Backing up data is an essential part of data security, and data security is essential to the functioning of every digitally-enabled, data-driven organisation. Data security ensures Confidentiality, Integrity and Availability (the CIA triad): data has not been accessed by unauthorised users, has not been modified without authorisation, and is available to authorised users when they need it.

When Data Backups Work

Data backups protect against accidental deletion/modification, hardware failure, natural disasters, and cyber attacks. Frequent data backups ensure that the enterprise can restore a recent copy of data and resume normal operations quickly; the interval between backups is the amount of recent work that a restore can lose, so the frequency should be set by how much loss the business can tolerate. Backing up data is critical for Business Continuity Management (BCM) and Disaster Recovery (DR) strategies.

When Data Backups Don’t Work

While backing up data is often projected as the ultimate defence against cyber attacks and especially against ransomware attacks, as any data lost to the attack can be restored from backups, real-world cyber attacks expose the limitations of relying on backed up data:

Clearly, merely having a data backup is insufficient protection against cyber attacks. The specifics of the data backup strategy also matter. This blog will discuss some of the issues faced in using backups to protect data against determined adversaries, and how they may be overcome.

When Data Backups Don’t Work – Issues and Solutions

Issue 1: All Data Is Not Backed Up

In the first instance listed above, the victim had backed up data but still paid a ransom as the data backup was incomplete and therefore they had to get a decryption key from the attacker to regain access to critical data.

Solution: While it is easy to state that all data must be backed up, a full backup may not be feasible due to resource and time constraints. If only some of the data can be backed up, the enterprise must ensure that all critical data forms part of the backup. As new critical data is constantly generated, a mechanism must be put in place to identify creation of critical data and to include this new data in the backup. The coverage should be verified, not assumed: periodic test restores of the critical data set are the only reliable way to confirm that what was backed up is what the business needs to resume operations.

Issue 2: Cyber Attacks Target Backups

Cyber attackers are aware that a business may not pay a ransom if it is confident of restoring the necessary data from a backup. To counter this, attackers are known to target backups as part of their campaign, to prevent the organisation from restoring data from them.

Solution: Follow the 3-2-1 backup strategy: keep three copies of the data, on two different types of storage media (so that a fault affecting one medium cannot affect every copy), with one copy stored offsite (so that an attack on onsite backups cannot spread to the offsite copy). Immutable backups (copies that cannot be deleted or overwritten until a set retention period expires) may also be used if resources permit, with precautions to ensure immutability is actually maintained: in particular, attackers must not be able to obtain the credentials that control deletion or overwriting of digital immutable copies, or the ability to shorten the retention period.

Issue 3: Cyber Attacks May Target Offsite Backups

In the second instance listed above, the victim organisation had an offsite copy of their data, but it was stored online and the threat actor targeted the online backup as well, negating the benefit of having an offsite copy.

Solution: The offsite backup should not be stored only online, because a threat actor who obtains the credentials for the online storage during the attack gains access to the online backup as well. Online backups may not be safe even if credentials are not compromised, as cyber attackers can target cloud hosting providers themselves and destroy the providers' customers' data. Instead, at least one copy of the backup should be air gapped (kept offline and disconnected from the network) so that threat actors cannot reach it.

Issue 4: Data Can Be Breached By Targeting Backups Rather Than Primary Data

Threat actors may not wish to prevent access to the data and may, instead, choose to exfiltrate the data, either to sell it or to threaten to leak it if a ransom is not paid. In such cases, the attack may focus on stealing backed up data rather than primary data, as accessing and transferring a data backup is less likely to be noticed when businesses concentrate their monitoring on activity around primary data.

Solution: Data backups must be encrypted just as primary data is, both at rest and in transit, with a strong, well-reviewed algorithm (e.g., AES-256 in an authenticated mode). Attackers are known to follow a Harvest Now, Decrypt Later (HNDL) strategy: exfiltrating and storing encrypted data to be decrypted in future when they have access to quantum computers. HNDL chiefly threatens data whose keys were exchanged or wrapped using today's public-key algorithms; AES-256 itself is not considered broken by known quantum attacks. Where there is no time limit on how long the data must remain protected, Post-quantum Cryptography (PQC) should be used for any key exchange or key wrapping involved. Regulations like HIPAA and GDPR, and SEBI's Cyber Security and Cyber Resilience Guidelines, may require backups to be protected by encryption. A service like K7 GRC can be used to maintain compliance and ensure use of appropriate technology and protocols to secure the backups.

Issue 5: Attackers Target Encryption Keys

In the third instance listed above, threat actors stole encrypted backups and the encryption key to some of the backups, negating encryption of those backups.

Solution: Encryption keys must be stored separately from the backups they protect. Safe storage techniques for encryption keys, including encrypting the encryption keys (wrapping each backup's data key under a key-encryption key that is held in a hardware security module or key management service and never written beside the backup archive), should be implemented, and access to the unwrapping operation should be restricted and logged. A stolen encrypted backup is only as safe as the key that was not stolen with it.
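The following is an added example, not code from this page or from K7, showing the envelope-encryption pattern that addresses Issues 4 and 5 together: each backup is encrypted under a fresh data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK), and only the ciphertext and the wrapped DEK travel with the archive. The KEK living in an HSM or KMS, the backup ID format and the sample payload are assumptions for the example. Both layers are AES-256-GCM, so a thief holding the archive but not the KEK gets nothing, and any tampering with the archive is detected on restore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedBackup is what is shipped to the offsite/cloud copy. The KEK is
// deliberately absent: in this (assumed) design it lives in an HSM/KMS and only
// the unwrap operation is exposed to the restore process.
type EncryptedBackup struct {
	Ciphertext []byte // nonce || AES-256-GCM(backup) under the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the KEK
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealGCM encrypts plaintext under key with a random nonce prefixed to the output.
// aad is authenticated but not encrypted; it binds the blob to a backup ID.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or aad fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptBackup generates a one-time DEK, encrypts the backup under it, wraps
// the DEK under the KEK and lets the plaintext DEK go out of scope. Nothing
// stored beside the ciphertext can decrypt it without the KEK.
func EncryptBackup(kek, backup []byte, backupID string) (*EncryptedBackup, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, backup, []byte(backupID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte("dek:"+backupID))
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptBackup is the restore path: unwrap the DEK with the KEK, then decrypt.
// The backup ID is authenticated on both layers, so a wrapped DEK taken from a
// different backup (or a renamed archive) is rejected.
func DecryptBackup(kek []byte, eb *EncryptedBackup, backupID string) ([]byte, error) {
	dek, err := openGCM(kek, eb.WrappedDEK, []byte("dek:"+backupID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := openGCM(dek, eb.Ciphertext, []byte(backupID))
	if err != nil {
		return nil, fmt.Errorf("decrypt backup: %w", err)
	}
	return pt, nil
}

func main() {
	kek, _ := NewKey() // assumption: in production this never leaves the HSM/KMS
	eb, _ := EncryptBackup(kek, []byte("constructed sample backup payload"), "backup-2023-10-01")

	// Issue 4 scenario: the archive is stolen, the KEK is not. Zero key stands in for "no KEK".
	if _, err := DecryptBackup(make([]byte, 32), eb, "backup-2023-10-01"); err != nil {
		fmt.Println("stolen archive without KEK:", err)
	}
	pt, err := DecryptBackup(kek, eb, "backup-2023-10-01")
	fmt.Printf("legitimate restore: %q err=%v\n", pt, err)
}
```

If the plaintext DEK is ever written next to the archive (Issue 5), this design degrades to no protection at all: whoever steals the archive decrypts it. The quantum-relevant question for HNDL is how the KEK is transported or wrapped, which is outside this block; the symmetric layers shown here are not what a future quantum computer breaks.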

Issue 6: Backed Up Files May Be Infected

The primary data may have been infected by malware before being backed up, resulting in infected files being backed up. The backup, in such cases, is useless if the infection cannot be cleaned, and restoring it simply reinstates the malware.

Solution: Use endpoint protection, like K7 Endpoint Security, to prevent malware entry and to identify and stop malware already present in endpoints or connected devices like USB drives, to ensure backups do not contain malware. Scan the restore point before bringing systems back online, and retain enough historical backups to restore from a point before the compromise began. Use K7 VAPT to identify vulnerable areas and close gaps in cyber defences before they can be exploited by threat actors.

Issue 7: Backups May Be Compromised By Internal Attacks

An employee or any stakeholder with access to enterprise IT infrastructure may compromise backups directly, by deleting, modifying, or infecting them; or indirectly, by making immutable backups mutable, reducing the duration for which backups are retained, and other similar methods.

Solution: An internal attack is difficult to defend against as the attacker has legitimate access to business systems. Preventing internal attacks requires a mix of defensive measures:

  • Implement maker-checker processes to ensure critical tasks require action by more than one individual, preventing lone rogue employees from interfering with backups
  • Follow the principle of least privilege when granting access to ensure users have only as much access as they require to perform their tasks, and ensure access is revoked as soon as no longer required (including on employee exit)
  • Deploy solutions like K7 InfiniShield that incorporate
    • User and Entity Behaviour Analytics (UEBA) to identify anomalous user behaviour that should be investigated for malicious activity
    • Utilisation analysis to identify abnormal activity and transfers
    • File Integrity Monitoring to monitor creation, deletion, movement, and modification of files
    • Automated response, including isolation of devices suspected of being compromised
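As an added example (not K7's code or part of this page), the maker-checker control from the list above, applied to the backup-destructive actions Issue 7 describes: deleting a backup, shortening retention and disabling immutability. The role names, action names and principals are constructed for the example. The checks a practitioner wants are all enforced: only an operator can raise a request, only an approver can check it, the maker can never approve their own request, the same approver cannot count twice, execution needs a configurable number of distinct approvals, and an executed request cannot be replayed. Every decision is appended to an audit trail.

```go
package main

import "fmt"

// Role labels are constructed for this example; map them to your own IAM roles.
type Role string

const (
	RoleOperator Role = "backup-operator" // may raise (make) a request
	RoleApprover Role = "backup-approver" // may approve (check) a request
)

type Principal struct {
	ID    string
	Roles []Role
}

func (p Principal) Has(r Role) bool {
	for _, x := range p.Roles {
		if x == r {
			return true
		}
	}
	return false
}

// Action covers the direct and indirect ways an insider can neutralise backups.
type Action string

const (
	DeleteBackup        Action = "delete-backup"
	ShortenRetention    Action = "shorten-retention"
	DisableImmutability Action = "disable-immutability"
)

type Request struct {
	ID        int
	Action    Action
	Target    string
	Maker     string
	Approvals map[string]bool // distinct approver IDs
	Executed  bool
}

// Ledger holds pending requests and an append-only audit trail. Required is the
// number of distinct approvers needed (2 = classic four-eyes).
type Ledger struct {
	Required int
	Audit    []string
	requests map[int]*Request
	next     int
}

func NewLedger(required int) *Ledger {
	return &Ledger{Required: required, requests: map[int]*Request{}, next: 1}
}

func (l *Ledger) log(format string, a ...interface{}) {
	l.Audit = append(l.Audit, fmt.Sprintf(format, a...))
}

// Request (make): only operators may raise a destructive request; nothing runs yet.
func (l *Ledger) Request(p Principal, act Action, target string) (int, error) {
	if !p.Has(RoleOperator) {
		l.log("DENY request by %s (%s %s): not an operator", p.ID, act, target)
		return 0, fmt.Errorf("%s may not request %s", p.ID, act)
	}
	r := &Request{ID: l.next, Action: act, Target: target, Maker: p.ID, Approvals: map[string]bool{}}
	l.requests[r.ID] = r
	l.next++
	l.log("REQUEST #%d by %s: %s %s", r.ID, p.ID, act, target)
	return r.ID, nil
}

// Approve (check): approver role required, the maker may not check their own
// request, and one approver cannot count twice.
func (l *Ledger) Approve(p Principal, id int) error {
	r, ok := l.requests[id]
	switch {
	case !ok:
		return fmt.Errorf("request #%d not found", id)
	case !p.Has(RoleApprover):
		l.log("DENY approve #%d by %s: not an approver", id, p.ID)
		return fmt.Errorf("%s may not approve", p.ID)
	case p.ID == r.Maker:
		l.log("DENY approve #%d by %s: self-approval", id, p.ID)
		return fmt.Errorf("maker %s cannot approve own request", p.ID)
	case r.Approvals[p.ID]:
		return fmt.Errorf("%s already approved #%d", p.ID, id)
	}
	r.Approvals[p.ID] = true
	l.log("APPROVE #%d by %s (%d/%d)", id, p.ID, len(r.Approvals), l.Required)
	return nil
}

// Execute runs the action only with enough distinct approvals, and only once.
func (l *Ledger) Execute(id int, run func(Action, string) error) error {
	r, ok := l.requests[id]
	if !ok {
		return fmt.Errorf("request #%d not found", id)
	}
	if r.Executed {
		return fmt.Errorf("request #%d already executed", id)
	}
	if len(r.Approvals) < l.Required {
		return fmt.Errorf("request #%d has %d of %d approvals", id, len(r.Approvals), l.Required)
	}
	if err := run(r.Action, r.Target); err != nil {
		return err
	}
	r.Executed = true
	l.log("EXECUTE #%d: %s %s", id, r.Action, r.Target)
	return nil
}

func main() {
	l := NewLedger(2)
	alice := Principal{ID: "alice", Roles: []Role{RoleOperator, RoleApprover}}
	bob := Principal{ID: "bob", Roles: []Role{RoleApprover}}
	id, _ := l.Request(alice, DeleteBackup, "offsite/2023-09") // constructed target
	fmt.Println("alice self-approves:", l.Approve(alice, id))
	fmt.Println("bob approves:", l.Approve(bob, id))
	fmt.Println("execute with 1/2:", l.Execute(id, func(Action, string) error { return nil }))
	for _, line := range l.Audit {
		fmt.Println(line)
	}
}
```

The control is only as strong as the separation of duties behind it: if one person holds enough accounts to satisfy Required, or can edit the ledger, the check collapses, which is why the audit trail should itself be written to immutable storage.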

Data Backups and Compliance

Data privacy regulations impose severe penalties for data leaks. A data backup can restore lost data, but does not stop data being exfiltrated and therefore does not avoid regulatory action and penalties even if regulations mandate backing up of data. Backups also do not avoid the loss of customer trust and deterioration of brand value that follow data breaches. Cyber attacks that involve only data theft comprise 57% of attacks, indicating that backups are not a panacea for cyber attacks.

Data backups are required to maintain compliance when stipulated by regulations, and protect data against accidental deletion/modification, hardware failure, and natural disasters. In the context of cyber attacks, however, data backups can be considered to be necessary but not sufficient. Data backups may not be available as the cyber attack may compromise backups, and even if available may not include sufficient data for operations to resume. The process of restoring data from backups may also be resource intensive and extend the recovery period. Rather than relying on data backups to recover from cyber attacks, enterprises should focus on preventing cyber attacks by creating robust cyber defences.

K7’s portfolio of cyber security solutions includes the K7 InfiniShield XDR platform, K7 Endpoint Security, K7 VAPT, and K7 GRC to help enterprises maintain compliance and prevent external and internal cyber attacks. Contact Us to learn more about how we can help you strengthen your organisation’s cyber defences.


2023 K7 Computing. All Rights Reserved.