E ncryption is a great way to keep data secure, but sometimes it can be used against us. Yes, we’re talking about ransomware. According to Statista, “preventing malware, including ransomware” is ranked as the second most pressing cyber security issue in 2017, according to IT security professionals worldwide, just after “identifying vulnerabilities.”
Ransomware attacks are getting more efficient. They can now encrypt databases, use anti-sandboxing techniques, and steal credentials to allow more targeted attacks—and many types of ransomware can look for your online backups and render them unusable. Even hackers are now encrypting backups to make sure you don’t have a Plan B before they install ransomware to encrypt your laptops or production servers.
Sounds scary, doesn’t it? For a real-life example of a perfect storm, read this case study about a major US West Coast university. The malware was installed on university servers a week before the full attack was carried out, and the intruders reached the backup administrator level. The university attack was timed to begin on Saturday night, starting with the backup servers that the university relied on for protection, before spreading to other devices. Once on the live disk, the malware worked through files, encrypting them so they could no longer be read. Again, having a real offline media copy is the only way to protect your backups.
To protect your data, it’s crucial that you follow the 3-2-1 best practice.
If tape is the ultimate protection against ransomware, what else can you do to protect your data? Specifically, what are your options when using disk and/or deduplication appliances as main backup targets?
Today, disk backup is the most common backup target (it’s faster). But it has a downside—it’s always online. The only way to be sure your data won’t get encrypted is to use tape. To mitigate the downside of using online media (the cloud, disk, etc.), you can “hide” your backups from ransomware. Ransomware can’t encrypt what it can’t see.
If you’re using a Quantum DXi® deduplication appliance to reduce the amount of storage required to store your backups, why not use a different presentation than just NAS? The good news is that DXi is a multi-protocol appliance by default. By using virtual tape library (VTL) or Fibre Channel presentation (or OST if you are using NetBackup, or RMAN and more), you can make it more difficult for ransomware to reach your backups. You have more options than just NAS presentations!
Also, it’s a good idea to have your backups in an area that only authorized personnel can access. But what if your backup administrator account has been compromised? Our DXi deduplication appliances are managed via SSH/chroot connection (virtual shell), so even a compromised backup administrator account/computer can’t directly infect the DXi file system.
What about replication (read “air-gap”)?
Yes, replication can give you some room, but (there is always a “but”), what if your backups are encrypted and replicated? Yes, you have an air gap, but it will only help if you can react before your target appliance replicates your encrypted backups. So, back to our original point. There is a lot you can do to enforce your data protection strategy, but having tape as your last line of defense is a smart way to start.