Protecting Your Backups from Ransomware

Defense in Depth

For the past few years, the focus of cybersecurity has increasingly been shifting to resilience. Core to a resilience program are backups... a safety net that's also highly vulnerable. How do you make sure your backups are ready when the time comes?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and DJ Schleen, former distinguished security architect, Yahoo. Joining them is our sponsored guest Heath Renfrow, co-founder, Fenix24.

Get creative

Threat actors aren’t going to play by your backup scripts. You need to think with the same level of creativity as your adversaries. As Mike Elkins reminded us, “In your scenario planning, be imaginative, and assume an ‘everything, everywhere, all at once’ event. Assume your data centers and/or factories may cease to exist tomorrow. Pull cables and power cords and see how resilient your strategies truly are. Do this to identify your gaps, risks, and unknown vulnerabilities." This kind of creativity needs to be extended to admin controls. Backups are only as good as your ability to access them. If you put all your access eggs in a single basket, you’re asking for trouble. "Attackers will poison the backup system if possible. You can do all the right things, but if the means to access the backup admin system is functionally the same level of authorization as other admin functions in the org, it is at risk. What I've advised in the past is to ensure that the administrative access, either via the credentials or MFA, is substantially different from other administrative user accounts," said Duane Gran of Converge Technology Solutions.

Shift the focus of backups

Backups used to be solely the purview of your IT storage admin. However, the emergence of ransomware as a common threat has changed their value and place in cybersecurity. "Backups must be reimagined as the cornerstone of resilience, not just recovery. To maintain business continuity, organizations should embrace the 3-2-1-1-0 rule: three copies of data on two different media, one offsite, one immutable, and zero untested backups. Immutable backups, segmented from your production environment, are critical to thwart ransomware attackers. Restoration speed and precision depend on well-documented, frequently tested recovery playbooks that account for worst-case scenarios—like rebuilding domain controllers from isolated sources," said Teri Green-Manson of KIPP SoCal Public Schools. Securing and operationalizing backups goes beyond prevention; we also need certainty that the backups haven’t been weaponized themselves. Howard Holton of GigaOm laid out the challenge, "If an attacker is in and compromising accounts, how can you know you are protected post-restore? Data protection is about type 1 and 2 recovery. Type 3 requires cyber resilience, which is not part of traditional backup."
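The 3-2-1-1-0 rule quoted above is easy to state and easy to drift away from, so here is an added example (not code from the episode, its guests or any backup vendor) that scores a backup inventory against each of the five conditions. The BackupCopy fields, the 90-day "recently tested" window and the sample inventory are assumptions; the point is that a copy that was never test-restored, or whose last test is stale, counts against the "zero untested" condition exactly as a failed test does.

```python
"""Check a backup inventory against the 3-2-1-1-0 rule:
three copies, two media types, one offsite, one immutable, zero untested.

Added example; the BackupCopy fields, the 90-day "recently tested" window
and the sample inventory below are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                 # e.g. "disk", "tape", "object-storage"
    offsite: bool              # held outside the production site / domain
    immutable: bool            # WORM or object lock: cannot be altered or deleted before retention expires
    last_restore_test: Optional[date] = None   # None means never test-restored
    restore_test_passed: bool = False


def is_tested(copy: BackupCopy, today: date, max_age_days: int) -> bool:
    """A copy counts as tested only if its most recent test restore passed
    and happened within max_age_days (an assumed freshness window)."""
    if copy.last_restore_test is None or not copy.restore_test_passed:
        return False
    return (today - copy.last_restore_test).days <= max_age_days


def untested_copies(copies: List[BackupCopy], today: date, max_age_days: int = 90) -> List[str]:
    """Names of copies that fail the "zero untested backups" condition."""
    return [c.name for c in copies if not is_tested(c, today, max_age_days)]


def evaluate_3_2_1_1_0(copies: List[BackupCopy], today: date, max_age_days: int = 90) -> dict:
    """Map each of the five conditions to True/False for the given inventory."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_immutable": any(c.immutable for c in copies),
        "zero_untested": not untested_copies(copies, today, max_age_days),
    }


def failed_conditions(copies: List[BackupCopy], today: date, max_age_days: int = 90) -> List[str]:
    """The conditions that are not met, in rule order, for a quick report."""
    results = evaluate_3_2_1_1_0(copies, today, max_age_days)
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    # Constructed sample inventory (not real systems).
    today = date(2025, 2, 14)
    inventory = [
        BackupCopy("prod-disk", "disk", offsite=False, immutable=False,
                   last_restore_test=date(2025, 1, 20), restore_test_passed=True),
        BackupCopy("nas-replica", "disk", offsite=False, immutable=False,
                   last_restore_test=date(2024, 6, 1), restore_test_passed=True),
        BackupCopy("cloud-locked", "object-storage", offsite=True, immutable=True),
    ]
    for condition, ok in evaluate_3_2_1_1_0(inventory, today).items():
        print(f"{condition:15} {'OK' if ok else 'FAIL'}")
    print("untested:", untested_copies(inventory, today))
```

On the sample inventory the first four conditions pass, but "zero untested" fails twice: the NAS replica's last test is eight months old and the immutable cloud copy has never been restored at all. A check like this only covers what the rule covers; it says nothing about whether you have the compute to restore most of the environment at once, which is the separate gap raised further down.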

Failing the test

Even as we recognize backups as the bedrock of resilience, most organizations aren’t doing the basics. Teri Green-Manson of KIPP SoCal Public Schools voiced frustration, saying, "I have done tons of consulting work and can count on one hand the number of people that tested if they could restore their backups. I have also done IR, and rarely did the backups restore. If you don’t regularly test and restore your backups, you don’t have backups." Even testing doesn’t give the complete picture of what you need for a restore. "We must consider the available compute resources needed to restore backups at scale. Most organizations only test a small subset of systems to validate the backup process and reliability. Still, this approach falls short in scenarios where 75% or more of the environment needs recovery due to a ransomware attack," said Jerich Beason, CISO at WM.

Moving beyond false hope

If attackers can easily delete backups, all your testing and validation won’t matter anymore. "I would emphasize the importance of offsite immutable backups. In one incident, I witnessed attackers actively deleting backups from the backup server as we worked to stop them; the server was within the domain, which shows how important it is for it to be in a completely separate location," said Sara Wolpin of Tel-Arm. Organizations must be realistic about the value of their backups. Without the proper legwork, you’re just tilting at windmills. "Backups that are not regularly tested are worthless. Probably less than worthless, as they give false hope for recovery and may, in fact, delay a true recovery,” said David Ratner of HYAS.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Fenix24 and Conversant Group

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Super Cyber Fridays!
Join us NEXT Friday [02-21-25], for "Hacking Metrics That Matter"

Join us Friday, February 21, 2025, for “Hacking Metrics That Matter: An hour of critical thinking about finding what you need to measure to improve your security program.”

It all begins at 1 PM ET/10 AM PT on Friday, February 21, 2025 with guests Frederico Hakamine, technology evangelist, Axonius and James Killgore, sr. mgr., information security, WideOrbit. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Axonius

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Doug Mayer, vp, CISO, WCG.

Thanks to our Cyber Security Headlines sponsor, Vanta

LIVE!
Experience the CISO Series Podcast at Convene in Clearwater, FL 3-3-25

You’ve listened to the CISO Series Podcast for years, but if you’ve never joined us for a live show, you haven’t gotten the full experience. We’ll be recording an episode on March 3, 2025 at the Convene conference. You’ve got to join us for the fun!

Here’s what you need to know:

WHAT: Convene Conference, organized by the National Cybersecurity Alliance. You can see the full agenda here.

WHERE: Sheraton Sand Key, 1160 Gulf Blvd Clearwater Beach, FL 33767 [MAP]

WHEN: Two-day conference from March 3 through March 4, 2025. Our recording begins at 3:45pm ET on March 3rd.

Joining me on stage for the recording will be Christina Shannon, CIO, KIK Consumer Products, and Jim Bowie, CISO, Tampa General Health System.

If you’re interested in attending, get your tickets here.

Huge thanks to our sponsors, Cofense, KnowBe4, and Proofpoint

Cyber chatter from around the web...
Jump in on these conversations

"On a call with my VP of global services, and they're saying the quiet part out loud." (More here)

"What are in demand skills to be developed to get into blue team or in general managerial position?" (More here)

"What If There Was a Massive Credit Freeze Movement?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [02-21-25] Hacking Metrics That Matter

  • [02-28-25] Hacking the Modern Audit

  • [03-07-25] Hacking the Commodification of Cyber Crime

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.