Cybercriminals are having a field day targeting business and government IT infrastructures. You can no longer assume that these criminals only go after weak or poorly secured targets because it’s simply no longer the case.
In order to keep your business, your customers, and your employees safe from the prospect of ransomware attacks, you need to fully understand the threat and implement a sophisticated solution that reduces the risk to your business. That solution must also provide a sure path to recovery should you find that your best efforts to avoid an attack have still failed. (WEBINAR INFORMATION BELOW)
The New Era of Ransomware
How many news stories will be watch before the message of how this new era of ransomware is different sinks in? Cybercriminals are patient and intelligent, and they use increasingly sophisticated techniques.They’re not just lazily sending out links and seeing what works for them; they learn about the companies, or the government entities, they target and their specific networks. They price out the ransom in the same way an ordinary IT vendor might. After biding their time, they strike when the company or municipality is most vulnerable and least able to respond competently or decisively. This increases the pressure on the victim to pay the ransom because they’re caught entirely off guard. And furthermore, once one ransom has been paid, that entity becomes a bigger target for future attacks.
How to Protect Your Employees and Business from Ransomware Attacks
Let’s look at some of the specific steps your business can take to address the threat of ransomware using a combination of best practices and Enhanced Data Protection. We’ll start with the low-hanging fruit, the basics, and then detail how our next level of DRaaS and cyber security solution provides you with the confidence to know your data is safe with a quick video recap of a conversation our CEO and CIO recently shared with Petri at VeeamON 2019.
Adopt a ‘Not If, But When’ Mentality
The scale of threats to every company’s biggest asset, its data, is now undeniable. Your business is going to be targeted at some point. While you can’t stop a hacker from trying to penetrate your systems, you can stop the attacks being successful or impactful. Making your employees aware that the business is likely to be targeted should help to keep them more alert to the threat.
Restrict Abilities and Privileges
Restricting your systems to least privilege access can be helpful. Assess user roles and evaluate who needs access to platforms and data. Limit admin roles to only the most highly trained and reliable staff.
Employee Training on Cybersecurity
The first and perhaps the most important thing for you to do is to educate and train the entire organization on how to recognize a phishing attack or other suspect online activity. When they understand how to spot and avoid these pitfalls, you’ve already raised your shield.
Patching and Keep Devices Updated
Outdated devices or software creates vulnerabilities so a routine update for all company and personal devices connected to your network is imperative. Devices less exploitable when they have the newest version in place. Those annoying software updates incorporate fixes and patches that relate to security. Having a proper patching program is critical.
Undertake a Security Checkup
A routine threat assessment should be part of every IT department’s SOP. Examine where your own vulnerabilities may be, internally or with suppliers, and spin up your recovery environment to ensure that it contains all of your company’s data. Having an assessment by an external company provides a fresh set of eyes to see where insider threats exist or a hacker’s point of entry may be.
Backup and Recovery Plans
If you’re confident that you have a clean backup and recovery plan in place, there’s considerably less pressure to pay a ransomware demand. Here’s how Global Data Vault utilizes Veeam and Enhanced Data Protection to provide a fully managed defense against today’s cybercrimes.
If you’d like to learn more about the threats to your business and how to protect it, join us for our webinar on June 4that noon CST where we will discuss:
What is the “insider threat”?
What the current malware threat is and how insider access is used against targets
How to protect against insider attacks effectively
Register HERE or contact us at firstname.lastname@example.org
Ransomware attacks are becoming more common and more sophisticated, so be sure to stay up to date with how the tactics of cybercriminals are changing and developing over time if you can. That way, you’ll be able to stay ahead of the curve and get better at protecting your business and its employees.
It’s not a matter of IF your business will succumb to hackers, a natural disaster, employee theft or other mismanagement of data. It’s a matter of WHEN. Naturally, it’s become common practice to keep safe backups of anything business essential, but how companies keep those backups varies considerably. Disasters are inevitable, and a disaster recovery plan is essential to business continuity. What is missing from many of those recovery plans however, is a fundamental understanding of air gap backups. They provide a final means of defense that can make a significant difference when recovering from a data disaster.
What Is an Air Gap?
An air gap, also called an “air wall” or “air gapping,” is a security measure that protects data from intrusion. The concept is simple: any device that isn’t connected to a network cannot be attacked remotely. The very name is derived from the principle. If the circuit is broken — or air exists between items in a network — then only a physical attack can threaten the data. In terms of disaster recovery, the idea is to place backups behind air gaps. This protects them from malicious software, direct cyberattacks and other corrupting threats. Typically speaking, air gaps are thought of as a final layer of protection for data integrity. More accessible backups are used more often, but if everything else fails, the air-gapped backups should provide a preserved copy and be capable of restoring the whole networks system.
