airgapped backups - follow-up

[alesovodvojce]

Following the excelent Gostev's post this week about Ransomware as a service
here: https://www.veeam.com/blog/ransomware-a ... hreat.html

At the end of this post there is a proposed solution to this threat: air-gapped backups.

But what if the problem is not in remote vs local access to backups? What if the problem is in trust we put in one person?
How about putting more (different) people in the scheme.
The temptation of money in Ransomware as a service scheme, and hence morally failing IT administrator, can be mitigated by putting the responsibility for backups onto more people:
Primary backups administered by one person, but secondary (or every second backup) administered by different entity (outsourced / Veeam partner / etc.). This way there has to be too many different people involved in troubles, not just one person from IT department with bad day.

For some environments backing up 10's of TB's daily this would be much more practical solution than air-gapped backups. What do you think?
Don't hesitate to share your proposals too.

[Andreas Neufert]

You speak about segregation of duty.
Many customer do this today even with their normal backup targets.

Group 1 runs the backup software and administrate the primary backup targets, group 2 the secondary backup targets. Group 2 create storage snapshots so that Group 1 can delete all backups on primary and secondary, jobs, VMs whatever by mistake or willful, there is a copy of the data protected in the snapshot. Even if ransomware encrypted the data. Some of our Cloud Connect Partner offer such services as well.
As well a good idea is to offload to tape and vault them to a external organisation by manual movement.

We have a customer that had a huge fire and fire service capped all power connections. He was not able to open the tape library. Luckily he was able to take the disk backup storage out of the rack before the flames destroyed everything to not loose all data. A external copy is pretty important even if you have 2 fire sections. If the fire is big enough...

[Gostev]

How about putting more (different) people in the scheme.
The temptation of money in Ransomware as a service scheme, and hence morally failing IT administrator, can be mitigated by putting the responsibility for backups onto more people:
Primary backups administered by one person, but secondary (or every second backup) administered by different entity (outsourced / Veeam partner / etc.).

Correct, and this is exactly what I have proposed as the solution in my post too have your off-site backups sitting at a partner, with a copy of them air gapped - isolated from your IT staff so that they cannot delete them without obtaining physical access to the service provider infrastructure.

[tqmbill]

Any thoughts on including an auto-eject USB drive feature in Veeam B&R, like this? --
"Veeam Endpoint Backup FREE 1.5 includes:
CryptoLocker protection for USB Storage: Protect USB-based storage targets from potential CryptoLocker threats by automatically ejecting them after a successful job run"
And would it be possible to then reconnect prior to the next backup? Maybe even automatically alternate between 2 USB drives that remain physically connected but only one at a time would be logically online.

This wouldn't help with the single IT person vulnerability, but it would avoid the hassle of physically swapping out drives.

[Mike Resseler]

Hi Bill,

If we would be able to "reattach" the USB device, after that it was ejected, wouldn't that mean that the attackers can do the same and still erase the backups from disk?

[tqmbill]

I guess so. Does this mean the Endpoint functionality is not effective, or is there a way to avoid the attackers reattaching the drive?

[Gostev]

There's no reliable way to do this (we actually had the feature request to automatically reattach storage before next backup and so investigated/tested the process before). And in any case, ransomware would have to know the drive is actually there before trying to re-attach, but it cannot know this.

is there a way to avoid the attackers reattaching the drive?

There's one 100% reliable way that will work no matter what just pull the storage out of the computer, air gap ftw!