Computer & Network Security

An Argument for Increased Focused on Data Backups

The necessity for backups has always existed, but the reason for backing up has changed significantly in recent years. Today, backing up data is just as important for cyber security reasons as it ever has been for disaster recovery. But our architecture must be rethought with this new emphasis.

When did we start conducting data backups?

A long time ago–in a galaxy far, far away…–backups we’re theoretically designed to mitigate against the risk of a disaster: fire, flooding, equipment failure etc. In reality, they were used primarily to correct bad decisions (we updated the server and it crashed, now we must go back to the previous version). A long standing practice of any IT change process I have been a part of has been “Back it up before you do that.” With the prevalence of virtual machines and the ease of taking a “snapshot,” back ups became very easy to do. Software and converged infrastructure have also made this increasingly robust and convenient as well.

However, with convenience comes a price. Many of our backup systems are on shared storage. We back up to the same place logically that our files are stored. And this is the underlying fallacy in our new cyber security reality. Our backups used to go to tape and get stored off-site. A return to this complexity needs to occur.

Backup Best Practices

Backups need to be on a completely separate storage volume that is not accessible to anyone or any bot, except that backup software. The credentials need to have strict complexity and policy to prevent access. Traffic should only be initiated from the backup network to the backup target and no traffic allowed to be initiated from the client network. Additionally, this information needs to be taken offline with regularity, removing it from the network.

Data Backup Illustration
Data Backup Best Practices

Here’s a scenario: Organization X is performing backups and test restores according to their risk management profile. Some info is backed up daily, some hourly. Everyone is happy with the results. Suddenly, ransomware attacks the network and begins encrypting any data that is exposed, including backup files on a shared drive. This renders the backups useless for recovery from this attack.

Finally, this needs to be an executive level discussion. If you were the CEO of an organization, you would immediately be informed if the network was “down.” Being operational and ensuring your employees are productive is the most important piece of information you can receive from your IT team. The second most important piece of information should be “the backup process didn’t work last night.” The amount of risk this puts you in, potentially having to replace work from an entire day or longer, should be a risk you are aware of and constantly guarding against.

Computer & Network Security

Do you really need a smart toaster?

Even though you CAN buy it, you need to ask yourself if you really SHOULD you buy that Internet-connected appliance……..

Very few people would seriously consider this question before purchasing a brand new appliance or item that has all sorts of nifty and exciting ‘up-sell’ features, such as network or direct Internet-connectivity.

But for those of us who work in the computer and network security fields, this question is neither academic nor trivial.

It’s easy to understand why Internet-connected gadgets are tempting. Who wouldn’t want a dog collar with a GPS in it, in case Fido runs away? Who would turn down a tracking unit you could put in your child’s backpack in case they get lost or something more sinister happens? And who wouldn’t find some convenience in a video-capable home security system that was able to be monitored while you were at work?

The problem is that the security of these gadgets is questionable at best. Multinational, experienced software companies, such as Microsoft and Apple, have entire divisions devoted to securing their software and hardware, and yet potential and actual compromises are announced almost on a weekly basis. Most corporations have IT security teams who monitor and test systems on a regular basis but we read about corporate breaches almost daily.

In light of those observations, can we really trust the manufacturing company that creates a product that allows you to keep track of your child or pet via an Internet-based website? How do we know they’re performing due diligence to keep the location of your child safe? How can you be assured that a potential burglar isn’t watching for the next time you kennel your pets, giving them a good idea when you’re out of town? And who’s monitoring the log data to be sure that your home security system wasn’t shut down remotely for a brief period today and then reactivated? Or who’s making sure that your “private” video feed into your house isn’t quite so private after all?

Sometimes it pays to be a little paranoid and cautious. When purchasing a product with a network connection, do some due diligence. First, ask yourself if you really need it. Is it going to simplify your life or bring a reward that’s worth the risk? Second, do a little research. Find manufacturers with a proven track record or maybe those who have partnered with a security-conscious company. And above all, be careful. Be aware of what you have and practice common sense security precautions – change passwords, watch for anomalous behavior, and review and apply software updates.