Protect data backups from malicious attacks and theft

Backing up servers, workstations, and other devices is a best practice and business imperative, but backups alone are no guarantee of business continuity and data protection. While creating a backup, be it a disk images or copies of files, is the start of a disaster recovery plan, it is no guarantee that a company can recover if the backup is damaged. However, an even greater concern could be the theft of an organization’s confidential data if a backup itself is stolen or otherwise compromised by an attacker.

Today’s cyber criminals are far more devious and effective than those of generations past. In the early 2000s, a cyberattack often consisted of damage to data or the theft of files. Today, attackers can steal data without the victims even knowing the theft occurred.

Phantom cloud accounts

With so much data today stored in the cloud, sophisticated attackers now can redirect backups or traditional data storage from the victim’s own cloud-based accounts to those of the attackers. Essentially, today we have organizations saving their data to their attackers’ web accounts, even though it would appear to the victim that their data was housed safely in their own cloud environment.

For organizations that are saving their backups to the cloud, their security professionals need to ensure periodically that they are indeed saving the backups to their own accounts, not a redirected account. Using compromised systems administrator credentials and by by-passing second-factor authentication in a manner similar to that of Russian state actors described in the Sophos Naked Security article CISO warning: “Russian actions bypassed 2FA” – what happened and how to avoid it, cyber criminals can highjack one or more accounts on a cloud server and access corporate files, including backups.

Protect your backups

Backups that are not encrypted could be compromised, allowing attackers with the ability to both read the data in the backup and/or inject malware into the backup so that if the organization’s servers are later compromised, the backup would re-infect the servers when the backup is restored.

Having encrypted backups is not only a best practice for cybersecurity but one of the 12 keystone security controls the cyber insurance firm Marsh McLennan Agency lists as a top five security control required to qualify for obtaining cyber insurance. Encrypted backups rank right up at the top of the list of essential controls along with multifactor authentication, endpoint detection and response, privileged access management, and email filtering and web security.

Backup products that monitor for anomalies in access and data patterns can be used to identify potential malware on the system, including ransomware attacks. Integrating the server backups with existing security information and event management (SIEM) software or security orchestration, automation and response (SOAR) applications could help the IT security team identify system aberrations that could alert the team to a potential system compromise.

Plan for an attack

Creating a backup strategy that anticipates an attack can provide the organization backing up their data with an edge. Let us assume that the servers being backed up are running a version of Windows, be it for workstations (Windows 10 or 11, for example) or a Windows Server version. If the organization is primarily a Windows-centric enterprise, then an appropriate backup system would be running Linux and storing the resultant backup on a Linux system not connected to the corporate network.

While this approach is not foolproof, it will eliminate a sizeable percentage of attacks designed for Windows-based networks.

Selecting the right off-site storage environment can have a significant impact on the restore rime required for a backup. If you choose to have a hot site as a backup — a site that exactly mirrors the existing network so if the primary network fails, there is a duplicate ready to take its place — consider putting some distance between the two sites.

After a major hurricane hit Florida in the early 2000s, one company was forced offline for several weeks because its hot site was located just a few miles away. Flooding not only damaged the company’s primary data center but also the backup. Similar occurrences were reported after the felling of the two World Trade Center towers. A major data center was located below one of the towers. Companies in the towers that used the data center as their hot backup not only lost everything in their offices, but also all their backups when the data center was buried under tons of debris.

A better option is to select a location perhaps a hundred or more miles away. While there will be lag time between writing data to a local disk and writing that same data to the hot backup, the physical separation eliminates any potential carry-over effect from a disaster, natural such as flooding from a hurricane or fire damage from a massive forest fire. Rarely does a natural disaster impact facilities a hundred or more miles apart, although that could happen if the facilities are long natural disaster lines, such as common paths for hurricanes on the east coast.

Protecting backups from being compromised, intercepted, or damaged is an essential task of an organization’s cybersecurity team. With World Backup Day right around the corner, security teams should re-double their efforts to ensure every backup is safe, secure, encrypted and stored in multiple locations, including at least one location far from the source servers.

Latest Posts