Updating the 3-2-1 Backup Rule
You’ve probably heard of the 3-2-1 backup rule. It goes like this: replicate to at least 3 copies of your data, local hardware, cloud, backup cloud. Some companies store these copies on 2 different media (tape/disk/Cloud), and place at least 1 copy off-site/off-premise. This is a great start to a DR plan, but what if ransomware compromises administrative passwords or domain info that allows that backup copy to be corrupted? Adding the “1” step insulates the data from further damage. The backup rule is now 3-2-1-1. That extra “1” accounts for an air-gapped copy of your data.
Are Cyber Attacks Really a Risk?
Yes. Cyber attacks are a reality. Large companies will suffer a data breach of some type, and small companies are certainly not immune to a hacker’s interests. Every year new names are added to the long list of compromised data sheets. Any collection of employee, customer or user data is potentially worth attacking, and the frequency of attacks is on a meteoric rise.
According to a poll by CSO, the rate and variety of attacks is growing every year, and it is already the largest financial threat to most businesses. Estimates suggest that by 2021, the total cost of cyberattacks will hit $6 trillion. Clearly hacking has become big business. That additional air-gap “1” is critical in preserving a clean set of data from their meddlesome ways.
Challenges of Air Gapping
While air gapping can provide an ultimate line of defense, it comes with it’s own challenges. At the top of those costs is labor. When devices are completely disconnected from a network, they have to be physically accessed. This limits automation and requires man hours to do. Automated solutions do exist, but any device that is automatically connected to and disconnected from a network could potentially become compromised. There really is no way around this trade-off.
The other great challenge of air gapping is ensuring security. The walled devices are safe when they are disconnected, but at some point they have to communicate with other devices in order to update the backup. Hidden malicious software can be transferred during those updates. Global Data Vault minimizes this risk by providing enterprise-level security measures that detect any unusual data movement within the network.
By utilizing BitLyft on your networked account, we are able to monitor, detect and neutralize threats in real-time. BitLyft also provides automated incident responses to detect and neutralize future threats based on information gained from previous attacks, further offering a higher level of data protection. Ultimately, air gapping is part of a holistic approach to network security. IT professionals have been following the golden rule of triplicate backups for decades, and air gapping remains a key component to maintaining a fresh data set.
According to a recent article in the Wall Street Journal, concerns are escalating over one of North Korea’s three major hacking organizations because of both their adeptness and sheer brazenness. APT37 aka, “Reaper,” is the hacking group is well known for attacking South Korea, but has since decided to attack companies in Japan, Vietnam and the Middle East. What is especially noteworthy about its recent slew of attacks is the heightened level of sophistication — and that they have made little effort to disguise their bad deeds.
Cybersecurity company FireEye, Inc. monitors Reaper’s attacks and in a report issued earlier this month reveals that Reaper is utilizing a toolset that includes access to zero-day vulnerabilities and wiper malware. Reaper has shown preference to hacking information within companies involved in automotive, aerospace, chemicals, and health care industries. They also recently attacked South Korea when they discovered a vulnerability with Adobe Flash which was then able to install malware on infected computers who opened the corrupt Adobe Flash files.
FireEye squarely points the finger at the North Korean government as the true face of Reaper due to malware development artifacts and targeting that supports state interests. FireEye claims to easily trace these attacks back to the Pyongyang IP addresses that Reaper has been using.
Reaper is just one of a growing collection of hacking groups linked to North Korean leader Kim Jong Un’s regime, including “Lazarus,” which the US blamed for the Sony pictures Entertainment data theft in 2014. Bloomberg Technology posits that North Korea has been widening its cyber-operations to gather cash and intelligence to offset the penalties of international sanctions. The sanctions against North Korea have been on the rise, yet North Korea seems unconcerned and continues to ramp up attacks on foreign countries.
Whether your company is a Reaper target or potentially attractive to another cyber-criminal, attacks are on the rise. Being vigilant within your own company is mission-critical to prevent losing data. The best defense to a cyber-attack is to have a comprehensive and tested disaster recovery plan in place that include an air-gapped backup. You may still be vulnerable to cyber threats, but your day-to-day impact is significantly minimized.
