Disaster Recovery as a Response to Ransomware
Ransomware became a billion-dollar business in 2016, and the criminals behind it have increasingly put companies of all sizes in their crosshairs. Ransomware is malware that locks a victim's computer or encrypts an organization's files and databases, with the attackers promising to release them on payment of a ransom, usually in bitcoin or another cryptocurrency that is hard to trace back to a person.
While the FBI recommends against paying, companies have reportedly become so concerned about the threat that many now buy cryptocurrency in advance specifically to pay criminals if attacked. The most likely reason is to avoid the potentially large costs and risks of not paying: temporary or permanent loss of data, disruption of operations, the cost of restoring systems and files, and harm to the institution's reputation should word of the attack become public. Paying is no guarantee of recovery, either: the decryption key may never arrive, or may not work on every file.
Large companies have generally implemented technical controls to contain a ransomware attack before it escalates to crisis level. Smaller companies may not be able to spend as much on technology, people and processes, but many can afford cloud-based Disaster Recovery as a Service (DRaaS) to back up their data as part of a complete Business Continuity/Disaster Recovery (BC/DR) solution.
In Case of Attack, You Only Have Your Backup
Companies should, of course, take every preventive measure available to secure their systems and data against malware. Current best practices include employee education, anti-virus software, content scanning and filtering on email servers, limiting write access to mapped network drives (ransomware encrypts whatever the infected user's account can write to, so least privilege directly limits the blast radius), and endpoint security. Together these measures reduce, though do not eliminate, the likelihood of a successful ransomware attack.
Still, as Gartner reported in 2016 [1], "the primary defense for ransomware infections (and potentially future coordinated attacks) is backup. In these types of attacks, the hacker may have compromised or encrypted your production data; therefore, you only have your backups to revert to."
In other words, after a ransomware attack you can take the infected systems offline, go back to your last known clean copy, restore from it and be back in business without paying, provided the backup itself was out of the malware's reach. The FBI, the ABA, Gartner and practically everyone else in cybersecurity recommend backing up important data at least daily.
How DRaaS Can Help You Fight Ransomware
If losing up to a day's worth of constantly changing transaction data is unacceptable to your company, you will want to contract for a shorter recovery point objective (RPO) with your DRaaS provider. RPO is the maximum amount of data loss, measured in time, that you can tolerate: an RPO of 15 minutes means the most recent usable backup must never be more than 15 minutes old, so a restore loses at most 15 minutes of work. Ransomware adds a twist: you must roll back to a point taken before the infection, not simply to the most recent backup, so what you lose is everything between the last clean point and the moment the attacker struck. You would notify the provider of the attack, declare a disaster to put your BC/DR plan into action, and count on there being a sufficiently recent uninfected backup from which to restore and resume operations. Your company could even run the backup as production in the cloud until the primary datacenter is known to be clean.
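To make the RPO arithmetic concrete for the ransomware case, here is an added Python example (not code from the page or from any DRaaS product). It picks the newest restore point that was verified clean and taken before the compromise, with a safety margin in case the intrusion started earlier than the logs show, and reports whether the resulting data loss fits the contracted RPO. The catalog, the timestamps and the one-hour margin are constructed assumptions; a real catalog would come from the backup software's API.

```python
"""Pick the last known-clean restore point after a ransomware attack and check
it against the contracted RPO.

Added example, not code from the page or any DRaaS provider. The catalog and
timestamps below are constructed; a real catalog would come from the backup
software's API."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime
    verified_clean: bool  # True only if a sandbox restore plus malware scan passed


def choose_restore_point(
    catalog: List[RestorePoint],
    first_compromise: datetime,
    rpo: timedelta,
    safety_margin: timedelta = timedelta(hours=1),
) -> Tuple[Optional[RestorePoint], Optional[timedelta], bool]:
    """Return (point, data_loss, within_rpo).

    point       newest verified-clean point taken before the compromise minus a
                safety margin, in case the intrusion began earlier than the logs
                show (None if no such point exists)
    data_loss   work lost by rolling back: measured from the point to the
                compromise, not to the moment the attack was noticed
    within_rpo  whether that loss is inside the contracted RPO
    """
    cutoff = first_compromise - safety_margin
    candidates = [p for p in catalog if p.verified_clean and p.taken_at <= cutoff]
    if not candidates:
        return None, None, False
    point = max(candidates, key=lambda p: p.taken_at)
    data_loss = first_compromise - point.taken_at
    return point, data_loss, data_loss <= rpo


def _hourly(day: datetime, hour: int, clean: bool = True) -> RestorePoint:
    return RestorePoint(day.replace(hour=hour), clean)


_DAY = datetime(2017, 3, 1)
# Constructed catalog: hourly points. 11:00 failed its sandbox restore test;
# 13:00 and 14:00 were taken after the attack began and contain encrypted files.
SAMPLE_CATALOG = [_hourly(_DAY, h, clean=h not in (11, 13, 14)) for h in range(0, 15)]
# Constructed incident timeline: first encrypted file written at 13:05, alert at 14:30.
FIRST_COMPROMISE = datetime(2017, 3, 1, 13, 5)


def demo(rpo_hours: float = 4, first_compromise: datetime = FIRST_COMPROMISE) -> dict:
    """Run the selection against the constructed catalog; returns plain values."""
    point, loss, ok = choose_restore_point(
        SAMPLE_CATALOG, first_compromise, timedelta(hours=rpo_hours)
    )
    return {
        "restore_point": point.taken_at.isoformat() if point else None,
        "data_loss_minutes": int(loss.total_seconds() // 60) if loss else None,
        "within_rpo": ok,
    }


if __name__ == "__main__":
    print(demo(4))  # restore to 12:00, lose 65 minutes of work, inside a 4 h RPO
    print(demo(1))  # same point, but a 1 h RPO is blown: renegotiate or back up more often
```

Note that the point chosen is not the newest backup: 13:00 and 14:00 exist but already contain encrypted files, and 12:00 is the newest one outside the safety margin. Shortening the RPO only helps if the backups inside that window are also verified clean.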
Frequent testing, which every good DRaaS provider should allow, lets you load a backup into an isolated sandbox to verify its integrity (the files restore, they are not encrypted, and no malware comes back with them) and confirms that you can recover successfully when a ransomware attack does occur.
Assuring the integrity of backups requires its own best practices. Organizations should follow the 3-2-1 rule: three copies of data, on two different media, with one copy offsite, preferably stored on systems disconnected from the production environment (ransomware that can reach a backup share will encrypt it along with everything else). For additional safety, the DR provider should in turn keep multiple copies of the data.
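The following is an added Python example for the sandbox verification and the 3-2-1 rule described above; it is not code from the page or from any provider. It compares a restored backup set against a SHA-256 manifest recorded at backup time, flags files whose content looks encrypted (high byte entropy, the usual tell for ransomware output) or carries a typical ransomware extension, and checks a copy inventory against 3-2-1. The files, the ransom note and the copy inventory are constructed; the entropy threshold and extension list are assumptions a practitioner would tune.

```python
"""Verify a backup set in a sandbox before trusting it as a restore source, and
check a copy inventory against the 3-2-1 rule.

Added example, not code from the page or any DRaaS provider. The files and copy
inventory below are constructed stand-ins for a real backup set."""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Assumed list of extensions ransomware families commonly append; tune per threat intel.
SUSPECT_SUFFIXES = (".locked", ".encrypted", ".crypt", ".enc")


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per file, computed at backup time and stored with the offline
    copy, so malware on production cannot rewrite it along with the data."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Plain text sits around 4-5; encrypted or compressed
    data approaches 8, which is the tell for a ransomware-encrypted file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(files: Dict[str, bytes], manifest: Dict[str, str],
                  entropy_threshold: float = 7.5) -> dict:
    """Compare a restored backup against its manifest. Any finding means this
    set is not a safe restore point and the next older one should be checked."""
    current = build_manifest(files)
    missing = sorted(n for n in manifest if n not in current)
    unexpected = sorted(n for n in current if n not in manifest)  # e.g. ransom notes
    modified = sorted(n for n in manifest if n in current and current[n] != manifest[n])
    high_entropy = sorted(n for n, d in files.items() if shannon_entropy(d) >= entropy_threshold)
    suspect_names = sorted(n for n in files if n.lower().endswith(SUSPECT_SUFFIXES))
    ok = not (missing or unexpected or modified or high_entropy or suspect_names)
    return {"ok": ok, "missing": missing, "unexpected": unexpected, "modified": modified,
            "high_entropy": high_entropy, "suspect_names": suspect_names}


def satisfies_3_2_1(copies: List[Tuple[str, bool, bool]], require_offline: bool = True) -> bool:
    """copies: (medium, offsite, offline). Three copies, two media, one offsite;
    the page's 'preferably disconnected' is enforced when require_offline is True."""
    media = {m for m, _, _ in copies}
    has_offsite = any(offsite for _, offsite, _ in copies)
    has_offline = any(offline for _, _, offline in copies)
    return len(copies) >= 3 and len(media) >= 2 and has_offsite and (has_offline or not require_offline)


# Constructed known-good files and the manifest taken from them at backup time.
GOOD_FILES = {
    "ledger/2017-02.csv": b"date,account,amount\n2017-02-01,1001,250.00\n" * 20,
    "ledger/2017-03.csv": b"date,account,amount\n2017-03-01,1002,75.50\n" * 20,
    "reports/q1.txt": b"Quarterly summary: all accounts reconciled.\n" * 10,
}
MANIFEST = build_manifest(GOOD_FILES)

# Constructed backup taken after the attack began: one ledger renamed and
# replaced with encrypted-looking bytes, plus a ransom note dropped alongside.
RANSOMED_FILES = dict(GOOD_FILES)
del RANSOMED_FILES["ledger/2017-03.csv"]
RANSOMED_FILES["ledger/2017-03.csv.locked"] = bytes(range(256)) * 4  # entropy exactly 8.0
RANSOMED_FILES["README_DECRYPT.txt"] = b"Your files are encrypted. Pay 2 BTC.\n"

# Constructed copy inventories: production disk, a mapped NAS share, the DRaaS copy.
COPIES_WEAK = [("disk", False, False), ("nas-share", False, False), ("cloud-draas", True, False)]
COPIES_GOOD = [("disk", False, False), ("nas-share", False, False), ("cloud-draas", True, True)]

if __name__ == "__main__":
    print(verify_backup(GOOD_FILES, MANIFEST)["ok"])  # True: safe restore point
    print(verify_backup(RANSOMED_FILES, MANIFEST))    # ok False, with the reasons listed
    print(satisfies_3_2_1(COPIES_WEAK), satisfies_3_2_1(COPIES_GOOD))  # False True
```

The manifest only proves anything if it was written somewhere the attacker could not also rewrite, which is the same reason the offline copy matters in the 3-2-1 rule. The entropy check is a heuristic: legitimately compressed or encrypted files (archives, PDFs with embedded images, encrypted databases) will also score high, so treat hits as items to inspect, not as proof.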
Choosing the Right Provider
While protecting a company's own systems, networks, devices, applications and data against infection remains the company's responsibility, DR providers can raise customers' security by using backup technologies that incorporate anti-malware and anti-ransomware safeguards, or that are designed to reduce the risk of the backups themselves being infected. Veeam Cloud Connect is one technology used by DRaaS providers with such a design: its "out-of-band" approach moves data to and from the cloud repository over a dedicated secure channel rather than exposing the repository as a network share that malware on a client could reach, and it offers encryption of data at rest.
In evaluating a DRaaS provider's ability to protect you against ransomware, look for this backup technology or for solutions with similar capabilities.
Beyond that, ask what precautions the provider has in place to keep its own systems, and your backed-up data, from being infected with ransomware. A provider should be running current versions of leading anti-virus, vulnerability scanning, intrusion detection and prevention, log management, and security information and event management (SIEM) tools from vendors such as McAfee, Alert Logic, Symantec and CommVault, among others.
Do not merely take a provider's word for it. Ask to see third-party attestations and certifications showing that the provider actually operates technical and procedural safeguards that meet stringent industry and government information security standards, such as SSAE 16 SOC 2, the Payment Card Industry Data Security Standard (PCI DSS; ask for an assessment against the version currently in force, since older versions such as 2.0 have been retired), FISMA and FedRAMP, and check that the scope of each report actually covers the backup and recovery service you are buying. Ask for certification that the provider's facility meets Uptime Institute Tier III standards for concurrent maintainability, meaning there is enough redundancy that any element of the physical plant can be taken offline for maintenance with no impact on your contracted backup and recovery services.
Analysts, media and cybersecurity experts have called 2016 the year of ransomware, and attacks could well reach record levels in 2017. Companies need to do all they can to implement the physical, technical and administrative precautions that safeguard their data against this threat and to comply with all relevant security requirements. A qualified DRaaS provider can help defend against and recover from ransomware attacks by providing the services, systems and technologies that keep your backups secure, along with the capacity and support for a successful recovery.
Source: [1] Roberta J. Witty, John P. Morency, Rob McMillan and Robert Rhame, "Prepare for and Respond to a Business Disruption After an Aggressive Cyberattack", Gartner, April 1, 2016.