Summary
What we will cover in this session and discuss:
- How organisations are affected by phishing attacks and what we can do to prevent them
- Malicious Threat Types of Attacks – compromised accounts, clickbait, new domains, etc.
- Difference between Malicious & Suspicious Emails and how to handle these
- What can be learnt from 2022’s headline data breaches – e.g. Uber (Sep 22 – 57m customer data stolen), Optus (Oct 22 – 10m customer data stolen), etc.
- The benefits of training your staff to identify phishing emails, ransomware and other threats
- With many businesses now moving to the cloud – why email security needs to adapt for this environment
- Greater sophistication in phishing attacks for mobile devices – What to look out for
- Future Email Security Analytics – systems metrics, trust modelling, detection threats analysis
- Value in remote compliance penetration testing – malware & phishing security working together
Air Gap and immutability – the latest trends in backup. The idea is a physical or logical gap between production systems and backup data, combined with additional security on those backups so they cannot be modified. It’s not a new idea; it has existed for decades with tape backups. Eject the tape from the tape drive and put it in an offsite firesafe. It is now air-gapped and immutable. This concept is now being applied to every backup solution as the latest measure against malware. Unfortunately, it’s often presented as the last stand and in some cases as a silver bullet. It is neither of these.
Air-Gapping and Immutability
Used in isolation, air-gapping and immutability are pointless. All the effort is aimed towards securing the backup data, only placing it online during the backup process. Often bold claims are made on how ultra-secure the backup device is. However, little emphasis is placed on securing the backup data in the first place and this leaves us with some problems.
Regardless of how much security we put around the backup device there is one thing that always has access to both the source data and backups – the backup software. By design it has to be able to read new data and add it to the backup storage. Malware writers and hackers don’t need access to the immutable, air-gapped backups, the backup software does it for them if the malware has gone undetected and infected the source data. Having an air-gap when the source data is already infected is like closing the gate after the horse has bolted.
Backup Strategy
A typical backup strategy is based on two main factors, recovery point objective (RPO) and recovery time objective (RTO). RPO is the amount of time between backups, or more precisely how much data the organisation is prepared to lose; RTO is how quickly that data needs to be recovered. In most cases the desired outcome is recovery to the latest backup (usually no more than 24 hours old) within a few hours. Backup retentions are typically quite short because it is expensive to keep everything for long periods, and recovering entire systems to a state more than a few days old would have limited value to the business and might even be fatal. Any long-term backups, or archives, are often of a subset of the data that needs to be kept for regulatory or compliance purposes. It is not often a requirement to keep long-term copies of the functional components of servers, operating systems, applications, etc. This means the ability to recover entire systems from backups that are more than a few days old is almost nil; some element of redeployment would be involved too.
Undetected Malware
In contrast to the backup strategy, malware is designed to remain undetected for as long as possible and has a very long retention period. Malware writers know most organisations do not have very long backup retentions and attempt to remain undetected for months or even years. The goal here is to make backups irrelevant so there is no way of recovering the data, or at the very least to make the data very difficult and time-consuming to recover. This is exacerbated when we consider how most backup solutions are sized and the cultural attitudes towards backup in most organisations.
Typically, a backup solution is sized to be able to process the amount of changed data each day, with full backups of a handful of systems at a weekend. To provide sufficient resources to run a full backup of all data within the daily backup window is prohibitively expensive, and as we move towards petabytes being a normal data quantity it may also be an impossible task to achieve. However, when it comes to recovery it is these very large amounts of data that we are trying to transfer in a relatively short time period, when using traditional backup applications. Very few organisations size their backup solution for restore, and very few IT managers will seek financial approval to do so as they know the requirements and cost for restore are much higher than those for backup.
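The two mismatches described above (malware dwell time versus backup retention, and restore throughput versus RTO) can be put into numbers. The following is an added example, not code from the original article or from Claritas Solutions; the policy figures, data sizes and throughput rates are constructed assumptions, and the model assumes one backup per day and that any backup taken after the malware arrived contains it, because the backup software copies whatever is on the source.

```python
"""Model backup retention against malware dwell time, and restore time
against RTO.  Constructed example with illustrative, assumed numbers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupPolicy:
    rpo_hours: float              # maximum tolerated data loss (time between backups)
    rto_hours: float              # maximum tolerated time to recover
    retention_days: int           # how many daily backups are kept
    restore_throughput_gbph: float  # assumed restore rate in GB per hour


def clean_restore_points(policy: BackupPolicy, dwell_days: int) -> int:
    """Number of retained daily backups taken before the malware arrived.

    Assumes detection happens today and one backup per day.  Every backup
    taken during the dwell period already contains the malware, so only the
    backups older than the dwell time are clean.  If the malware has been
    resident longer than the retention period, no clean copy remains.
    """
    return max(0, policy.retention_days - dwell_days)


def restore_hours(policy: BackupPolicy, data_gb: float) -> float:
    """Time to move data_gb back into production at the assumed restore rate."""
    return data_gb / policy.restore_throughput_gbph


def required_backup_throughput(changed_gb_per_day: float, window_hours: float) -> float:
    """GB/h a backup solution is typically sized for: the daily change, within the nightly window."""
    return changed_gb_per_day / window_hours


def required_restore_throughput(total_data_gb: float, rto_hours: float) -> float:
    """GB/h needed to bring back *everything* within the RTO after a full compromise."""
    return total_data_gb / rto_hours


def assess(policy: BackupPolicy, dwell_days: int, data_gb: float) -> dict:
    """Summarise whether a clean restore point exists and whether a full restore meets RTO."""
    points = clean_restore_points(policy, dwell_days)
    hours = restore_hours(policy, data_gb)
    return {
        "clean_restore_points": points,
        "recoverable_from_backup": points > 0,
        "restore_hours": hours,
        "meets_rto": hours <= policy.rto_hours,
    }


if __name__ == "__main__":
    # Constructed policy: 24h RPO, 8h RTO, 30-day retention, 500 GB/h restore rate.
    policy = BackupPolicy(rpo_hours=24, rto_hours=8, retention_days=30,
                          restore_throughput_gbph=500)

    # Malware resident for 90 days across a 100 TB estate: no clean point, restore far beyond RTO.
    print(assess(policy, dwell_days=90, data_gb=100_000))
    # Malware caught after 5 days, restoring a single 2 TB system: recoverable and within RTO.
    print(assess(policy, dwell_days=5, data_gb=2_000))

    # Sizing gap: 2 TB of daily change in an 8h window versus 100 TB restored in an 8h RTO.
    backup_need = required_backup_throughput(changed_gb_per_day=2_000, window_hours=8)
    restore_need = required_restore_throughput(total_data_gb=100_000, rto_hours=8)
    print(f"backup sizing: {backup_need:.0f} GB/h, restore sizing: {restore_need:.0f} GB/h "
          f"({restore_need / backup_need:.0f}x)")
```

The first `assess` call is the scenario the article warns about: every retained backup post-dates the infection, so immutability protects copies that are themselves compromised, and even if a clean copy existed the full restore would take 200 hours against an 8-hour RTO. The sizing comparison shows why a solution sized for the nightly change rate is 50 times short of what a full restore within RTO would need.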
Backup Retentions
It’s a similar tale with backup retentions. It’s a subject rarely discussed across the business, as it’s seen as an IT problem. So long as there is a backup nobody cares, or perhaps they do, but IT assume they don’t. This culture often permeates the IT department too, as backups are seen as unexciting and a junior job, so there is very little input into backup retentions and recovery. If retentions are factored into the design of a backup solution they are used primarily to keep the costs down and to justify a budget – we can hold a 30-day backup retention with ‘x’ amount of backup resource. However, it’s not uncommon for backup retentions to be decided by backup administrators during the implementation of backup software with zero input from the business. And when backup policies are created by the IT department they are only visible to the IT department. It is safe to say most backup policies and strategies do not match the requirements or expectations of the business.
The Age of the App
We live in the age of the App. Our experience of mobile phones has become the IT norm for anyone not technical and there is often an assumption when it comes to backup that data can be retrieved from any point in time almost instantly, and at zero cost. Senior management are often living in ignorant bliss thinking they have a backup so everything is okay without understanding the true capabilities of their organisation to recover from a serious incident and what the threats are to their IT infrastructure. Disaster recovery testing is almost non-existent, and budgets for backup services are minimal because the organisation has other priorities. Even legal obligations have a limited impact.
In short, most backup solutions are not fit for purpose when it comes to protecting organisations against malware threats. We have too much data now, and moving all of it from one place to another in a short amount of time is simply impossible, either technically, commercially or both. Given the increasing probability of a successful malware attack and the need to recover massive amounts of data, we need to rethink backup and its role within the organisation.
This leads us back to the start – the air gap and immutability. These aren’t terrible ideas at all. On the contrary, increasing backup security through segmentation and controlled access is a good idea, but it is only part of the solution and part of the wider security landscape when protecting organisations against malware attacks.
We must first start with good IT security and practice:
- Adopting a ‘zero trust’ approach to security
- Regular reviews of security processes and procedures
- Awareness, training and communications
- Regular patching
- End-to-end encryption
- Continuous threat and malware protection
- Separation of devices and services, through network segmentation and adoption of micro-services such as containers
- Automation and running devices (containers) with short leases
- Backup auditing and reporting
- Continuous testing of disaster recovery and adaptation of backup and recovery processes
- Regular reviews of backup strategy, RPO/RTO and backup server capacity / performance
Above all else we need open discussions between the business and IT regarding business continuity and disaster recovery to fully understand and appreciate the requirements and the capabilities of any implemented solution. We also need to accept this is not a ‘set it and forget it’ service. It’s a continuous journey as new threats will appear all of the time. It’s also an opportunity to modernise and optimise IT services as a whole to better serve the business.
Don’t know where to start? Why not get in touch with Claritas Solutions, who can help you with the following services and solutions:
- Backup and Recovery audit and health check
- Security audit and penetration testing
- Hosting, cloud and automation services
- Software and design services
Email: sales@claritas-solutions.com
Phone: 0330 333 88 33
Or complete the online contact form