What’s wrong with storage and backup ransomware protection capabilities?


Storage becomes a prime target for cybercriminals as they attempt to infiltrate the enterprise.

Faced with a wall of perimeter defenses, security measures, and well-patched operating systems and applications, storage and backup systems are now at the heart of the fight against ransomware.

Why? It turns out that backup vulnerabilities and poor storage configurations give hackers a relatively easy passage through organizations. From there, they can cripple backups, lock users out of systems, and demand ransom from the organization.

Existing Ransomware Solutions

Due to the scourge of ransomware, the backup and storage vendor community has responded with a slew of potential solutions.

Ransomware Protection

Different types of ransomware protection capabilities have been developed for backup systems. These include:

  • Using artificial intelligence (AI) to detect ransomware by monitoring data usage patterns for unusual activity such as file name or extension changes, data transfers or permission updates
  • Alerts on potentially threatening user behavior or known file signatures
  • Detection of large-scale modification or deletion of file contents
  • Anomaly detection that can identify configuration changes in backup environments

All of this is worthwhile, but ransomware attacks continue.

Immutable storage

Immutable backups are a great idea. Once saved, the data is fixed and cannot be modified. It can never be deleted. Organizations benefit from a backup that is always recoverable and secure despite unforeseen events such as ransomware.

Yet many organizations fail to properly configure immutable backups, perhaps due to insufficient understanding of the technology and its limitations. This allows adversaries to compromise the safeguard.

For example, immutable backups should be configured with a “retention lock”: a setting that prevents their deletion for a minimum period of time (e.g. “X” years), even if the backup pools storing them fill up. If the retention lock is not configured, an attacker can attack the backup by modifying large amounts of data, quickly filling up the backup pools and causing all existing backups to be deleted to free up space. Even when retention locking is enabled, care should be taken to ensure that attackers cannot trick backup devices into believing that time is passing faster than it really is (“time zapping” attacks, where the attacker manipulates an insufficiently secured time synchronization configuration to make the storage device believe that “X” years have passed).
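The two failure modes above (a full pool silently purging backups when no retention lock is configured, and a time source that can be jumped forward to expire locks) are easier to reason about with a small model. The following is an added example, not code from the original post or from any Continuity product; the pool, its capacity, the one-day maximum clock step and the backup names are all constructed for illustration.

```python
DAY = 86400

class RetentionLockError(Exception): """Operation refused by the retention lock or the clock guard."""

class ImmutablePool:
    """Constructed model of a backup pool with a retention lock and a
    plausibility check on time updates (the "time zapping" case above)."""

    def __init__(self, capacity, retention_seconds, now=0, max_clock_jump=DAY):
        self.capacity = capacity            # bytes the pool can hold
        self.retention = retention_seconds  # 0 models "retention lock not configured"
        self.clock = now                    # last accepted time, epoch seconds
        self.max_jump = max_clock_jump      # largest forward step accepted per update
        self.backups = {}                   # name -> (size, locked_until)

    def used(self):
        return sum(size for size, _ in self.backups.values())
    def is_locked(self, name):
        return self.backups[name][1] > self.clock

    def advance_clock(self, new_time):
        """Accept a time update only if it moves forward by a plausible step;
        a jump of years in one update is treated as tampering and refused."""
        if new_time < self.clock or new_time - self.clock > self.max_jump:
            raise RetentionLockError("implausible clock update refused")
        self.clock = new_time

    def delete(self, name):
        if self.is_locked(name):
            raise RetentionLockError(f"{name} is retention-locked")
        del self.backups[name]

    def store(self, name, size):
        """Write a backup. When the pool is full, only backups whose lock has
        expired are purged (oldest first); locked backups are never evicted."""
        for old in sorted(self.backups, key=lambda n: self.backups[n][1]):
            if self.used() + size <= self.capacity:
                break
            if not self.is_locked(old):
                del self.backups[old]
        if self.used() + size > self.capacity:
            raise RetentionLockError("pool full and remaining backups are locked")
        self.backups[name] = (size, self.clock + self.retention)
        return sorted(self.backups)

def refused(action, *args):  # True if the pool refused the action
    try:
        action(*args)
        return False
    except RetentionLockError:
        return True
```

With `retention_seconds=0` the model reproduces the pool-filling problem described above: the third write evicts the oldest backup instead of failing, which is exactly what a retention lock is there to prevent.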

Another threat is “data poisoning”. If cybercriminals can access backup systems, they can tamper with backup jobs, poison data before it is immutably backed up, and render it useless in recovery. If they manage to keep the attack unnoticed for long enough (e.g., several months) and then launch a ransomware attack, organizations are left with no current backups to restore from.

But there are other errors that can contribute to backup issues. Too often companies don’t find the time to test backups to ensure their systems are recoverable. It is also common for them to fail to log unauthorized entries into backup and storage systems. Thus, they do not spot compromised backup jobs. To make matters worse, some organizations buy immutability features and then don’t activate the necessary licenses or enable the retention lock feature.
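Spotting a compromised backup job, as the paragraph above and the “data poisoning” case before it describe, comes down to noticing that a job definition changed in a way that weakens protection. The following is an added example, not code from the original post or from any backup product: it compares a set of job definitions against an approved baseline and reports weakening changes. The job names, the configuration keys and both job sets are constructed for illustration.

```python
import hashlib
import json

# Keys whose change can weaken protection, each with the direction that is risky.
RISKY = {
    "immutable": lambda old, new: old and not new,
    "retention_days": lambda old, new: new < old,
    "enabled": lambda old, new: old and not new,
    "exclude_paths": lambda old, new: not set(new) <= set(old),
    "destination": lambda old, new: old != new,
}

def fingerprint(jobs):
    """Stable hash of a job set, recorded when the configuration was approved."""
    return hashlib.sha256(json.dumps(jobs, sort_keys=True).encode()).hexdigest()

def audit_jobs(baseline, current):
    """Compare current backup job definitions with the approved baseline and
    return (job, finding) pairs for weakening changes, deleted and unknown jobs."""
    findings = []
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings.append((name, "job deleted"))
            continue
        for key, weakens in RISKY.items():
            if key in old and key in new and weakens(old[key], new[key]):
                findings.append((name, f"{key}: {old[key]!r} -> {new[key]!r}"))
    for name in current.keys() - baseline.keys():
        findings.append((name, "job not in approved baseline"))
    return findings

# Constructed sample: the approved baseline and a later snapshot of the jobs.
BASELINE = {
    "db-nightly": {"enabled": True, "immutable": True, "retention_days": 90,
                   "exclude_paths": ["/tmp"], "destination": "vault-a"},
    "files-hourly": {"enabled": True, "immutable": True, "retention_days": 30,
                     "exclude_paths": [], "destination": "vault-a"},
}
CURRENT = {
    "db-nightly": {"enabled": True, "immutable": False, "retention_days": 7,
                   "exclude_paths": ["/tmp", "/var/lib/db"], "destination": "vault-a"},
    "files-hourly": {"enabled": True, "immutable": True, "retention_days": 30,
                     "exclude_paths": [], "destination": "vault-a"},
    "scratch": {"enabled": True, "immutable": False, "retention_days": 1,
                "exclude_paths": [], "destination": "vault-b"},
}
```

Run periodically against an exported job list and logged alongside the administrative audit trail, a non-empty result is the signal the paragraph says most organizations never see.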

Snapshots and replication

These are sensible mechanisms for data protection: a full copy of the data is made at the storage hardware level at certain times of the day (snapshots), or data from one location is fully replicated to another location. Very often, these copies are not sufficiently secured and isolated. For example, a server administrator role should not be allowed to manipulate storage copies, but many organizations violate this best practice. This allows attackers who gain access to servers to delete their storage-based copies as well. If the data being snapshotted or replicated is already corrupt, recovery will not be possible.

Isolated and offline copies

Air gapping is a great way to protect data. You keep a copy of the data in an environment that is completely inaccessible from your network (and from the Internet, for that matter), or offline (i.e. not connected to your computing devices, or completely powered off).

A proven way to do this is to use tapes that are physically removed from the network or left offline in a vault. There are also cloud-based and disk-based systems that claim air-gap capabilities. However, these systems are almost never completely offline. There is always a risk that a misconfiguration, vulnerability, or human error could expose the data to the network, or allow attackers to interfere with the data unnoticed.

Filling the gap

Comprehensive vulnerability management ensures you have “eyes and ears” on your storage and backup environments at all times. This prevents cybercriminals from exploiting these misconfigurations and security vulnerabilities to break into storage and backup systems. Traditional vulnerability management systems focus primarily on operating systems and software. They don’t do a good job of spotting storage and backup risks.

Continuity’s StorageGuard automated risk detection engines scan for thousands of possible misconfigurations and security vulnerabilities in storage and backup systems that could pose a threat to corporate data security.

StorageGuard scans block, object, and IP storage systems, SAN/NAS, storage management servers, storage appliances, virtual SANs, storage area network switches, data protection appliances, backup systems, storage virtualization systems and other storage devices.

StorageGuard divides these security risks into four main categories and scans all backup and storage systems to detect them all:

  • Violations of vendor security configuration guidelines
  • Violation of compliance framework requirements (CIS, NIST, PCI DSS and others)
  • Identified Storage Common Vulnerabilities and Exposures (CVE)
  • Deviation from community best practices

Discover today how many potential backup vulnerabilities and storage misconfigurations are present in your environment.

The post What’s wrong with storage and backup ransomware protection capabilities? appeared first on Continuity™.

*** This is a syndicated blog from the Security Bloggers Network of Continuity™ written by Doron Pinhas. Read the original post at: https://www.continuitysoftware.com/blog/whats-wrong-with-storage-and-backup-ransomware-protection-capabilities/
