A 3-2-1 backup strategy
for business-critical data to withstand ransomware attacks:
Three (3) copies of the data (recent copies), stored across two (2) different storage
media/locations, with one (1) copy held at a cloud storage provider (encrypted data).
If one of the data backups becomes encrypted by a ransomware attack, we will have the
ability to recover from a different source, provided a backup is present at a different
location.
Ransomware can target any local backup reachable on the network, such as local shadow
copies or network-attached storage; as a result, any network resource the infected user
has access to can be encrypted. To prevent this we should follow strict air-gap policies,
such as:
· taking media offline as quickly as possible by physically disconnecting it after the backup operation
· maintaining up-to-date malware detection tools
· patching systems
Using air-gapped, off-site media is best practice; alternatively, we can use immutable
storage, i.e. write once read many (WORM) media such as optical disks, flash storage or
tape configured as WORM. AWS, Azure and a few other cloud providers offer WORM-format
cloud storage. We also need to be prepared for:
· the time to restore systems
· prioritizing systems for recovery
· clean networks for recovery purposes
· The frequency of backups also matters:
o How often does the data change?
o How much does it impact the business if the backup data is not current?
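As an added example (not part of the original note), the 3-2-1 rule, the immutable-copy requirement and the backup-frequency question above can be turned into an automated check over a backup inventory; the inventory entries, their names and the 24-hour freshness threshold are constructed assumptions, not real systems.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    medium: str            # "disk", "tape", "optical", "cloud", ...
    offsite: bool          # stored away from the production site
    encrypted: bool        # encrypted at rest
    immutable: bool        # WORM media or object-lock style cloud storage
    last_completed: datetime

def check_3_2_1(copies, now, max_age):
    """Return the list of policy gaps; an empty list means the inventory passes."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        gaps.append("all copies on one medium type")
    if not any(c.offsite for c in copies):
        gaps.append("no off-site copy")
    cloud = [c for c in copies if c.medium == "cloud"]
    if not cloud:
        gaps.append("no cloud copy")
    gaps += [f"cloud copy {c.name} is not encrypted" for c in cloud if not c.encrypted]
    if not any(c.immutable for c in copies):
        gaps.append("no immutable (WORM) copy")
    # Freshness: a copy older than the accepted data-loss window answers
    # "how much does it hurt if the backup is not current?" with a gap.
    gaps += [f"{c.name} is stale ({now - c.last_completed} old)"
             for c in copies if now - c.last_completed > max_age]
    return gaps

# Constructed sample inventory (assumed, not real systems).
NOW = datetime(2024, 1, 10, 8, 0)
GOOD_INVENTORY = [
    BackupCopy("nas-nightly", "disk", False, False, False, NOW - timedelta(hours=10)),
    BackupCopy("tape-weekly", "tape", True, True, True, NOW - timedelta(days=8)),
    BackupCopy("cloud-objectlock", "cloud", True, True, True, NOW - timedelta(hours=6)),
]
# Shadow copies and a NAS share only: exactly what ransomware on the network can reach.
WEAK_INVENTORY = [
    BackupCopy("shadow-copies", "disk", False, False, False, NOW - timedelta(hours=1)),
    BackupCopy("nas-share", "disk", False, False, False, NOW - timedelta(hours=10)),
]

def audit(copies, rpo_hours=24):
    return check_3_2_1(copies, NOW, timedelta(hours=rpo_hours))

if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, audit(inv) or "OK")
```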
And finally, securing the endpoint:
· network policies and protection using antivirus, antispyware/antimalware, firewall etc.
· limit execution of unapproved programs on workstations
· limit the write capabilities of end users so that, even if they download and run a ransomware application, it is unable to encrypt files beyond the user's own files
· file reputation scoring systems (Symantec)