Anti-ransomware protection: the top 8 backup mistakes

Regular backups are a key element of a ransomware protection strategy. But making backups is not enough: you also need to test them regularly to ensure they will be accessible and usable when you need them. In this article, we look at the top 8 backup mistakes we see in the field. Any one of these mistakes can be fatal!

Here are the 8 top mistakes we see in our ransomware incident response cases.

1. Backup server directly connected to the live servers

In SMBs, it's common to see backup servers directly connected to the servers they are backing up, especially via USB. This is a fatal mistake: when ransomware runs on a computer, it encrypts the data on the local hard drive, but also on any drive physically connected to that computer. So, if your backup server is directly connected to your servers via USB, you aren't really backed up.

Some ransomware is even able to encrypt the contents of shared remote directories connected to the computer. So it’s not recommended to do your backups on a shared directory accessible to everyone.

In other cases, we find that the backup server is installed in the same network zone as the servers, and this is a bad idea. When the hacker takes control of a server, he's often able to discover the other hosts reachable in that zone, including the backup server. This explains why, in many ransomware cases, the hacker is able to encrypt both the data and the backups, which puts the organization in an extremely difficult situation. Don't make it easy for hackers; they won't be grateful.

Solution: The backup server should never be directly connected to a server or be reachable from the same network zone. Ideally the backup should be done remotely, and you should strictly limit the types of communication allowed between the production network and the backup servers.



2. Relying only on confirmation messages from the backup server

At the end of a data backup, you almost always get a message confirming whether or not the operation was successful. However, a "successful" backup does not guarantee that you can restore the data. Very often it goes well, but sometimes only part of the data can be restored. In our experience, in 25% of cases the backups could not be restored in full, even though the IT teams had received messages confirming that the backups had been successful.

Solution: Test your backups to make sure they are restorable. Do not take the backup system’s word for it.



3. Putting all your eggs in one basket

What would happen if your backup solution provider experienced a major incident that makes all your data inaccessible? What would you do if this happened at the time you needed to restore your data in a hurry? These questions seem extreme, but they are relevant and you need to ask them, so you can plan your business continuity strategy properly.

Solution: Identify your most critical business processes and make sure that the data they process is not all backed up with the same provider. Otherwise you could be severely affected if that provider suffered a major incident, such as the OVH fire in France in March 2021, or the incidents at WHC in August 2021 and Facebook in October 2021.

Remember also that your backup solution provider could be hacked and that the hacker could exfiltrate your data. In such a case, it is better for you if some of your data is exfiltrated rather than all of it. Even if your own systems haven't been hacked, the hackers could still come to you and demand a ransom. And the longer they hold your data, the more pressure you'll be under to pay.



4. Not clearly identifying the dataset to be backed up

If you don't have a clear data backup plan, you might forget to back up data from some applications that are important to you without realizing it. First of all, your corporate website! Have you thought about the impact if your corporate website were unavailable for a week?

In one case, the organization had forgotten to make backups of a project management application because it didn't seem critical. After a ransomware incident, several developers in the organization were only able to work partially for several days. The organization was surprised to discover that the application had become mission-critical. Over time, the development team had expanded its use: the application now contained information about bugs that needed to be fixed, and the developers had added a chat to handle their requests and communications. All of this information had been encrypted by the ransomware.

Solution: Carry out a business impact analysis, identify all applications that are critical to your organization, and make sure each one is backed up. Involve all business units to ensure you cover every application in the organization. Don't overlook any application; a seemingly trivial one may turn out to be vital. Update your list at least once a year to make sure you don't forget anything.



5. Backups not tested regularly

Many organizations do not regularly test the backups they take and assume that the data will be recoverable when needed. This is a mistake.

Solution: Only regular testing will ensure that you can restore your data if needed. We recommend that you set up a test schedule and perform data recovery tests at least once a year. Testing can be done in isolation or as part of your incident response plan testing.



6. Not considering bandwidth when choosing an online backup solution provider

How long will it take to recover my backups in an emergency? Always ask this question when choosing a cloud backup solution provider. The answer depends on an important factor on your side: your network bandwidth. The lower your bandwidth, the longer it will take to recover your data.

For example, in one incident we managed, the backups were several terabytes in size and the estimated time to download them was one week! It was easier and faster to find a courier to pick up a copy of the backups at the hosting company (in Ontario) and have it delivered to Montreal on the next flight.

This case may seem extreme, but for us it's just one example among many. Your bandwidth can be your enemy.

Solution: Before you consider doing your backups at a hosting company, make sure that, if you ever need them, your data can be downloaded within an acceptable time frame. Agree with your provider on the options available if, for whatever reason, the download does not work or takes too long. Make sure you can drive over and pick up your data in the worst-case scenario.



7. Not keeping a copy of offline backups

In several ransomware cases we have seen, the hacker was able to encrypt the data on the servers as well as the online backups. Unless you have run tests that confirm otherwise, always assume that the hacker may be able to encrypt your online backups too.

Solution: We recommend you always keep an offline copy of your data backups. If your backups are done by a third party, also make sure that they keep an offline copy of your data. Discuss with your provider how long it will take to get access to that offline copy, to make sure the delay is acceptable to you.



8. Underestimating the time it takes to restore backups

When we run a data backup, we usually give very little thought to the time it takes to complete the operation. Whether it takes an hour or a day, it is generally acceptable because the backup process does not affect business continuity.

On the other hand, when a data restoration is launched, it is generally because there is a problem and services are interrupted. In such a context, there is always an emergency and the time required for the restoration is of paramount importance. You must therefore ensure that data restorations will always be done within an acceptable time frame.

Solution: Identify reasonable SLAs for your data recovery and test them periodically to validate them. Also test the following extreme case: you need access to the offline copy held by your backup provider during the vacation season, the Christmas holidays or a long weekend. You may be very surprised by the results.
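A restore test that covers mistakes 2, 5 and 8 at once, as an added example that is not part of the original article: it restores a backup archive into a scratch directory, compares every file against a hash manifest taken at backup time, and times the restore against an SLA. The sample dataset, the archive names and the `include` parameter (used here only to build an incomplete backup that the archiver writes without any error, the "success message" trap) are assumptions for the demonstration.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(source: Path) -> dict:
    """Hash every file at backup time (relative path -> sha256); keep it apart from the backup."""
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def create_backup(source: Path, archive: Path, include=None) -> None:
    """Write a tar.gz of the source tree; `include` lets the demo build an incomplete backup."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            rel = p.relative_to(source).as_posix()
            if p.is_file() and (include is None or rel in include):
                tar.add(str(p), arcname=rel)

def verify_restore(archive: Path, manifest: dict, sla_seconds: float) -> dict:
    """Restore into a scratch directory, check every manifest entry, time the restore."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # The 'data' filter (Python 3.12+, backported to recent 3.8-3.11 releases) rejects
        # members that would escape dest, so a tampered archive cannot overwrite other files.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **kwargs)
        missing = [rel for rel in manifest if not (dest / rel).is_file()]
        corrupted = [rel for rel in manifest
                     if rel not in missing and sha256_of(dest / rel) != manifest[rel]]
    elapsed = time.monotonic() - start
    return {"missing": missing, "corrupted": corrupted, "restore_seconds": round(elapsed, 3),
            "within_sla": elapsed <= sla_seconds,
            "ok": not missing and not corrupted and elapsed <= sla_seconds}

def demo() -> tuple:
    """Constructed dataset: the full backup passes; the partial one fails although tar wrote it without error."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"; (src / "crm").mkdir(parents=True)
        (src / "crm" / "customers.db").write_bytes(b"constructed sample record\n" * 2000)
        (src / "website.tar").write_bytes(b"constructed site export")
        (src / "bugtracker.json").write_bytes(b'{"constructed": true}')
        manifest = build_manifest(src)
        full, partial = Path(work) / "full.tgz", Path(work) / "partial.tgz"
        create_backup(src, full)
        create_backup(src, partial, include={"crm/customers.db", "website.tar"})
        return verify_restore(full, manifest, 60), verify_restore(partial, manifest, 60)
```

Calling `demo()` returns one report per archive; in a real schedule, run `verify_restore` against the production manifest and treat any non-empty `missing` or `corrupted` list, or a missed SLA, as a failed backup regardless of what the backup tool reported.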

Need Help? StreamScan is Here.

Whether you need help conducting a security audit, developing a security plan, or implementing a Managed Detection and Response solution, StreamScan has experts with years of experience in the manufacturing sector who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.
