To understand how to protect yourself, we need to realize how ransomware ‘gets in’ or infects our machines. Computers were created by humans for humans. They are designed to trust by default to support us in our actions. You plug in a keyboard, and your computer recognizes the device and allows you to use it almost instantly.
At the core of it, all ransomware is made up of is code. All software, applications, and websites are lines of code that tell the computer what actions need to happen to satisfy what the human requires. Ransomware is no different. It tells the computer, “I want this action to take place” – such as encrypt this file – and that action is done. Whilst ransomware is unwanted malicious code, the computer only knows to listen and respond to requests by authorized sources.
Working within Cyber Security, I am often accused of being a pessimist because my first view is “what’s the worst-case scenario?” However, I don’t see it that way. I’m looking at “what’s the worst thing that could happen, and therefore, how do I prepare to reduce the risk?” That view is a vital piece for protection against ransomware.
Secret Weapon: Backups
In this two-part series, we are going to cover preparing for the ‘worst case’ through PureStorage’s FlashBlade solution, along with built-in options for responding to infection. Whilst this will not cover all aspects of preparing for ransomware, done right, this can support responding to a ransomware infection without paying. We will look at:
- Backup scale: All data is not created equally; some things are simply not worth restoring in an emergency. Making note of the crown jewels to the organization, along with privacy considerations. Many employees store private family photos on their local drives for example. What happens when the employee leaves? Will someone be going through these images and validating they aren’t business-critical? Most environments I have seen, make it clear to the employees that local storage is not backed up – however, they continuously remind them of this, because if that’s the case any business-critical data cannot be stored there.
- Backup frequency: It’s great to want to back up your entire environment, but to do this cost-effectively, maybe it’s only done once every 12 hours. In some environments that might be okay – a bit of work duplication, but not life-threatening. Other environments, that might mean massive financial loss. Or within a hospital, it might mean you overdose a patient you’re trying to help.
- Backup restoration speed: Pretend all systems and data are lost. Backups are safe but will take two business days to recover. Would the organization survive two days where nothing can be done? That might seem a bit extreme, but realize as we increase the data stored, especially offsite, identify the bandwidth coming into the environment, limitations within our backup software and devices, along with the size of our backups, this starts to sound less crazy. Plus, for some organizations, simply being offline for half a business day is too much.
Preparing for Disaster – Proper Proportionate Backups
Looking within your organization it might seem challenging to identify the scale and frequency needed for the backup program, but questions you can ask to help direct that decision are:
- What data is the crown jewels?
- How much data can the organization stand to lose?
- What impact would repeated work have?
As you likely have heard, it’s the three-year anniversary of WannaCry. Within this massive attack, the malicious actors originally required $300 USD equivalent of bitcoin, to be paid within a maximum of 3 days or data was permanently locked. That means each and every device infected required payment for recovery. As you can imagine in large enterprise environments, that adds up quickly. The Department of Health quoting a financial cost to the NHS, from WannaCry at £92 million due everything required responding to the infection.
The cost to the NHS was not just financial, however. According to the latest article by Andy Greenberg The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet, there were more than 600 doctor offices affected and 20,000 appointments canceled. I remember reading how many A&E’s were returning to paper-based files whilst the infrastructure was being restored. This ultimately caused delays in response, “sometimes forcing patients with life-threatening conditions to wait crucial minutes or hours longer for care” writes Andy. Essentially, a cyber incident very well could have led to long-term or permanent damage to some patients, and possibly the death of others. In 2018, Professor Harold Thimbleby and Professor Martyn Thomas estimated that more than 900 NHS deaths yearly may be caused by IT failings.
What this means to us is not all data is created equally. Some data has more value to the organization and/or its consumers. Taking the example of the NHS, loss of data could mean missed steps or overdose of medication. The cost and impact of restoration being delayed could also mean loss of life. Just like when we discuss the Cyber Triad – confidentiality, integrity, and availability – whilst all are important pieces of our security program. Different industries will need to prioritize based on their risks. The financial industry will likely need to prioritize integrity; gaining or losing a few zeros on the left side of the decimal is no small loss. Whereas gambling might focus on availability, and the pharmaceutical industry will want confidentiality due to the level of priority information they hold. Backups are no different, whilst no data is designed to be lost, sometimes an organization simply cannot continue without, where other data loss may be an inconvenience.
Pure Storage FlashBlade Solution
Whilst not the only solution, Pure Storage does approach this resilience and proportionate backup through their FlashBlade solution. This is configured to be extremely efficient to backup, meaning increased frequency without the toll of device bandwidth being completely overrun. This also leads to reduced restoration latency; even as the storage size increases over the lifecycle of the business. This is due to making use of all-flash storage, instead of the traditional flash/disk hybrid.
IT debt is a common struggle in all organizations, small offices to enterprise, due to a variety of reasons from incorrectly identified requirements, limited solutions on the market at the time, and the continuous improvement of technology. Which is why making use of existing backup software or database tools, simply for trying to add into this protection against ransomware and provide specific speed requirements, isn’t going to cause this debt to be overwhelming. FlashBlade also addresses this as it can be added into existing implementations.
An incident response plan is perfect, until the incident hits. Properly tested and validated plans go a long way to reduce confusion and mistakes, but things will always happen. This is why the frequency of backups is so vital, protection against both malicious attack and human error – with the ability to restore from current versions. FlashBlade approaches this through a full backup and then incremental snapshots – meaning minimal impact to the business bandwidth with consistently updated recovery versions.