One thing is clear. The “business value” of data
continues to grow, making it an organization’s primary piece of
intellectual property.
From a cyber risk perspective, attacks on data are the most
prominent threat to organizations.
Regulators, cyber insurance firms, and auditors are paying much
closer attention to the integrity, resilience, and recoverability
of organization data – as well as the IT infrastructure & systems
that store the data.
What Impact Does This Have On The Security Of Storage & Backup Systems?
Just a few years ago, almost no CISO thought that storage &
backups were important. That’s no longer the case today.
Ransomware has pushed backup and recovery back onto the IT and
corporate agenda.
Cybercriminals, such as Conti, Hive and REvil, are targeting storage and backup[1] systems, to prevent
recovery.
Some ransomware strains – Locky and Crypto, for example – now bypass
production systems altogether, and directly target backups.
This has forced organizations to look again at potential holes
in their safety nets, by reviewing their storage, backup, and data
recovery strategies.
CISO Point of View
To get insights on new storage, backup, and data protection
methods, 8 CISOs were interviewed[2]. Here are some of those
lessons.
Source: CISO Point of View: The ever-changing role of data, and the implications for data protection & storage security (Continuity[3])
CISOs are concerned about the rise of ransomware – not only the
proliferation of attacks but also their sophistication:
“The storage and backup environments are now under attack, as
the attackers realize that this is the single biggest determining
factor to show if the company will pay the ransom,” says
George Eapen, Group CIO (and former CISO) at
Petrofac.
John Meakin, former CISO at GlaxoSmithKline,
BP, Standard Chartered, and Deutsche Bank, believes that “As
important as it may be, data encryption is hardly enough to protect
an organization’s core data. If attackers find their way into a
storage system (as data encryption alone won’t prevent them from
doing so), they are free to cause severe damage by deleting and
compromising petabytes of data – whether they’re encrypted or not.
This also includes the snapshots and backup.”
Without a sound storage, backup, and data recovery strategy,
organizations have little chance of surviving a ransomware attack,
even if they end up paying the ransom.
Shared Responsibility – CISO vs. Storage & Backup Vendor
While storage & backup vendors provide excellent tools for
managing availability and performance of their infrastructure, they
don’t do the same for the security and configuration of those same
systems.
Some storage and backup vendors publish security best practice
guides. However, implementation and monitoring of security features
and configurations is the responsibility of an organization’s
security department.
There are, however, a number of cyber resiliency initiatives
that are being carried out. These include:
Current Ransomware Resiliency Initiatives For Storage & Backup:
Air-gapped data copies
Adding an air-gap means separating backups from production data.
This means that if the production environment is breached,
attackers don’t immediately have access to backups.
You can also keep storage accounts separate.
Storage snapshots & replication
Snapshots record the live state of a system to another location,
whether that’s on-premises or in the cloud. So, if ransomware hits
the production system, there is every chance it will be replicated
onto the copy.
Immutable storage & vault
Immutable storage is the simplest way to protect backup data.
Data is stored in a Write Once Read Many (WORM) state and cannot be
deleted for a pre-specified period.
Policies are set in the backup software or at the storage level,
which means backups can’t be changed or encrypted.
While immutability is helpful in remediating cyberthreats, it is
certainly not bulletproof.
Immutable storage can be ‘poisoned’, enabling hackers to change
the configuration of backup clients and gradually replace stored
data with meaningless information. In addition, once hackers gain
access to the storage system, they can easily wipe out
snapshots.
Storage security posture management
Storage security posture management solutions help you get a
full view of the security risks in your storage & backup systems.
They do this by continuously scanning these systems, to
automatically detect security misconfigurations and
vulnerabilities.
They also prioritize risks in order of urgency and business
impact, and provide remediation guidance.
4 Steps to Success
- Define comprehensive security baselines for all components of storage and backup systems (NIST Special Publication 800-209; Security Guidelines for Storage Infrastructure[4] provides a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage & backup systems).
- Use automation to reduce exposure to risk, and allow much more agility in adapting to changing priorities. Storage security posture management (also known as storage vulnerability management) solutions can go a long way to helping you reduce this exposure.
- Apply much stricter controls and more comprehensive testing of storage and backup security, and the ability to recover from an attack. This will not only improve confidence, but will also help identify key data assets that might not meet the required level of data protection.
- Include all aspects of storage and backup management, including often-overlooked key components such as fiber-channel network devices, management consoles, etc.
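As an added illustration (not code from the article, Continuity, or NIST), the sketch below shows what an automated baseline scan of the initiatives above could look like: it checks each backup target for WORM retention, account separation, snapshot delete rights, and backup-client configuration drift (the 'poisoning' caveat), then orders findings by urgency. The record fields, baseline values, account names and role names are all hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical baseline values for this example (not quoted from NIST SP 800-209).
MIN_RETENTION_DAYS = 30
APPROVED_SNAPSHOT_DELETERS = frozenset({"backup-vault-admin"})
APPROVED_CLIENT_CONFIG = "schedule=daily\ninclude=/srv/data\n"
RANK = {"critical": 0, "high": 1, "medium": 2}

@dataclass(frozen=True)
class BackupTarget:
    name: str
    backup_account: str
    production_account: str
    worm_enabled: bool
    retention_days: int
    snapshot_deleters: frozenset
    client_config: str

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def scan(t):
    """Return (severity, target, message) findings for one backup target."""
    out = []
    if not t.worm_enabled:
        out.append(("critical", t.name, "immutability (WORM) is disabled"))
    elif t.retention_days < MIN_RETENTION_DAYS:
        out.append(("medium", t.name, f"WORM retention {t.retention_days}d is below baseline"))
    # Poisoning check: the backup client's config must match the approved one.
    if sha256(t.client_config) != sha256(APPROVED_CLIENT_CONFIG):
        out.append(("critical", t.name, "backup client config differs from approved baseline"))
    if t.backup_account == t.production_account:
        out.append(("high", t.name, "backups share an account with production"))
    extra = t.snapshot_deleters - APPROVED_SNAPSHOT_DELETERS
    if extra:
        out.append(("high", t.name, f"unexpected snapshot delete rights: {sorted(extra)}"))
    return out

def scan_all(targets):
    """Scan every target and order findings by urgency."""
    return sorted((f for t in targets for f in scan(t)), key=lambda f: RANK[f[0]])

# Constructed sample inventory.
TARGETS = [
    BackupTarget("vault-a", "acct-backup", "acct-prod", True, 90, APPROVED_SNAPSHOT_DELETERS, APPROVED_CLIENT_CONFIG),
    BackupTarget("nas-b", "acct-prod", "acct-prod", False, 0, frozenset({"backup-vault-admin", "prod-admin"}), "schedule=daily\ninclude=/tmp/empty\n"),
    BackupTarget("vault-c", "acct-backup", "acct-prod", True, 7, APPROVED_SNAPSHOT_DELETERS, APPROVED_CLIENT_CONFIG),
]

if __name__ == "__main__":
    for severity, name, message in scan_all(TARGETS):
        print(f"{severity:8} {name:8} {message}")
```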
NIST Special Publication 800-209; Security
Guidelines for Storage Infrastructure[5]
provides an overview of the evolution of storage technology, recent
security threats, and the risks they pose.
It includes a comprehensive set of recommendations for the
secure deployment, configuration, and operation of storage
resources. These include data and confidentiality protection using
encryption, isolation and restoration assurance.
References
[1] targeting storage and backup (www.continuitysoftware.com)
[2] 8 CISOs were interviewed (www.continuitysoftware.com)
[3] Continuity (www.continuitysoftware.com)
[4] NIST Special Publication 800-209; Security Guidelines for Storage Infrastructure (www.continuitysoftware.com)
[5] NIST Special Publication 800-209; Security Guidelines for Storage Infrastructure (www.continuitysoftware.com)
[6] Twitter (twitter.com)
[7] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/a-cisos-practical-guide-to-storage-and.html