The report also stated that ransomware continues to top the attack category list, representing 38% of cyber intrusion events. In May, a ransomware attack on the largest fuel pipeline in the U.S. shut down 40% of the U.S. East Coast’s fuel supply and was labeled a national emergency.
Ransomware will generally withhold access to data or an entire system until a ransom fee is paid. Generally this is achieved by encrypting drives, in addition to changing system passwords and permissions.
However, paying the ransom fee is no guarantee that your attacker will honour their side of the transaction. It also reinforces the profitability of such attacks, and may increase your likelihood of being targeted again. Major security organisations, including the FBI and the Australian Signals Directorate, do not recommend paying ransomware demands for these very reasons.
Security software is an important piece of the puzzle. But there is no such thing as a completely secure system.
Still, there’s no reason to get fatalistic about it – individuals and organisations should still take preventative actions to greatly reduce their risk. For those who fall victim to ransomware, there are grassroots community efforts such as No More Ransom to turn to, which offer free tools to assist those impacted by ransomware.
There is of course, no guarantee that a decryption tool will get your data back in one piece. But with a sound backup and disaster recovery plan, you might not even need them.
#1 – Maintain a register for tracking vendor vulnerabilities
Your solution is only as secure as the weakest link in your supply chain. Create a vendor product register with zero trust principles front and centre.
- Is the software you use auditable? Does it rely on a mixture of vendor and third party code? If so, does your vendor review and test this third party code and monitor it for security risks?
- Can your hardware vendors provide a forensic chain of accountability for what components were made in which factories? Hardware trojans will go completely under the radar of your security software, so it’s important that you have insight over both aspects of your solution.
By creating and maintaining a detailed register of your software and hardware products, you will be better equipped to quickly respond to news of a compromised component before it impacts on your own organisation. Hopefully, you won’t need to create this from scratch – instead, extend your organisation’s asset register to track as much of this information as possible.
Secure provenance and the zero trust approach is something we take very seriously at SoftIron. As a full stack manufacturer, we have authorship, ownership and total responsibility for all code that goes on our appliances. Any code we don’t write we read line by line – we know every single instruction and why it needs to be there. SoftIron will never install a binary file without taking it back to the source code for a forensic check. And all manufacturing, including surface-mount assembly, is done in-house.
#2 – Follow the 3-2-1 rule for backups
The 3-2-1 rule is simple, but very effective.
- Maintain three copies of your data
- On two different types of media
- With one copy off site
Having at least one copy offsite can be particularly invaluable when a network is compromised by malware. Its physical separation reduces the likelihood of being exposed to the malware before the intrusion is detected, allowing restoration of your critical data from a ‘clean’ copy.
Of course, if malware lurks undetected for some time in a system, it may be included with your backups as well. Deciding how to handle this is a matter of balance. You might choose to maintain a number of historical snapshots of your data over time, so that you can restore part or all of it from months earlier if need be. Or you might decide to increase investment in security monitoring software and business practices that increase your chance of detecting an intrusion early.
Another way to avoid your most critical backups from being tainted by malware is to implement data immutability on your backups. SoftIron support for data immutability (also known as S3 Object lock) provides WORM (write once, ready many) capability that also provides protection from ransomware attacks by “locking” a known data set from change. Combine this with a data protection technology such as Veeam to fulfill the ‘two different media’ part of the 3-2-1 rule.
In our eBook, Veeam + HyperDrive® Quick Start Guide for Scale-Out Repository, we provide a straightforward, illustrated guide to implementing a scale-out backup repository with SoftIron and Veeam.
# 3 – Have systems in place to check and maintain the integrity of your backup data
Avoid the heartbreak of restoring from backup only to discover your copies are corrupted and completely unusable, by having systems in place to ensure data remains pristine and free from bit-rot.
Avoiding bit rot (where the ‘0’s and ‘1’s flip in parts of your data due to brief non-critical storage media hiccups) is partially addressed with the 3-2-1 rule; the more copies of your data, and the more locations it is stored in, the less likely all copies will be corrupted at the same time.
However, particularly if you count your production data as one of the copies of your 3-2-1 implementation, we recommend implementing additional ways to maintain your data integrity.
Ceph, which offers unified object, block and file storage and space-saving erasure coding replication options, offers inbuilt protection against bit rot through ‘data scrubs’. Schedule normal scrubs to catch OSD (Ceph’s storage daemons) errors and issues within the file system, and deep scrubs to do a bit-for-bit comparison of your replicated data to detect errors (the latter is I/O intensive, so keep that in mind when planning your scrub schedule).
Combine these with the easy-to-use cluster health monitoring features of SoftIron HyperDrive Storage Manager to ensure your backups stay intact and usable for when you need them most.
# 4 – Reduce single points of failure at every step of your backup solution
If you have five copies of your most critical data, but it all becomes unavailable at once, it’s no different than if you’d been maintaining a single copy. Whether that single point of failure is a power supply, a network connection, or a storage device, in the end, it’s just as critical as maintaining an adequate number of copies of your data.
Yes, this is another extension of the 3-2-1 rule: one that prioritises data availability along with its durability. Maintaining an off site copy and using two or more storage media is a start, but when downtime is not negotiable, be sure that your backups will remain available.
This can be achieved with more than a single off site backup location, hardware fault monitoring, and planning for performance bottlenecks that could occur should a failure domain become unavailable.
This is where Ceph can again make your life easier. Ceph’s CRUSH (Controlled Replication Under Scalable Hashing) map allows for complete configuration of where data is replicated – at the site, rack, device, and even storage drive level. Ceph uses the CRUSH rules to automatically back up data across failure domains, and will immediately respond to the absence of a lost storage location – again, whether it is a storage drive, device, rack or entire data centre – by re-distributing the replicated data stored in the failed site to the remaining available storage locations.
Add to the mix HyperDrive Storage Manager, which enables administrators to quickly identify drive and device failures, and SoftIron’s patented ‘Ceph’ button that enables on-the-fly replacement of faulty drives without a dip in cluster performance, and you have a strong foundation for a failure-resilient cluster.
#5 – Ensure you know the true cost and duration involved with restoring from backups
We’ve focused on ways to ensure your backups are auditable, intact and available, but one other aspect of preparing your backup and disaster recovery solution against cyber attacks remains: that tricky ‘recovery’ aspect.
Depending on how you have chosen to implement your backup solution, the time it will take to restore from backup (and the potential expenses) can vary considerably. It’s for this reason that your backup testing plan not only involves the how, but also the how long, and how much.
As a starting point – if you have to restore your critical data over a WAN connection, how long will that take? How long can you afford it to take? (In 2014, Gartner estimated the cost of downtime at an average of $US5,600 per minute). Are you likely to incur excess network traffic expenses from your internet provider?
If restoring from backups does incur additional expenses, then this needs to be factored into your operational budget, to ensure that backup testing is fully accounted for. Commit to a regular backup restoration test schedule for predictable performance.
For smaller teams, backup testing can seem like a daunting and time consuming task. In these cases, it may be worth budgeting for extra support from data protection companies, who can assist with automating the restoration process.
Planning a backup solution with Ceph?
If you’re working with backups in Ceph, whether or not your organisation uses SoftIron HyperDrive, our HyperSafe Ceph support program is available to offer advice and guidance on creating and maintaining a reliable Ceph backup solution that works for your organisation.
And if you’re currently considering your options for a new backup solution, stay tuned for the next article in this series, which will examine why open source SDS is ideal for data backup and recovery.