Whether you have completely migrated to Office 365, or have a hybrid Exchange and Office 365 deployment, your business objectives remain the same. You must remain in control of your data and you need Office 365 backup and recovery at your fingertips.
One of the most vulnerable situations for an IT Admin is when their only option is to send a support ticket and wait. Don’t let this be you.
Backup for Microsoft Office 365 mitigates the risk of losing access to your Exchange Online email data and ensures Availability to your users.
With Office 365, it’s your data
Microsoft Office 365 enables you to work anywhere, anytime, without the need to maintain your own email infrastructure. It also provides a great way to minimize your on-premises footprint and free up IT resources. Even though Microsoft takes on much of the management responsibility, this doesn’t replace the need to have a local backup of your email data.
With Office 365, it’s your data — you control it — and it is your responsibility to protect it. Utilizing Backup for Microsoft Office 365, allows you to:
Empower your IT staff to take control of your organization’s Office 365 data
Reduce the time and effort needed to find and restore email data
Protect against data loss scenarios that are not covered by Microsoft
Facilitate the migration of email data between Office 365 and on-premises Exchange
Backup Office 365 email
You need to securely backup Office 365 email data back to your environment for a variety of reasons (i.e. to follow the 3-2-1 Rule of backup, to facilitate eDiscovery and to meet internal policies and compliance requirements). The most important reason being — for the peace-of-mind that comes from knowing you’ll be able to restore your users’ data when needed!
With Backup for Microsoft Office 365, you can retrieve Office 365 Exchange Online mailbox items (email, calendar and contacts*) from a cloud-based instance of Office 365 and uniquely back up this mailbox data into the same format that Microsoft Exchange uses natively — an archive database based on Extensible Storage Engine (ESE), also known as the Jet Blue database.
Restore Office 365 email, calendars, and contacts
Never settle for less than fast, efficient recovery of Office 365 mailbox items with best-of-breed granularity.
Veeam Explorer™ for Microsoft Exchange allows for quick search and recovery of individual mailbox items residing in either archived Office 365 content or on-premises Exchange backups. Mailbox items can be restored directly to an Office 365 mailbox, an on-premises Exchange mailbox, saved as a file, emailed as an attachment or exported as a PST.
eDiscovery of Office 365 email archives
Without a local copy of your data, retrieving emails for regulatory or compliance reasons can be costly and time consuming, and can ultimately present a major disruption to normal business operations.
But, not with Veeam! You can leverage the familiar, advanced search capabilities and the flexible recovery and export options of Veeam Explorer for Microsoft Exchange to perform eDiscovery on Office 365 email archives — just as easily as you would today with your on-premises Exchange server backup.
To start a free trial of Office 365 Backup, contact email@example.com
Yep. That’s one headline I saw this weekend about the WannaCry attack. And I guess we can understand that sentiment, maybe. Our view at Global Data Vault, is our job is to be ready to help any of our customers hit by this outrageous attack. Our customers use our services to recover from Ransomware attacks quite regularly and this one is far from over, and I suspect we’ll help our customers perform more than a handful of recoveries. We may all know this by now, but here is some background on the subject.
Ransomware is malware that encrypts and sometimes later deletes files from computers, smartphones, and other intelligent devices – now even including TVs. Ransomware is operated by organized crime gangs, many of whom are based in Russia. The proceeds of these attacks are being used to fund terrorism, human trafficking, drug operations and other nefarious activities.
The first known Ransomware attack occurred at a World Health Organization AIDS conference in 1989. At the time, the intent was to extort small amounts of money. Another early implementation posed itself as antivirus software which the victims were encouraged to purchase in order to eradicate malware that was planted by the same code.
Today, with attacks from so many sources, and with the advent of untraceable virtual currencies like Bitcoin, and through the existence of sophisticated encryption algorithms, ransomware has become a billion-dollar industry.
There is even a market that supplies tools to build ransomware and tech support for implementing attacks. The encryption is often now 256 bit RSA grade and is too sophisticated for even large technical organizations to solve. Citrix reports that many large companies are keeping Bitcoin available as a last-resort.
Even further frightening are cases where remote access trojans have been used to monitor a potential victim to determine the scope of the organization and assess its ability to pay a given ransom.
CryptoLocker was the first wideapread attack and first appeared in 2013. It was supported by a large network of malware bots (together called a botnet) which is used to distribute the actual attack. Cryptolocker extorted over $3 million before being shut down by the Department of Justice who took control of the botnet and issued a warrant and a bounty for Russian hacker Evgeniy Bogachev for his involvement.
