Backups are a crucial ransomware defense, but restoration is just as important
One of the most common refrains about defending networks against cyberattacks like ransomware is to ensure the existence of regular, secure and preferably offline backups. But, speakers said during a Tuesday webinar, a backup image is only as good as the efficiency with which it can be used to restore a compromised system.
Fully restoring data to a network that’s suffered a ransomware attack can take weeks or sometimes even months, said Nick Psaki, the principal engineer for public sector at Pure Storage, a manufacturer of flash-storage hardware.
“Backups are your last line of defense,” Psaki said during the webinar, which was hosted by the Center for Digital Government. “Due to the nature of legacy infrastructure, everybody practices backups. But the nature of backups is to recover something. Backups have been very efficient in saving data, but not restoring.”
Some of the victims of the biggest public-sector ransomware incidents have found that full recovery is a long and costly process. The March 2018 attack against the City of Atlanta took several months and $17 million to remedy; Baltimore braced for an $18 million tab after being hit in May 2019.
One reason that some network restorations may take so long is that the backup systems themselves need lots of attention, said former New York State Chief Information Security Officer Deborah Snyder, who led the discussion.
“They also require maintenance and might not be robust enough to offer that quick restoration,” she said.
While not downplaying the importance of robust system backups, especially those saved in off-premises solutions like a cloud environment or an offline physical format like tape drives, Psaki said enterprises like government agencies should put resources into technology that can make recoveries speedier.
“We put so much focus on the backup strategy and not the restore strategy,” he said. “Modernize your technologies to do primary data operations, tier two operations, protect against malefactors. If you approach it holistically, you realize there are options today to satisfy all those needs that are affordable.”
One measure Psaki recommended are data-protection mechanisms capable of “near-synchronous” data replication in the event of an attack.
Data, he said, is “where the value is” for ransomware attackers, who are increasingly employing a tactic of publicly threatening to publish data they’ve stolen from victims who do not pay up, including cities like Torrance, California, or schools like Michigan State University.
And ransomware is an increasingly costly experience for the victims who don’t pay. According to research from the cybersecurity research company Emsisoft, state and local governments, schools and health care institutions spent about $7.5 billion dealing with ransomware in 2019.
Beyond the need to improve restoration times, Psaki and Snyder hit some of the other familiar notes about cyberdefense, especially implementing multi-factor authentication and limiting user access to sensitive systems, like data storage.
“Not everyone needs access to storage,” he said.
Still, he concluded, “there are two things you can’t defend against: Trusted insiders, and there’s no such thing as too much human stupidity.”