Ransomware has grown steadily in its prominence and impact since the WannaCry attack five years ago – and backup is no less important as a means of recovery, despite changes in attackers’ techniques.

Because, while criminal groups resort to ever more advanced techniques, including double and triple extortion attacks, the fundamentals of ransomware still matter. Attackers infiltrate a network, find and encrypt data, and demand a payment (usually in cryptocurrency), in return for a decryption key. None of this is news, nor is it news that paying a ransom is no guarantee of being able to retrieve data. There is plenty of research to suggest that ransomware groups often fail to hand over a decryption key or, if they do, the key does not work. Research by Venafi, another cyber security supplier, suggests this happens in 35% of cases. Then there is the time, inconvenience and cost involved in recovering encrypted data. Understandably, chief information officers (CIOs) and chief information security officers (CISOs) may feel it’s worth going it alone and attempting to recover data from their own backups. Ultimately, this can be the most effective strategy. Although it is not currently illegal to pay a ransom in the UK, the NCSC and the Information Commissioner’s Office (ICO) recently called on firms not to pay ransoms. It has the advantage of not putting money into the hands of criminal gangs, and of avoiding the possibility of falling foul of sanctions for doing so. This is much easier for firms that have robust and reliable backups.

Firms can take a range of steps to reduce the risk of a ransomware attack, from technical security tools, regular patching and operating system updates to user education. If an attacker does gain access to the network and is able to encrypt files, the only option – short of paying the ransom – is to restore data from backups. But backups need to be “hardened” against ransomware attacks. Options include restoring from offsite media, including optical or tape drives, or from snapshots. Snapshots contain more than just the data: they also include metadata, parent copies and even deleted files. These snapshots are now often referred to as “immutable”, as once copied they cannot be changed.

And backup security tool suppliers have added measures to prevent snapshots being wiped, for example, by requiring multi-factor authentication to move or delete the data. This provides added protection against malware that attempts to delete or corrupt backup files. If possible, backups should be air-gapped, either physically separated from production systems or logically separated by the backup and recovery tool. Ideally, firms should use both strategies. Organisations should also consider backup to the cloud, to provide a logical and physical separation. More backup and recovery tools now support storing immutable backups in the cloud. CIOs need to be aware of storage and data egress costs, although cloud can still be more cost-effective than building extensive, on-premise backup hardware.

Any disaster recovery plan will set out the organisation’s recovery time objective (RTO), or how quickly data should be restored, and the recovery point objective (RPO), or how far back the restore needs to go to find a clean, workable copy of its data. In conventional disaster recovery planning, RTO needs to be as short as possible to minimise revenue losses, and RPO as recent as possible to reduce the need to reconstruct lost data. Quicker recovery means more frequent backups and higher storage costs. Ransomware, however, complicates matters because attackers often wait for weeks or months after they have penetrated networks before they deploy the malware. The challenge this presents is knowing how far back you will have to go to find a clean copy of data.
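
An added example, not part of the original article: a sketch of the restore-point decision the article describes, where attacker dwell time pushes the usable recovery point back past the nominal RPO. The snapshot catalogue, the `plan_restore` function and all dates are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed snapshot catalogue: one snapshot a day, 30 days of retention.
NOW = datetime(2022, 9, 30, 2, 0)
SNAPSHOTS = [NOW - timedelta(days=d) for d in range(30)]


def plan_restore(snapshots, earliest_compromise, detected_at, rpo):
    """Pick a restore point given how long the attacker was inside.

    Snapshots taken at or after the earliest known compromise are treated
    as suspect: they predate the encryption event but may already contain
    the attacker's tooling or tampered data.
    """
    ordered = sorted(snapshots)
    clean = [s for s in ordered if s < earliest_compromise]
    suspect = [s for s in ordered if s >= earliest_compromise]
    if not clean:
        # Retention is shorter than the dwell time: no trusted copy exists.
        # retention_gap is the minimum extra history that would be needed.
        return {"restore_point": None, "suspect": len(suspect),
                "data_loss": None, "meets_rpo": False,
                "retention_gap": ordered[0] - earliest_compromise}
    restore_point = clean[-1]
    # Everything written between the restore point and detection must be
    # reconstructed or re-validated, whatever the nominal RPO says.
    data_loss = detected_at - restore_point
    return {"restore_point": restore_point, "suspect": len(suspect),
            "data_loss": data_loss, "meets_rpo": data_loss <= rpo,
            "retention_gap": timedelta(0)}


if __name__ == "__main__":
    detected = datetime(2022, 9, 30, 9, 0)
    for dwell_days in (0, 21, 45):
        compromise = detected - timedelta(days=dwell_days)
        plan = plan_restore(SNAPSHOTS, compromise, detected,
                            rpo=timedelta(hours=24))
        print(f"dwell={dwell_days:>2}d", plan)
```

With daily snapshots a 24-hour RPO is met only when there is no dwell time; a 21-day dwell costs 21 days of data, and a 45-day dwell exceeds the 30-day retention window entirely.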