The Australian Signals Directorate (ASD) Essential Eight has received considerable attention since it included an additional four strategies to the previously defined ‘Top 4 Strategies to Mitigate Cybersecurity Incidents’. Logan Daley continues the ASD Essential Eight Explained series below.
Backing up your data has been a long-standing strategy in safeguarding your information when things go sideways. Servers crash, laptops get lost, files get deleted accidentally, and mistakes are made. Mistakes, accidental or intentional, can have severe repercussions that require recovering your data, such as in the event of a ransomware attack. Whatever the reason, the fact remains you should have a backup copy of your important data.
There are many options at many different price points that will suit everyone from individuals to large enterprises. These include magnetic and optical media, cloud-based storage such as iCloud, OneDrive, and Box, and even all the way up to Disaster Recovery Sites. The latter can be fully functional exact replicas of production data centres with 100% live replication, to warm standby sites, to even cold sites ready to build from scratch and restore your data. The fact remains you have options, but you have no excuses.
Just as critical as backing up your data is the ability to restore it and use it without it being incomplete, corrupt, or completely inaccessible. It’s like a one-way ticket to somewhere you can’t get back from otherwise.
If you have data, you need to back it up, so the first part is already determined. Depending on service level agreements and who is responsible for your data, either on premise, hosted, or cloud-based, a number of other factors need to be considered. How long can you be down before you have to have your services and data available? How much work can you stand to lose in the event you need to restore? Figuring out your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) may determine your investment in the solution, and it needs to be a business-led conversation, not just a technology one. If you don’t have a plan, you’ll need to create one. If you already have a plan, it may be time to review it to make sure it meets your current objectives.
Determine what you need to back up in a prioritised order, and how to back it up. Will you do full backups every day or a full backup once a week with incremental daily backups? Will you use tapes, cloud, or replication to a Disaster Recovery (DR) site? Will you rotate media off site on a regular basis and how quickly can you get that media back when you need it?
The backup itself is just a small part of the overall solution. Your Disaster Recovery / Business Continuity Plan (DR/BCP) needs to address a lot of moving parts and remove single points of failure. For example, if John is expected to be the one that kicks off the restore but he’s in Bermuda on a fishing trip without his mobile, someone needs to do his job.
Regular testing, including full-scale DR exercises, is highly recommended. Whether you need to restore a file for someone in HR or recover a 10 TB database, your system HAS to work.
A common pitfall is not adjusting backups to allow for new servers, data stores, or applications, so when new systems and new data come online, they’re not captured in the backup scheme. Also commonly overlooked are device backups such as firewall and router configurations so if a device falls over, its replacement or the device itself can be quickly brought back up to speed. Another common pitfall is backing up everything for no reason. It’s all well and good to capture every tiny bit of data, but not at the cost of bandwidth, storage capacity, or at the risk of over-writing critical information. Plan, execute, review, adjust the plan, repeat.
The list of things that can go wrong is extensive, but simply assuming the backups will work every time is hazardous. As with all technology, things can and do go wrong. We all have stories about how our backups let us down at the worst time possible. You simply have to stay on top of things, even if it’s feeding the logs into another system so we can quickly check the status of our backups and right the ship, so to speak. Like a good insurance policy, we need it to be there when it matters.
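As an added example (not part of the original article), here is one way to run the kind of log check described above. It assumes a hypothetical asset inventory with a per-asset RPO in hours and a constructed three-field job log, and flags systems missing from the backup scheme, backups older than their RPO, and jobs still running for assets nobody tracks.

```python
from datetime import datetime, timedelta

# Constructed inventory (hypothetical assets): name -> RPO in hours.
INVENTORY = {
    "hr-fileserver": 24,
    "finance-db": 4,
    "edge-firewall-config": 168,
    "new-crm-app": 24,  # new system that was never added to the backup scheme
}

# Constructed job log in an assumed format: ISO timestamp, asset, status.
LOG = """\
2024-05-01T01:00:00 hr-fileserver SUCCESS
2024-05-02T01:00:00 hr-fileserver SUCCESS
2024-05-02T08:00:00 finance-db SUCCESS
2024-05-02T12:00:00 finance-db FAILED
2024-05-02T16:00:00 finance-db FAILED
2024-04-20T03:00:00 edge-firewall-config SUCCESS
2024-05-02T02:00:00 decommissioned-web SUCCESS
"""

def last_success(log_text):
    """Map each asset to the time of its most recent successful job."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "SUCCESS":
            continue  # skip malformed lines and failed jobs
        when = datetime.fromisoformat(parts[0])
        if parts[1] not in latest or when > latest[parts[1]]:
            latest[parts[1]] = when
    return latest

def audit(inventory, log_text, now):
    latest, findings = last_success(log_text), {}
    for asset, rpo_hours in inventory.items():
        if asset not in latest:
            findings[asset] = "NO_BACKUP"  # coverage gap
        elif now - latest[asset] > timedelta(hours=rpo_hours):
            findings[asset] = "RPO_BREACH"  # newest good copy is too old
        else:
            findings[asset] = "OK"
    for asset in latest.keys() - inventory.keys():
        findings[asset] = "NOT_IN_INVENTORY"  # backed up but no longer tracked
    return findings

if __name__ == "__main__":
    for asset, state in sorted(audit(INVENTORY, LOG, datetime(2024, 5, 2, 18)).items()):
        print(f"{asset:22} {state}")
```

Only successful jobs reset the clock, so a run of failed jobs surfaces as an RPO breach even though the scheduler is still firing.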
Rather than just jumping straight into backing up files, make sure you have a plan in place and ideally this should be a part of your overall DR/BCP. Identify what you are backing up and why, the priority of the data, the recovery time and recovery point objectives, and how it is being backed up. Equally important is how it gets restored and by whom, when, and where. Don’t overlook the value of annual full-scale, live DR testing and regular revisions to the plans. Also remember to include any new systems and their data as well as any storage location movements. Vendor support and even support by a managed services organisation can be worth every penny.
While you’re at it, it’s time to evaluate backing up your personal data. Far too many of us fail to back up our home data and files, so with a wealth of cheap & cheerful options such as personal iCloud, OneDrive and GDrive, we’ve plenty of options. Just be wary of your bandwidth usage and it may be time to look at your ISP options... you may even save a few dollars!
Bonus Points: Watch out for data stored on local drives of workstations and laptops... anything business important should be stored on the corporate servers. I’ve seen a few instances of a staff laptop crashing only to lose vital work documents with the online copies several months out of date.
Ask the questions and get informed and, if need be, get the right people involved. The ability to back up and restore critical information can mean the survival of your enterprise. Among the essential eight strategies, this one has probably been around nearly the longest but is probably also the one that gets overlooked the most. Make sure that any future changes to your data include a section in change management to consider the backup and restore impacts.