Backup needs to be more than mere ransomware insurance
A backup for any law firm is a vital tool when recovering from a ransomware attack but, as part of a more extensive data management solution, can also help stop other malware in its tracks, writes Kathryn Ramanathan.
When it comes to cybercrime, one of the most worrying developments has been the spread of ransomware. In Australia, recent victims have included logistics company Toll, hospitals in regional Victoria, and a local council in Adelaide.
These days you don’t have to be a big name to be attacked. As we’ve seen over the years, even law firms are potential targets. Indeed, protecting data against ransomware should be a crucial part of any law firm’s malware strategy, as should a robust backup regime to allow for speedy recovery should the worst happen. However, don’t assume that just because you’re taking backups you can rest easy at night – it’s not that easy.
They know where your data lives
The bad guys aren’t stupid. They know that companies routinely back up their data and that most see this as the best way of “insuring” against malicious data encryption. They also know that a lot of organisations now store backups online, often on public cloud platforms and, just as often, using cloud syncing services such as Dropbox, OneDrive and Google Drive.
Similarly, many disaster recovery solutions rely on active/inactive replication to networked data stores. Ransomware will now routinely target all these resources, as well as live data, making it increasingly common for victims to discover that, when they need them the most, their backups and disaster recovery systems are also encrypted and of no use.
The kneejerk reaction to this trend will be for companies to review their backup policies and follow guidance such as that provided by the Australian Signals Directorate. This is all very well; however, as with a lot of ransomware advice, the assumption is that backup is a tool of last resort. The perception is that it is only of use when recovering from attacks, when it can, in fact, be used to help prevent them.
Prevention is better than cure
When it comes to putting this into practice, the best approach is to always include both backup and anti-malware protection as integral components of an overarching data management strategy. This is far better than bolting them on as an afterthought.
Equally, it’s essential to understand that the required data management products have varying capabilities which, in some cases, will limit how far you can go beyond the backup/restore basics. That doesn’t mean you shouldn’t try as there’s a lot at stake, and if the tools at your disposal aren’t up to the job, it’s worth looking around for alternatives.
The question is what sort of functionality, beyond simple backup and restore, does your firm need? Unfortunately, there is no magic formula, although those drawing up a shopping list could do worse than think about these three questions:
1. Can you scan your backups?
Proactive vulnerability scanning is the first line of malware prevention; however, scanning live production systems and shared assets (such as NAS appliances) across an extensive distributed infrastructure is far from easy. Scanning backups is a lot less problematic as it can be done without having an impact on system availability and (because backups are more likely held centrally) without having to manage scanning at scale across multiple endpoints.
Importantly, however, we’re not just talking about tools that simply scan backups and bin them if they contain malware, but about using backup scanning as a means of ringing alarm bells and taking pre-emptive action when malware and potential vulnerabilities are detected.
2. Can you lock down your backups?
The days when backups were taken to tapes and stored in offsite vaults are over.
Ransomware prevention requires a multi-layered approach that balances speed and ease of recovery against security. So, as well as offline copies, companies will likely take snapshots, typically using automated replication tools.
Criminals have advanced their methods and now look to target backups, removing or encrypting them as part of the attack. However, there is a way past this. Your backups need to be stored in an immutable (locked) state that can’t be mounted, modified or deleted. Not all backup programs support this, but a lot do, and it can also be implemented using more extensive data management platforms.
3. Can you recover easily, quickly and at scale?
Recovery is a complex and lengthy process, especially where an organisation is dependent on a large hybrid infrastructure spanning multiple clouds and on-premise data stores. Tools that can be used to recover at scale and focus both on rapid recovery point objectives (RPOs) and fast recovery time objectives (RTOs) are crucial and should be prioritised.
This is because, without them, recovery can take days or longer, and potentially lead to business failure.
Of course, there are lots of other factors to consider and answers to find, especially with ransomware attacks becoming ever more ingenious and making it essential to keep data management strategies under constant review.
Moreover, while there is no one-size-fits-all solution, whatever approach you take, it should always be based on sound data management hygiene and, as already stressed, the application of multi-layered defences capable of isolating backups from production data stores.
Or you could just pay the ransom, but we all know that isn’t solving the core problem.
Instead, you’re just funding more ransomware initiatives further down the line.
Kathryn Ramanathan is the ANZ channel and distribution manager at Cohesity.