5 Ways Your DR and Backup Solutions May Be Weakening Your Cyber Resilience
Cybersecurity has evolved far beyond protecting passwords and preventing intrusions. Cyber resiliency builds on cybersecurity with measures not only to prevent and detect attacks but also to recover from them effectively. Are your disaster recovery and backup solutions up to the task of cyber resilience? Consider these five ways they may be deficient.
1. Not Following the 3-2-1-1 Data Protection Rule
The 3-2-1 rule is a data backup strategy that has become the industry standard for data protection and disaster readiness, and that keeps on evolving.
What is the classic 3-2-1 data protection rule?
3– Copies of the data (including the original copy)
2– Types of media (which means cloud storage, network storage, tape, etc.)
1– Copy of the data stored offsite (preferably far offsite, in another geographical region to protect against regional disasters)
What is the extra “1” in the 3-2-1-1 data protection rule?
1– Copy of the data that is offline or immutable (or both!)
Why is this important? Cybercriminals using ransomware will attempt to hold data hostage, and the ability to recover the data can negate the need to pay a ransom. Consequently, cyberattacks have begun to target recovery data as well, but they cannot encrypt or delete that recovery data if it is immutable or offline.
Challenges in Implementing the 3-2-1-1 rule
Many organizations struggle with the 3-2-1-1 rule first in creating the two extra copies of the data in a timely manner, which requires a one-to-many data protection capability. If one backup copy must be created before a second copy can be started, this significantly increases the time it takes to reach three copies.
Secondly, organizations do not always send their recovery data far enough offsite, so their “offsite” copy can still be affected by a regional event.
Finally, not having an offline or immutable copy leaves you exposed to a ransomware attack that encrypts or deletes your backups, giving you no way to recover.
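The checks above can be written down as a simple audit over an inventory of backup copies. The following is an added example, not Zerto or HPE code; the BackupCopy model, the primary_region parameter and the two sample inventories are constructed for this illustration. It flags each of the three failure modes just described (too slow or too few copies, an "offsite" copy that is still in the primary region, and no immutable or offline copy):

```python
"""Check a backup copy inventory against the 3-2-1-1 rule.

Added example, not Zerto/HPE code. The inventory model (BackupCopy), the
primary_region parameter and the sample inventories are assumptions made for
this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                # storage type: "disk", "object-storage", "tape", ...
    region: str               # geographic region where this copy lives
    offsite: bool             # stored outside the primary site
    immutable: bool = False   # cannot be altered or deleted until retention expires
    offline: bool = False     # not reachable over the network (e.g. ejected tape)


def check_3211(copies, primary_region):
    """Return a list of findings; an empty list means the rule is satisfied.

    The original/production copy counts as one of the three copies.
    """
    findings = []

    # 3: at least three copies, including the original
    if len(copies) < 3:
        findings.append(
            f"only {len(copies)} copies; the rule needs at least 3 (including the original)")

    # 2: at least two different media types
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(
            f"all copies are on one media type ({', '.join(sorted(media)) or 'none'}); need 2")

    # 1: at least one offsite copy, and it should be in another region
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no offsite copy")
    elif all(c.region == primary_region for c in offsite):
        findings.append(
            "every offsite copy is in the primary region; a regional event can hit both")

    # +1: at least one immutable or offline copy
    if not any(c.immutable or c.offline for c in copies):
        findings.append(
            "no immutable or offline copy; ransomware can encrypt or delete every copy")

    return findings


# Constructed sample inventories (not real environments).
COMPLIANT = [
    BackupCopy("prod-datastore", "disk", "eu-west", offsite=False),
    BackupCopy("local-backup", "disk", "eu-west", offsite=False),
    BackupCopy("cloud-vault", "object-storage", "us-east", offsite=True, immutable=True),
]
DEFICIENT = [
    BackupCopy("prod-datastore", "disk", "eu-west", offsite=False),
    BackupCopy("same-region-dr", "disk", "eu-west", offsite=True),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("deficient", DEFICIENT)):
        print(f"{label}: {check_3211(inventory, 'eu-west') or 'OK'}")
```

Run as a script it prints an empty finding list for the first inventory and four findings for the second; in practice the inventory would be generated from the backup solution's own catalogue rather than typed in.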
2. Slow or No Capabilities for Detection of a Cyberattack
Most data protection solutions have some kind of malware or anomaly detection mechanism to determine if you may be experiencing a cyberattack or if your recovery data has been compromised. The problem is that many of these detection methods occur after a backup has been performed, which can be hours after an attack began: a significant delay with dire consequences.
Why is this important? The longer it takes to detect a potential threat, the slower your response will be, and the more damage the attackers can do before you can take measures to mitigate. Responding quickly gives you the chance to isolate affected systems, limit the spread and blast radius of the attack, and begin recovery and forensics much faster. Not being able to detect a potential cyberattack in real time puts an unnecessary delay on response times and leads to far more damaging attacks.
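One way to detect an attack while data is still being written, rather than after a backup job has finished, is to score each incoming write as it arrives. The example below is added here and is not Zerto or HPE code; the WriteRecord shape, the thresholds and the sample write stream are constructed for the illustration. It measures the Shannon entropy of each write (ciphertext is close to 8 bits per byte, text far below) and raises an alert for any time window in which most writes look encrypted, which is the signature of a mass-encryption run:

```python
"""Flag bursts of high-entropy writes as they arrive, not after a backup completes.

Added example, not Zerto/HPE code. The WriteRecord shape, the thresholds and the
sample stream are constructed for this illustration.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteRecord:
    timestamp: float   # seconds since the start of the stream
    path: str
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_bursts(records, window_seconds=60, entropy_threshold=7.0,
                             burst_ratio=0.8, min_writes=20):
    """Return one alert per time window in which most writes look encrypted.

    A ransomware run rewrites many files with ciphertext in a short time, so the
    share of high-entropy writes per window jumps from near zero to near one.
    min_writes keeps a single encrypted archive upload from triggering an alert.
    """
    windows = defaultdict(lambda: [0, 0])   # window index -> [total writes, high-entropy writes]
    for r in records:
        w = int(r.timestamp // window_seconds)
        windows[w][0] += 1
        if shannon_entropy(r.payload) >= entropy_threshold:
            windows[w][1] += 1
    alerts = []
    for w in sorted(windows):
        total, high = windows[w]
        ratio = high / total
        if total >= min_writes and ratio >= burst_ratio:
            alerts.append({"window": w, "start": w * window_seconds,
                           "writes": total, "high_entropy_ratio": round(ratio, 2)})
    return alerts


def _text_payload(i):
    # Ordinary log text: low entropy.
    return (f"2024-01-01T00:00:{i:02d} INFO request served in 12ms\n" * 80).encode()


def _ciphertext_like_payload(i):
    # Deterministic stand-in for encrypted output: 4 KiB of hash-derived bytes.
    return b"".join(hashlib.sha256(f"block-{i}-{k}".encode()).digest() for k in range(128))


# Constructed sample stream: one minute of normal log writes, then a minute in which
# 30 documents are rewritten with ciphertext-like content alongside 5 normal writes.
SAMPLE_STREAM = (
    [WriteRecord(i * 2.0, f"/var/log/app/{i}.log", _text_payload(i)) for i in range(30)]
    + [WriteRecord(60 + i * 1.5, f"/srv/docs/report-{i}.docx", _ciphertext_like_payload(i))
       for i in range(30)]
    + [WriteRecord(61 + i * 10.0, f"/var/log/app/{i}.log", _text_payload(i)) for i in range(5)]
)

if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_STREAM):
        print(f"ALERT window starting at t={alert['start']}s: "
              f"{alert['writes']} writes, {alert['high_entropy_ratio']:.0%} high entropy")
```

Fed a continuous replication or journal stream, this check fires within one window of the first encrypted writes, which is the kind of real-time signal the paragraph above calls for; entropy alone produces false positives on legitimately compressed or encrypted files, so production detectors combine it with signals such as rename rates and extension changes.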
3. No Clean Room for Cyber Recovery Readily Available
So, you’ve been hit by a cyberattack and you want to start your cyber recovery, but how do you know you can recover without attackers instantly hitting you again? Even if attackers no longer have access to your data, there may be malware lying dormant in the recovered data and systems that will give attackers a new back door into your environment. Unless, of course, you recover in an isolated (and preferably air-gapped) clean room environment.
Having an isolated network with dedicated storage and compute resources gives you an environment that attackers do not have access to, in which you can begin recovery and forensics, find any malware, and scrub it before recovering back to production. Not having such an environment ready to go, and having to wait for one to be built, can delay recovery by days or weeks (maybe months).
4. Untested DR or Cyber Recovery Plans
What is a data protection/cyber resilience plan if you don’t test it? Spoiler: It is a second disaster waiting to happen and a good way to be sent looking for another job. And yet, organizations still struggle to perform disaster recovery and cyber recovery testing effectively. Why? Because those tests are too often disruptive and require downtime of systems, data, and personnel.
At the speed at which cyberattacks are evolving, testing should be happening at least quarterly, but many organizations struggle even to test annually because they don’t have the ability to test non-disruptively. What does this mean? It means no systems or data have to be taken offline, and recovery can occur in an isolated environment that can be created instantly and removed instantly when the testing is complete.
Whether you want to test recovery of individual systems, applications, entire sites, or multiple sites, doing so non-disruptively is what makes frequent, effective testing possible and ensures your data protection/cyber resilience solutions will work as expected when the need arises.
5. Vulnerable Recovery Architecture
Compromised Recovery Systems and Data
It cannot be mentioned often enough that cyber attackers are coming after recovery systems and recovery data. If an organization has loose security measures in place, such as not following least-privilege access and zero-trust principles, then the recovery solutions can be compromised more easily as part of an attack. Once attackers gain access to recovery systems, they can make recovery far more difficult for you as the victim. Solutions that use agents on each individual virtual machine can be especially vulnerable, since those agents can be disabled by attackers, effectively disabling backups and recovery mechanisms.
Access Management and Component Hardening of Recovery Solutions
This means that data protection solutions like disaster recovery and backup solutions need to be secure with capabilities like multi-factor authentication, role-based access controls, and other security policies to protect against unauthorized intrusion. Solution components like virtual appliances should be hardened with small attack surfaces and receive regular security updates to eliminate vulnerabilities.
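The controls named in this section (least-privilege roles, MFA, and an immutable copy that no account can undo) can be illustrated as a single authorization gate in front of recovery data. The code below is an added example, not Zerto or HPE code; the role names, the Principal and RecoveryCopy models and the policy itself are assumptions for this illustration. The point it demonstrates is ordering: role permissions are checked first, destructive operations additionally require a verified second factor, and a retention lock on the copy is enforced last and regardless of role, so a stolen administrator session still cannot delete or shorten the locked copy:

```python
"""Authorization gate for operations on recovery data: least privilege, MFA for
destructive actions, and an immutability lock that no role can bypass.

Added example, not Zerto/HPE code. Role names, the Principal/RecoveryCopy models
and the policy itself are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset        # e.g. {"backup-viewer"}, {"backup-operator"}, {"backup-admin"}
    mfa_verified: bool      # this session completed a second factor


@dataclass(frozen=True)
class RecoveryCopy:
    name: str
    immutable_until: Optional[datetime]   # retention lock; None means not locked


# Least privilege: each role gets only the operations it needs, nothing more.
ROLE_PERMISSIONS = {
    "backup-viewer":   {"list", "verify"},
    "backup-operator": {"list", "verify", "restore"},
    "backup-admin":    {"list", "verify", "restore", "delete", "shorten-retention"},
}
DESTRUCTIVE = {"delete", "shorten-retention"}   # these additionally require MFA


def authorize(principal, operation, copy, now=None):
    """Return (allowed, reason). Deny by default; cheapest checks run first."""
    now = now or datetime.now(timezone.utc)

    # 1. Role check: an unknown role grants nothing.
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))
    if operation not in permitted:
        return False, f"{principal.name}: role(s) {sorted(principal.roles)} lack '{operation}'"

    # 2. Step-up authentication for anything that reduces recoverability.
    if operation in DESTRUCTIVE and not principal.mfa_verified:
        return False, f"{principal.name}: '{operation}' requires MFA"

    # 3. Immutability is a property of the copy, not of the caller: even an
    #    MFA-verified admin cannot delete or shorten a locked copy before it expires.
    if operation in DESTRUCTIVE and copy.immutable_until and now < copy.immutable_until:
        return False, f"{copy.name} is immutable until {copy.immutable_until.isoformat()}"

    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample principals and copies.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    vault_copy = RecoveryCopy("vault-copy", now + timedelta(days=30))
    admin = Principal("alice", frozenset({"backup-admin"}), mfa_verified=True)
    for op in ("restore", "delete"):
        print(op, authorize(admin, op, vault_copy, now))
```

Deny-by-default and the lock being attached to the copy rather than to the role are the two design choices that matter; everything else (role names, MFA mechanism, lock duration) is a deployment decision that a real solution exposes as configuration.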
Avoid these five deficiencies. Be resilient! Learn more about how HPE and Zerto, a Hewlett Packard Enterprise company, help our customers build cyber resilient solutions for detection and recovery.
Read our Recovery Is the Cornerstone of Ransomware Resilience white paper, or discover our Zerto Cyber Resilience Vault.
For more specific questions, simply get in touch or request a demo.