Backup Blog Bites #1: Is Your Immutable Backup Vulnerable to Time Spoofing Attacks?

What this is about? 

This time-based attack happens when an attacker manipulates insufficiently-secure time sync configuration to trick the backup systems into thinking that “X” number of years have passed, and that the period for immutability has expired. This then allows them to delete, alter or encrypt the data. 

It’s not only immutable backups that are vulnerable, but also storage systems and operating systems relying on snapshots for quick data recovery. Time manipulation can force the systems to discard all “clean” point-in-time copies taken prior to an attack.

8 Urgent Things To Do 

1. Ensure your Backup software and storage are configured with a trusted time source.  

2. Validate the authenticity of the time source.  

3. Restrict administrative access in general and specifically for time synchronization administration.  

4. Employ a two-person rule (dual authorization) for sensitive changes.   

5. Carefully monitor any configuration changes that can directly or indirectly impact time settings. 

6. Upgrade and patch your Backup Software and Backup storage to prevent attackers from exploiting vulnerabilities. 

7. Restrict consecutive attempts to change the system time. 

8. Make sure you’re using at least NTPv4, and prefer NTPv5 where and when feasible. 

In less than 1 hour, assess the security of your backup environment: 
https://www.continuitysoftware.com/assess-the-security-of-your-backup-storage-environment/

Check out Backup Blog Post #2 in the series: To AD Or Not To AD Your Backup System? That Is The Question.