New threats exist; Cryptowall is believed to have extorted over $350 million; Locky operated in 30 languages; Petya encrypts entire hard drives. As bad as these are Cerber is the most prevalent, accounting for 90% of Windows ransomware.
Cyber attacks through email attachments. Word, Excel and PDF files containing dangerous macros are sent as bait – usually calling themselves invoices, etc. If the user opens the file and allows the macro to run, the attack will generally succeed. Your inbox has become your most vulnerable point.
Avoidance and Prevention
Patch Everything – as often as possible – patch every application.
Do not allow local admin rights on user desktops.
Desktop antivirus is helpful but not enough because the attackers are continually recompiling their code to escape detection. Secure email gateways also help but are also limited for the same reason.
BACKUP – is the only real protection!
Follow the 3-2-1 rule: Always have 3 backups, on 2 media types and 1 offsite. More on the 3-2-1 rule later.
As a service provider working in this area, we see attacks on a weekly basis. We have performed hundreds of recoveries. The following points are the lessons learned from our own experience and the well-organized thoughts on this subject from Rick Vanover Director of Technical Product Marketing at Veeam Software.
Use different credentials for backup jobs! An attack or attacker with credentials to access your system might also attack your backups.
At some point commit data to offline media such at tape. If it’s offline, it cannot be attacked.
Use Veeam Cloud Connect (we do). It uses a different method of authentication and a different backup API.
Store backups in a different file system.
Take SAN snapshots of your local backup repository.
Expand and master the 3-2-1 rule – use the 3-2-1-1 rule: have 3 copies of your data, on 2 types of media, have least 1 offsite and at least 1 offline.
Test – have 0 errors after recovery is tested! Veeam’s Sure Backup verification is one great way to test.
While this is a good start, there are other many other technical strategies we implement for our customers. GDV employs as many as possible for each of our customers. We’re always happy to discuss how you can leverage these ideas.
We hope this is helpful. Good luck and stay ready.
Knowing and planning for an appropriate level of bandwidth is a key component of every DRaaS solution. In our most common DRaaS implementation, the data is moved from local repositories at the customer site over the internet or WAN to our data centers once per day, even though that data may contain multiple restore points.
Here’s a diagram showing how the data moves.
The key to an effective solution is knowing whether the remote data center is getting the data on a timely basis. We measure this daily, and we call this measurement “quality”. In other words, how current is the remote data. If it’s within the desired restore point objective (RPO) as agreed in the service level agreement (SLA), then we regard it as being “in SLA”.
It’s essential that the bandwidth between the customer site and the remote data center is sufficient to move the data that’s changed every day quickly enough that it’s in the remote data center in time to support the agreed or planned RPO. See our discussion of RPO here. As a general rule for most sites, we find that 4 to 6 hours is “quickly enough”, and this is usually scheduled overnight.
Why not use 8 or 12 hours? in more complex implementations there are other events, like multiple backup jobs, each of which use resources and must finish. So 4 to 6 hours is a conservative window of time. Some sites may be able to use longer windows – and therefore less bandwidth – to move the data. Or simply move more data per day in the longer window.
Getting to the Question
So, how much bandwidth is required to move the data in 4 to 6 hours. To answer this question, we need two pieces of data and a bit of math. First, we need to know the total storage in use. This is your disk storage in use across all servers. If you’re running VMware, one way to get this data is from your vSphere console as covered here.
Second,we need to know the daily data change rate. This is easily measured by Veeam ONE as discussed in a previous post or it can be derived from simply looking at the actual size of daily backup files.
Now for the Math
If R is required speed in Mbps (see note 1), D is data changed each day in Gb (see note 1) and T is 6 hours expressed in seconds, then our formula is: R = D / T.
To save you from number crunching, we’ve prepared this chart showing typical storage sizes and change rates and the required bandwidth result:
So at a site with a 1% daily data change rate (after compression and deduplication), which we find is typical, with storage of 5TB, the required bandwidth is 19Mb.
For a deeper dive, check out this great web based calculator at WintelGuy.com.
Note 1: WintelGuy also defines all of the relevant units of measure you may encounter.
Summarizing this Idea
Start with your storage in use
Find your daily data change rate
and calculate or lookup the required bandwidth here
What if my bandwidth is not enough? There are numerous strategies we employ to deal with slower lines, larger data sizes and higher change rates. The best strategy is developed on a case-by-case basis.
Let us know if you have questions. And we welcome your thoughts and real world experiences.