
What’s Wrong with Storage and Backup Ransomware Protection Capabilities?

Storage is becoming a prime target of cybercriminals as they attempt to infiltrate the enterprise.

Faced with a wall of perimeter defenses, security safeguards, and well-patched operating systems and applications, storage and backup systems are now front and center in the fight against ransomware.

Why? It turns out that backup vulnerabilities and storage misconfigurations are handing hackers a relatively easy passage into organizations. From there, they can cripple backups, lock users out of systems, and hold the organization to ransom.

Existing Solutions to Ransomware

Due to the ransomware scourge, the backup and storage vendor community has responded with a great many potential solutions.

Ransomware protection

Various kinds of ransomware protection capabilities have been developed for backup systems. These include:

  • The use of artificial intelligence (AI) to detect ransomware by monitoring data usage patterns for unusual activity such as file name or extension changes, data transfers, or permission updates
  • Alerts about potentially threatening user behavior or known-bad file signatures
  • Detection of large-scale file content alteration or deletion
  • Anomaly detection that identifies configuration changes in backup environments

All of these are worthwhile, yet ransomware attacks continue.

Immutable storage

Immutable backups are a great idea. Once backed up, the data is fixed and unchangeable. It can never be deleted. Organizations gain an always recoverable and secure backup despite unforeseen events such as ransomware.

Yet many organizations fail to configure immutable backups properly – possibly the result of insufficient understanding of the technology and its limitations – allowing adversaries to compromise their backups.

For example, immutable backups should be configured with a “retention lock” – a parameter that prevents their deletion for a minimum period of time (say, “X” years) – even if the backup pools that store them fill up. If retention lock is not configured, a hacker can attack backups by modifying large amounts of data, quickly filling the backup pools and causing all existing backups to be deleted to free up space. Even when retention lock is enabled, care must be taken to make sure hackers can’t fool the backup devices into believing that time is passing more quickly than intended (“time zapping” attacks, where the attacker manipulates an insufficiently secured time-sync configuration to trick the storage devices into thinking that “X” years have passed).
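As an added illustration (not code from the post or from Continuity), the following Python model shows how a retention lock changes what a full backup pool is allowed to evict, and why the clock that lock expiry is measured against needs a plausibility check against sudden jumps. The pool size, backup names and the one-day maximum clock step are constructed values.

```python
"""Constructed model of a fixed-capacity backup pool with an optional retention lock."""

MAX_CLOCK_STEP_S = 24 * 3600   # constructed policy: reject time updates that jump more than a day


class Backup:
    def __init__(self, name, size_gb, created_s):
        self.name, self.size_gb, self.created_s = name, size_gb, created_s


class BackupPool:
    def __init__(self, capacity_gb, retention_lock_s=0):
        self.capacity_gb = capacity_gb
        self.retention_lock_s = retention_lock_s   # 0 means no retention lock configured
        self.now_s = 0                             # the pool's trusted clock, seconds
        self.backups, self.evicted = [], []

    def used_gb(self):
        return sum(b.size_gb for b in self.backups)

    def is_locked(self, backup):
        """A copy stays locked until the retention period has elapsed on the pool's clock."""
        return self.now_s - backup.created_s < self.retention_lock_s

    def advance_clock(self, new_time_s):
        """Accept a time update only if it moves forward by a plausible step (anti time-zapping)."""
        step = new_time_s - self.now_s
        if step < 0 or step > MAX_CLOCK_STEP_S:
            raise ValueError(f"suspicious clock step of {step}s rejected")
        self.now_s = new_time_s

    def write(self, backup):
        """Store a backup; to make room, evict only copies whose retention lock has expired."""
        while self.used_gb() + backup.size_gb > self.capacity_gb:
            unlocked = [b for b in self.backups if not self.is_locked(b)]
            if not unlocked:
                raise RuntimeError("pool full and every existing copy is retention-locked")
            oldest = min(unlocked, key=lambda b: b.created_s)
            self.backups.remove(oldest)
            self.evicted.append(oldest.name)
        self.backups.append(backup)


def flood_scenario(retention_lock_s):
    """Two good 40 GB backups, then an attacker-inflated 90 GB one, against a 100 GB pool."""
    pool = BackupPool(capacity_gb=100, retention_lock_s=retention_lock_s)
    pool.write(Backup("good-monday", 40, created_s=0))
    pool.write(Backup("good-tuesday", 40, created_s=0))
    try:
        pool.write(Backup("inflated-wednesday", 90, created_s=0))
        return "flooded", pool.evicted          # unlocked pool: good copies were pushed out
    except RuntimeError:
        return "refused", pool.evicted          # locked pool: the inflated write is rejected instead


def clock_update_accepted(pool, new_time_s):
    """True if the pool accepts the time update, False if it is rejected as a suspicious jump."""
    try:
        pool.advance_clock(new_time_s)
        return True
    except ValueError:
        return False
```

Without a lock the flood evicts both good copies; with a 30-day lock the pool refuses the write, and a clock update claiming a year has passed is rejected rather than unlocking them.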

Another threat is “data poisoning”. If cybercriminals can access backup systems, they can tamper with backup jobs, poison data before it is immutably backed up, and render it useless when it comes to recovery. If they manage to keep the attack running unnoticed for a sufficiently long time (say, several months) and then launch a ransomware attack, organizations are left with no clean, current backups to restore from.

But there are other errors that can contribute to backup challenges. Too many times, organizations don’t find time to test backups to ensure their systems are recoverable. It is also common for them to fail to log unauthorized entries into backup and storage systems. Thus, they don’t spot compromised backup jobs. To make matters worse, some organizations purchase immutability features and then either don’t activate the necessary licenses, or don’t turn on the retention lock feature.

Snapshots & replication

These are sensible mechanisms for data protection: a complete storage hardware-level copy of the data is made at certain points of the day (snapshots), or the data at one location is replicated entirely to another location. Very often, such copies are not secured and isolated well enough. For example, a server admin role should not be allowed to manipulate storage copies – but many organizations fail to observe this best practice. This allows hackers who gain access to servers to also delete the storage-based copies of those servers. If the data being snapshotted or replicated is corrupted, recovery won’t be possible.

Air-gapped and offline copies

Air gapping is a great way to safeguard data. You retain a copy of the data in an environment that is completely inaccessible from your network (and from the Internet, for that matter), or offline (i.e., not connected to your compute devices, or completely powered off).

A time-tested way to do this is via tapes that are either physically removed from the network or sit offline in a safe. There are cloud and disk-based systems, too, that claim air-gap capabilities. However, such systems are almost never fully offline. There is always a danger that a misconfiguration, vulnerability or human error will expose the data to the network – or allow hackers to interfere with the data unnoticed.

Filling the Gap

Comprehensive vulnerability management ensures you have “eyes & ears” on your storage & backup environments at all times. This prevents cybercriminals from leveraging security misconfigurations and vulnerabilities to penetrate storage and backup systems. Traditional vulnerability management systems focus mostly on OSes and software. They don’t do a good job of spotting storage and backup risks.

The automated risk detection engines within Continuity’s StorageGuard check for thousands of possible security misconfigurations and vulnerabilities at the storage system and backup system level that might pose a security threat to enterprise data.

StorageGuard analyzes block, object, and IP storage systems, SAN/NAS, storage management servers, storage appliances, virtual SAN, storage networking switches, data protection appliances, backup systems, storage virtualization systems, and other storage devices.

StorageGuard divides these security risks into four main categories, and scans all backup and storage systems for each of them:

  • Violations of vendor security configuration guidelines
  • Violations of compliance framework requirements (CIS, NIST, PCI DSS and others)
  • Identified storage Common Vulnerabilities & Exposures (CVEs)
  • Deviations from community-driven best practices

Find out today how many potential backup vulnerabilities and storage misconfigurations are present in your environment.

The post What’s Wrong with Storage and Backup Ransomware Protection Capabilities? appeared first on Continuity™.

*** This is a Security Bloggers Network syndicated blog from Continuity™ authored by Doron Pinhas. Read the original post at: https://www.continuitysoftware.com/blog/whats-wrong-with-storage-and-backup-ransomware-protection-capabilities/


Doron Pinhas

Doron Pinhas is the chief technology officer of Continuity, the first dedicated storage and backup security provider. He has extensive experience in IT datacenter architecture at scale and is the co-author of the National Institute of Standards and Technology (NIST) Security Guidelines for Storage Infrastructure.
