Doron Pinhas

What’s Wrong with Storage and Backup Ransomware Protection Capabilities? (An Overview of Immutability, Snapshots, Air-Gap & Data Recovery)

  • September 6, 2022
  • 5 min read

About Continuity™

Continuity™ provides the industry’s ONLY storage & backup security solution, to help you protect your most valuable data.

Read more

Storage is becoming a prime target of cybercriminals as they attempt to infiltrate the enterprise.

Faced with a wall of perimeter defenses, security safeguards, and well-patched operating systems and applications, storage and backup systems are now front and center in the fight against ransomware.

Why? It turns out that backup vulnerabilities and storage misconfigurations are handing hackers a relatively easy passage into organizations. From there, they can cripple backups, lock users out of systems, and hold the organization to ransom.

Existing Solutions to Ransomware

Due to the ransomware scourge, the backup and storage vendor community has responded with a great many potential solutions.

Ransomware protection

Various kinds of ransomware protection capabilities have been developed for backup systems. These include: The use of artificial intelligence (AI) to detect ransomware by monitoring data usage patterns for unusual activity like file name or extension changes, data transfers, or permissions updates; alerts about potentially threatening user behavior or known-bad file signatures; large scale file content alteration or deletion, and anomaly detection that can identify configuration changes in backup environments. All of these are worthwhile, yet ransomware attacks continue.

Immutable storage

Immutable backups are a great idea. Once backed-up, the data is fixed and unchangeable. It can never be deleted. Organizations gain an always recoverable and secure backup despite unforeseen events such as ransomware.

Yet many organizations fail to configure immutable backups properly – possibly the result of insufficient understanding of the technology and its limitations.  Allowing adversaries to compromise backup. 

For example, immutable backups should be configured with “retention lock” – a parameter that prevents their deletion for a minimum period of time – even if the backup pools the store them fill up (say, “X” years).  If retention lock is not configured, a hacker can attack backup by modifying large amounts of data, thereby quickly filling up the backup pools which results in deletion of all existing backups to free up space.  Even when retention lock is enabled, care must be taken to make sure hackers can’t fool the backup devices to believe time is passing more quickly than intended (“time zapping” attacks – where the attacker manipulates insufficiently secure time sync configuration to trick the storage devices into thinking that “X” years have passed).  

Another threat is “data poisoning”. If cybercriminals can access backup systems, they can tamper with backup jobs, poison data before it is immutably backed-up, and render it useless when it comes to recovery.  If they manage to keep the attack running unnoticed for sufficiently long time (say, several months), and then initiate a ransomware attack – organizations are left with no current backups to restore from.

But there are other errors that can contribute to backup challenges. Too many times, organizations don’t find time to test backups to ensure their systems are recoverable. It is also common for them to fail to log unauthorized entries into backup and storage systems. Thus, they don’t spot compromised backup jobs. To make matters worse, some organizations purchase immutability features and then either don’t activate the necessary licenses, or don’t turn on the retention lock feature.

Snapshots & replication

These are sensible mechanisms for data protection: A complete storage hardware-level copy of the data is made at certain points of the day (snapshots) or the data at one location is replicated entirely to another location. Very often, such copies are not secured and isolated well enough.  For example, a server admin role should not be allowed to manipulate storage copies – but many organizations fail to observe this best practice.  This allows hackers that gain access to servers, to also delete their storage-based copies. If the data being snapshotted or replicated is corrupted, recovery won’t be possible.

Air-gapped and offline copies

Air gapping is a great way to safeguard data. You retain a copy of the data in an environment that is completely inaccessible from your network (and from the Internet, for that matter), or offline (i.e., not connected to your compute devices, or completely powered off).

A time-tested way to do this is via tapes that are either physically removed from the network or sit offline in a safe. There are cloud and disk-based systems, too, that claim air-gap capabilities. However, such systems are almost never fully offline. There is always a danger that a misconfiguration, vulnerability or human error will expose the data to the network – or allow hackers to interfere with the data unnoticed

Filling the Gap

Comprehensive vulnerability management ensures you have “eyes & ears” on your storage & backup environments at all times. This prevents cybercriminals from leveraging those security misconfigurations and vulnerabilities to penetrate storage and backup systems. Traditional vulnerability management systems focus mostly on OSes and software. They don’t do a good job at spotting storage and backup risks.

The automated risk detection engines within Continuity’s StorageGuard check for thousands of possible security misconfigurations and vulnerabilities at the storage system and backup system level that might pose a security threat to enterprises data.

StorageGuard analyzes block, object, and IP storage systems, SAN/NAS, storage management servers, storage appliances, virtual SAN, storage networking switches, data protection appliances, backup systems, storage virtualization systems, and other storage devices.

StorageGuard divides these security risks into four main categories, and scans all backup and storage systems to detect them all:

  • Violations of vendor security configuration guidelines
  • Violation of compliance framework requirements (CIS, NIST, PCI DSS and others)
  • Identified storage Common Vulnerabilities & Exposures (CVEs)
  • Deviation from community-driven best practices

Find out today how many potential backup vulnerabilities and storage misconfigurations are present in your environment.

Talk To An Expert

It’s time to automate the secure configuration of your storage & backup systems.

Join Our 10-Minute Quick Demo - Wednesday, June 5 at 12 PM ET

We use cookies to enable website functionality, understand the performance of our site, provide social media features, and serve more relevant content to you.
We may also place cookies on our and our partners’ behalf to help us deliver more targeted ads and assess the performance of these campaigns. You may review our
Privacy Policy I Agree