Protect your Backup against Ransomware

Regular backups of all data, including data on file servers, infrastructure, and critical business applications should be performed. Keep in mind that these backups can also be affected by ransomware. Protect your backup against Ransomware. Indeed, more and more cybercriminals seek to attack backups to limit the possibilities for the victim to find his data and thus maximize the chances that he pays the ransom. These backups, at least for the most critical, must be disconnected from the Information System to prevent their encryption, like other files. The use of “cold storage” solutions, such as external hard drives or magnetic Tapes, can protect backups from infection of systems and preserve critical data upon recovery. In this regard, it is important to note that “backup-less” architectures (snapshots) effectively protect against the destruction of isolated data, when it is due to a hardware failure. However, they do not protect against targeted ransomware attacks because the attackers work to encrypt data on all servers.

 

Important things to protect your Backup Server:

First, your backup servers should never ever be accessible from the Internet. Outbound connectivity from a backup server is usually not a problem and is often required unless you are willing to sacrifice functionality like product update check, license auto-update, licensing usage reporting of Veeam service providers, and such. However, there’s simply no good reason to allow inbound connectivity from the Internet to your backup servers period.

Second, make sure the account used for RDP access does not have “Local Administrator” privileges on the jump box. There is simply no good reason for it to have such privileges, except if you want to help the hacker out. It easy is to fetch and decrypt passwords protected with the machine key from Veeam (or any other management software) if you can log in to the management server, and this is what jump box does solve. However, having “Local Administrator” privileges on the compromised jump box also allows a hacker to steal various LSA secrets, or even powerful domain credentials from some service account that you missed (or added later). Not to mention this also enables the installation of key loggers and advanced hacking tools, because having penetrated into your network perimeter, smart hackers always take time to collect additional information before executing the actual attack.

Third, never use saved credentials functionality for RDP or other remote console connections on your jump box because if your access account gets compromised, you don’t want the hacker to be able to immediately access other environments under some almighty credentials conveniently saved by you.

Finally, build your architecture “Secure by design”: Hardening, let your backup server and repositories outside the domain, Flow matrix, governance, sensibilization, Perimeter Defense (Gateways, Firewalls, Proxies, etc.), Access Management, Active Directory monitoring (alert in real-time), deliverables, etc. .


Christopher GLEMOT

Data Protection & Governance Team Leader | Technical specialist around Data, Security, Backup, Disaster Recovery, Cloud, Virtualization and Storage | Veeam Vanguard 2016-19 & VMCE | Founder of ArmoricanCloud.com | Owner of original-network.com
Please follow and like us:
Advertisement

Leave a Reply

error

Enjoy this blog? Please spread the word :)