The Feasibility Of Tape Backup Against Ransomware
As ransomware grows more complex year after year, there is only one weapon that overcomes the challenge raised by cybercriminals: a backup system. We are in the age of cloud storage services, ranging from corporate-level offerings to free packages supported by advertising. Of course, there are always the traditional NAS and hard drive backups, which vary in cost per gigabyte. Given the increasing sophistication of attack methods, there is a concern that future damage from malware will increase, so a reliable and effective backup plan should exist in every organization. What is required of IT departments in organizations worldwide is therefore a preliminary measure to contain, if not fully reverse, ransomware damage. The two pillars are “prevention” of infection through the introduction of anti-virus software and “protection” of data by backup in case of emergency. These should be implemented as part of information security measures before a firm officially starts day 1 of operations.
However, in the case of ransomware measures, the latter is actually said to be more important. The former is, of course, important in preventing infection, but it is difficult to cope with attacks that use unknown methods, such as zero-day exploits. If damage occurs due to an infection, no one can reliably use the PC or the files on its local hard drive, which has a huge impact on business continuity. Given the possibility that infection cannot be avoided, it is clear that the backup issue needs to be settled early.
The first requirement is “data storage destination.” Companies back up systems and data to various media, but in recent years the adoption of NAS has also increased, driven by lower prices. Hard drives are dirt cheap compared to a decade ago. However, their use is not suitable for ransomware measures because ransomware spreads the infection over the network. Network-aware attacks also make online NAS and external drives vulnerable. The backup is likely to be encrypted as well, since it is connected live to the network and its contents are fully accessible from the operating system’s shell. Given this point, it is necessary to select a medium that can be completely isolated from the network as the backup destination.
The second requirement is “backup target.” A large amount of data exists in the PCs and various applications of a company, and in the past, backups focused on the data with high business importance, in consideration of operation time. However, from the viewpoint of protecting information assets, the entire system must be recovered quickly in an emergency, so the backup target must include not only some applications and user data but also the data related to the system itself.
The last requirement is “frequency of backups and retention period of data.” Backup is a highly effective measure, but it is not a cure-all. To reduce the impact on the business at recovery time, the time lag between “now” and the backup time must be as short as possible, which means increasing the frequency of backups. At the same time, some ransomware only starts working several months after infiltration, so long-term data retention is also required to ensure data security. The backup schedules of the past, such as 1-2 weeks of daily backups or monthly backups, are not enough, and a fundamental review of backup methods and operation methods is required.
The reason that ransomware infection has spread so much is that storage connected to a network, such as NAS or DAS, can be recognized by the OS as a storage location for data. The only way around this is to use a system that is not always online and connects to the workstations and servers only when a backup or restore process needs to run. This can be accomplished by tape backup systems, since operating systems do not mount these ancient media directly. These days, this property of tape backup is not a disadvantage but an advantage. A safe and reliable backup that cannot be accessed by the ransomware code provides the greatest protection against malicious data encryption.
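An added example, not part of the original article: a short Python check of a backup catalog against the destination, frequency and retention requirements described above. The catalog entries, the audit function, and the one-day lag and 90-day dormancy thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample catalog: (finished at, medium, reachable over the network?)
CATALOG = [
    ("2024-01-05 02:00", "tape", False),
    ("2024-02-02 02:00", "tape", False),
    ("2024-03-01 02:00", "tape", False),
    ("2024-03-29 02:00", "tape", False),
    ("2024-04-10 02:00", "nas", True),
    ("2024-04-11 02:00", "nas", True),
    ("2024-04-12 02:00", "nas", True),
]

def audit(catalog, now, max_lag, dwell):
    """Check a backup catalog for frequency, retention and isolation.

    max_lag: largest acceptable gap between 'now' and the newest backup.
    dwell:   assumed time ransomware may sit dormant before it activates.
    """
    points = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), medium, online)
                    for ts, medium, online in catalog)
    offline = [p for p in points if not p[2]]
    newest = points[-1][0]
    newest_offline = offline[-1][0] if offline else None
    # Only copies taken before the assumed infiltration date AND kept off the
    # network are both pre-infection and out of the malware's reach.
    cutoff = now - dwell
    clean_offline = [p for p in offline if p[0] <= cutoff]
    findings = []
    if now - newest > max_lag:
        findings.append("newest backup older than max_lag")
    if newest_offline is None or now - newest_offline > max_lag:
        findings.append("no recent offline copy")
    if not clean_offline:
        findings.append("retention shorter than dwell")
    return {
        "lag": now - newest,
        "offline_lag": (now - newest_offline) if newest_offline else None,
        "clean_offline_points": len(clean_offline),
        "findings": findings,
    }

if __name__ == "__main__":
    now = datetime(2024, 4, 12, 12, 0)
    print(audit(CATALOG, now, timedelta(days=1), timedelta(days=90)))
```

In the sample catalog the daily NAS copies keep the lag short, but the newest copy the malware cannot reach is two weeks old, so the audit flags the gap in offline coverage.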