Don't wait until after a disaster, DDoS, or ransomware attack to learn just how good your backups really are.
November 14, 2019
They're the first questions you might be asked in the heat of a disaster, DDoS, or ransomware attack: How soon before we're back up? How good are our backups? Have the wrong answer to those questions, and it will feel like getting kicked while you're down.
Good backups are essential to business continuity, but how do you know yours are "good"? And how do you know they'll be ready when you need them? Start by finding answers to the following eight questions.
Why Am I Backing This Up?
There's a difference between backup for archival purposes and backup for recovery purposes. If you want long-term records storage, you need a different set of solutions than if you need quick restoration of business operations after an attack, disruption, corruption, or disaster.
Even if your backups are intended to help you recover from a total system failure, that doesn't necessarily mean every single IT asset will need to be backed up to the last nanosecond.
"What it comes down to," says John Pironti, president of consultancy IP Architects, "is what are the [business] values and requirements, how does it align with your recovery time and recovery point objectives, what are the business value and business expectations for the availability of your data, [and] what are your regulatory obligations and requirements?"
What's the RPO and RTO?
Before backing up assets, experts advise that you identify the "recovery point objective" (RPO) and the "recovery time objective" (RTO) for those assets.
RPO is the maximum tolerable amount of data to lose: Can your business survive intact if it loses all the data from the past week, or will it entirely collapse if it loses all the data from the last hour? RTO is the maximum tolerable amount of time to recover. Maybe you'll be fine without any access to your data or applications for a full day, or maybe a major catastrophe will occur if this application is down for 10 minutes.
Oussama El-Hilali, CTO of Arcserve, gives the example of transactional data at a stock exchange. It's critical information that changes so quickly that it loses value in moments. The RPO and RTO for such data require that "if there's an interruption, I want to be back immediately without any loss of transactions," he says. "Once these parameters are determined, then you look for the solution that can meet those parameters."
Am I Using the Right Type of Solution?
For your business purposes, a scheduled full-volume weekly backup, plus daily incremental backups that capture all the changes from the previous day, might be perfectly fine. However, if you simply cannot tolerate a momentary lapse, then a continuous or real-time backup solution might be necessary.
Arcserve's El-Hilali poses the example of an online retailer that may not be able to last long if its shop can't take payments during the height of holiday shopping season. For this retailer, a continuous cloud-based backup solution that enables the recovery of applications as well as files and databases -- sometimes known as a "disaster-recovery-as-a-service" (DRaaS) solution -- would be in order.
"If you want to be able to recover surgically individual files [and] individual capabilities, then it's more efficient to do it at a file level [rather than at a volume level]," IP Architects' Pironti says. "But it takes longer, and it takes more processing power, and it takes more storage theoretically, so you have more storage costs. A volume-level assumes you're taking a whole database, versus a file-level might be for a user environment," he says.
Can I Restore to a Known-Good Version?
Some backup solutions will replicate a mirror image of your current data but will not store earlier versions of your environment. The drawback of that is it makes you less resilient to malware infections, such as ransomware.
Pironti and El-Hilali advise considering a backup solution that allows you to store several versions so you can restore from a "known-good" version free of the malware that got you in trouble to begin with -- rather than restoring from a mirrored image, which will be identical.
Are My Backups Backed Up Far Enough?
The standard 3-2-1 rule still applies (three copies, on two media types, with one copy offsite). For disaster recovery purposes, you'll want to have one set of backups stored well outside the same physical area as your primary set of data. Make sure you're not in the same evacuation zone as the backup provider.
Are My Backups Secure?
The backups themselves can, of course, be a target of a theft or cyberattack -- by criminals trying to extract data or by ransomware attackers going the extra mile to pressure victims into paying. So how can you ensure they're safe?
Store backup tapes or drives in a physically secured location. Use whatever security services are provided by the backup provider. For example, Arcserve recently partnered with Sophos to provide endpoint security protection on the Arcserve backup appliance.
"As long as I encrypt the data, I don't care where it goes," says IP Architects' Pironti, adding that encrypting it first and managing your keys properly gives him the confidence to save money on cheaper storage.
Pironti and El-Hilali both caution against storing keys in the same place the data is stored. (If the backup location is compromised, you don't want the attacker to have the decryption key, too.) So while some backup providers will manage your keys for you, Pironti and El-Hilali recommend keeping copies of the key in escrow yourself. Make sure, however, this key is somewhere you can get to in an emergency.
"Some [backup providers] will manage the keys for you, some will let you manage the keys, and if you've lost them, that's just too bad," says Arcserve's El-Hilali.
Adds Pironti: "Keep a local escrow of the key because the adversary can disable the organization just by killing off the keys."
Can I Retrieve My Backups When I Need Them?
"One of the things that a lot of people forget ... how can I make sure that the integrity of that backup is maintained for the duration of its storage?" Arcserve's El-Hilali says. For example, he says, if the backups are stored to tape, has the tape been damaged so that it is no longer readable?
"One of the biggest mistakes I've seen people make," adds Pironti, "is people don't test recovery. They test backup, but they don't do recovery in advance of a need." Just recover something from time to time to make sure you can, he suggests.
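A restore drill of the kind described above, as an added example that is not from the article or from any vendor it names: it records hashes at backup time, then restores into a scratch directory and checks both the stored archive and every restored file. It assumes GNU tar, find and sha256sum; the function names, file names and demo data are hypothetical.

```shell
#!/bin/sh
# Added example: restore drill for a tar.gz backup (not from the article).
# Assumes GNU tar, find and sha256sum; every path here is hypothetical.

# make_backup SRC_DIR OUT_DIR
# Writes backup.tar.gz, a per-file manifest, and a hash of the archive itself.
make_backup() {
    src=$1; out=$2
    mkdir -p "$out" || return 1
    # Hash the live files first, with paths relative to SRC_DIR.
    (cd "$src" && find . -type f -exec sha256sum {} + | sort -k 2) \
        > "$out/manifest.sha256" || return 1
    tar -C "$src" -czf "$out/backup.tar.gz" . || return 1
    # The archive hash catches media damage before anything is unpacked.
    (cd "$out" && sha256sum backup.tar.gz > backup.tar.gz.sha256)
}

# restore_drill OUT_DIR
# Returns 0 if the backup restores cleanly, 2 if the stored archive changed,
# 3 if it cannot be unpacked, 4 if a restored file differs from the manifest.
restore_drill() {
    out=$(cd "$1" && pwd) || return 1
    scratch=$(mktemp -d) || return 1   # never restore over production data
    rc=0
    (cd "$out" && sha256sum -c backup.tar.gz.sha256) >/dev/null 2>&1 || rc=2
    if [ "$rc" -eq 0 ]; then
        tar -C "$scratch" -xzf "$out/backup.tar.gz" 2>/dev/null || rc=3
    fi
    if [ "$rc" -eq 0 ]; then
        (cd "$scratch" && sha256sum -c "$out/manifest.sha256") \
            >/dev/null 2>&1 || rc=4
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Constructed demo data: two small files standing in for business records.
demo=$(mktemp -d)
mkdir -p "$demo/data/sub"
printf 'orders\n' > "$demo/data/orders.txt"
printf 'ledger\n' > "$demo/data/sub/ledger.txt"
make_backup "$demo/data" "$demo/backup"
if restore_drill "$demo/backup"; then echo "restore drill: OK"
else echo "restore drill: FAILED ($?)"; fi
```

Run on a schedule against real backup sets, a non-zero return is the signal to investigate before the backup is actually needed.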
I NEED THE BACKUPS! Are They Going To Make Things Worse?
"If you have a security incident," IP Architects' Pironti says, "you have to go back and do a root cause analysis and say, 'At what point do we believe we have a clean backup?' Because if I recover an infected backup, I'm just going to reinfect the environment."
He advises recovering into a quarantined environment and testing for malicious activity first.
Hopefully your backups will never be needed after a calamitous malware infection. But if they are, be careful.
About the Author(s)
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.