Ransomware attacks have been in the public eye for quite a while now. Their growth is propelled not only by the surge in the number of cybercrime groups specializing in ransomware, but also, to a large extent, by the continual increase in attack sophistication. Ransomware has evolved into a fully fledged industry, with competing groups that continually introduce new capabilities and techniques. While some of the new trends in data crimes, such as data leaks, threats of data exposure, and shaming techniques, have ignited media attention, other, potentially more devastating threats are still not widely discussed, which we’ll attempt to correct here.
A few years ago, very few chief information security officers (CISOs) thought that storage and backups were important. That’s no longer the case. In a security research study published by Continuity and CISO Mag, more than two-thirds of respondents believed an attack on their storage environment would have “significant” or “catastrophic” impact, and almost 60% of respondents were not confident in their ability to recover from a ransomware attack.
Ransomware has pushed backup and recovery back onto the agenda. Cybercriminal groups like Conti, Hive, and REvil have been actively targeting storage and backup systems to prevent recovery. Regulators are starting to pay attention to backup systems and data recovery, and industry awareness is also steadily growing.
The National Institute of Standards and Technology (NIST) released Special Publication 800-209, Security Guidelines for Storage Infrastructure, which places significant emphasis on securing and protecting data against attacks. This has driven CISOs to look again at potential holes in their safety nets by reviewing their storage, backup, and recovery strategies.
Storage and backup systems may seem relatively minor in the information technology (IT) stack, but size isn’t the best measure of the criticality of storage. Let’s compare storage to the human heart. The heart is modest in size but pumps life-giving blood throughout the body. So too does storage house critical, high-risk data that feeds your applications and devices. Just as shooters aim for the heart, so too do hackers target data where it lives, in your storage systems. Letting cybercriminals leak data from storage and backup systems means that they can sell it or give it away.
Unlike an attack on individual endpoints or servers, which can be highly inconvenient to a large enterprise, one that targets central storage or backup can be truly devastating. This is because a compromise of a single storage fabric can bring down thousands of servers. Furthermore, while recovery of an individual server is relatively straightforward, recovery of a storage fabric is a complete unknown to many CISOs.
Finally, far too often the actual data and its recovery copies are kept without sufficient isolation. Think about storage arrays that keep both the primary data and snapshots, or admin accounts that are used to manage both servers and backup. In other words, neglecting storage and backup security will take its toll. CISOs must learn the ropes and must stop pushing it off as someone else’s responsibility.
NIST SP 800-209 provides a detailed overview of storage and backup system threats, risks, attack surfaces, and security recommendations. Some of the more sophisticated ransomware tactics include:
By successfully infiltrating these new targets, ransomware gangs can:
Data is a major part of the role of any CISO, and in today’s digitized, data-everywhere world, an organization must make significant investments in data protection and storage and backup hardening. CISOs have the skills to do it; many simply lack a clear view of the problem. The problem needs to be reframed in the minds of security experts, and fast. Analyzing data storage and backup security posture is a new skill that security teams must adopt to deal with emerging cybersecurity threats.
Organizations report that they are now starting to pay much more attention to their storage and backup security than ever before. In a recent study we conducted among CISOs, more than two-thirds confirmed that auditors were recently hired to review their storage and backup systems. I’m expecting to see much stricter national guidance to organizations to tighten their data protection solutions and to avoid negotiating with criminals.
I highly recommend evaluating your internal security processes to determine if they cover storage and backup infrastructure to a sufficient degree. Some of the questions that could help clarify the level of maturity are:
Storage vulnerability management would significantly help security teams get a full view of the security risks in their storage and backup systems by continuously scanning these systems to automatically detect security misconfigurations and vulnerabilities, and then prioritizing those risks in order of urgency.
I would also encourage readers to learn more about ransomware resiliency for storage and backups by reviewing the NIST Guide for Storage Security, a report I co-authored with NIST. This guide provides CISOs with an overview of the evolution of the storage and backup technology landscape, current security threats, and practical recommendations.