Please take some time to read all of the previous articles on the updated Essential Eight Maturity Model; the links are at the bottom of this article.
Nestled at the very end of the ACSC’s Essential Eight list is something that should be far higher on your organisation’s agenda: regular backups. In the battle against cybercrime, a good, recoverable backup is your fallback position when other measures fail to prevent your data from being stolen or held to ransom.
How likely is it that you will need to recover data in an emergency? The Microsoft Digital Defense Report (2021) said that 50% of organisations were impacted by ransomware in 2021 alone. That’s not counting the human error, natural disasters and equipment malfunction that can wipe out swathes of valuable data in an instant. Need another reason that a well-designed backup solution, regularly tested, is essential? Many insurers are now refusing to pay out ransoms.
In spite of that, backups are an aspect of security that is problematic for many businesses. Most think they are doing the right thing, but when we perform security assessments, we often find that backups are not frequently checked, and in some cases have been failing almost from the start, unbeknownst to the IT team. In other cases, the malicious actors who launch the cyberattack have been in the organisation’s environment for some time, maybe even months, and taken the opportunity to compromise backed up data. ‘Air-gapped’ immutable backups are for that reason becoming more commonplace in government and enterprise environments.
The other common shortfall our security team has noticed over the last few years involves cloud apps and services. It is a common misconception that anything in the cloud is already backed up by the cloud service provider, but this is far from true. Some service providers do offer backup as a value-add, but you must consider how you will retrieve data if the provider goes out of business, if you accidentally delete something that is replicated across their backups, or any other misfortune befalls your data.
Now that we’ve reminded you about why backups are a big deal, let’s take a closer look at the ACSC’s controls.
“Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.”
The starting point to getting backups right is to have a plan that is built on business requirements, and that includes understanding the business impact of losing different types of data. If you need access to data as close to 100% of the time as possible, work to the highest level of availability and fastest recovery possible. If you can manage without data for a day or a week, you can choose a lower cost model. Prioritise according to need.
“Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.”
So, you’re diligently backing up data regularly, but unless you also perform regular tests, how do you know if you are backing up what you think? One major European company had been backing up to DAT tapes for four years after implementing its backup system. After a pre-arranged time, those tapes were destroyed when they were no longer necessary. It turned out, no data at all had been backed up from day one, and the business was throwing out blank, unused tapes.
The lesson here is to test as the business needs, at a minimum quarterly, and use one of the many reporting tools available from backup vendors to check your backup success rate. While you’re at it, make sure you can recover that data in a usable state, and can retrieve what you need.
“Unprivileged accounts can only access their own backups.”
Imagine the type of sensitive data your users work with – and then imagine if anyone could retrieve their emails. If everyone could access company secrets, or information about their colleagues’ health and salary information, it wouldn’t take long for all hell to break out. Aside from maintaining confidentiality, restricting access to other users’ data can help slow the progress of a malicious attack.
“Unprivileged accounts are prevented from modifying or deleting backups.”
As per above, if we don’t want users to have the chance to see other users’ backups, we certainly don’t want them to modify or delete that information.
“Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.”
(As above, ML1) The starting point to getting backups right is to have a plan that is built on business requirements, and that includes understanding the business impact of losing different types of data. If you need access to data as close to 100% of the time as possible, work to the highest level of availability and fastest recovery possible. If you can manage without data for a day or a week, you can choose a lower cost model. Prioritise according to need.
“Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.”
(As above, ML1) So, you’re diligently backing up data regularly, but unless you also perform regular tests, how do you know if you are backing up what you think? One major European company had been backing up to DAT tapes for four years after implementing its backup system. After a pre-arranged time, those tapes were destroyed when they were no longer necessary. It turned out, no data at all had been backed up from day one, and the business was throwing out blank, unused tapes.
The lesson here is to test as the business needs, at a minimum quarterly, and use one of the many reporting tools available from backup vendors to check your backup success rate. While you’re at it, make sure you can recover that data in a usable state, and can retrieve what you need.
“Unprivileged accounts can only access their own backups.”
(As above, ML1) Imagine the type of sensitive data your users work with – and then imagine if anyone could retrieve their emails. If everyone could access company secrets, or information about their colleagues’ health and salary information, it wouldn’t take long for all hell to break out. Aside from maintaining confidentiality, restricting access to other users’ data can help slow the progress of a malicious attack.
“Unprivileged accounts are prevented from modifying or deleting backups.”
(As above, ML1) As per above, if we don’t want users to have the chance to see other users’ backups, we certainly don’t want them to modify or delete that information.
“Unprivileged accounts, and privileged accounts (excluding backup administrators), can only access their own backups.”
Most administrators with privileged accounts are good corporate citizens, who can be relied upon to show up at the company barbecue, contribute to the retirement gifts of colleagues, and use the correct recycling bin. They are human, though, and whether maliciously or unintentionally, could find themselves in possession of information not intended for them. The fewer people with access, the lower the chance of unauthorised access to sensitive information.
“Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups.”
If you don’t want every admin in the organisation stumbling across something not meant for their eyes, you really don’t want them accessing private accounts, deleting other colleagues’ information, or perhaps deleting logs and compromising an information trail. Most can be trusted with everything, but attacks can come from bad actors within the organisation and it makes sense to limit potential damage.
“Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.”
(As above, ML1) The starting point to getting backups right is to have a plan that is built on business requirements, and that includes understanding the business impact of losing different types of data. If you need access to data as close to 100% of the time as possible, work to the highest level of availability and fastest recovery possible. If you can manage without data for a day or a week, you can choose a lower cost model. Prioritise according to need.
“Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.”
(As above, ML1) So, you’re diligently backing up data regularly, but unless you also perform regular tests, how do you know if you are backing up what you think? One major European company had been backing up to DAT tapes for four years after implementing its backup system. After a pre-arranged time, those tapes were destroyed when they were no longer necessary. It turned out, no data at all had been backed up from day one, and the business was throwing out blank, unused tapes.
The lesson here is to test as the business needs, at a minimum quarterly, and use one of the many reporting tools available from backup vendors to check your backup success rate. While you’re at it, make sure you can recover that data in a usable state, and can retrieve what you need.
“Unprivileged accounts can only access their own backups.”
(As above, ML1) Imagine the type of sensitive data your users work with – and then imagine if anyone could retrieve their emails. If everyone could access company secrets, or information about their colleagues’ health and salary information, it wouldn’t take long for all hell to break out. Aside from maintaining confidentiality, restricting access to other users’ data can help slow the progress of a malicious attack.
“Unprivileged accounts are prevented from modifying or deleting backups.”
(As above, ML1) As per above, if we don’t want users to have the chance to see other users’ backups, we certainly don’t want them to modify or delete that information.
“Unprivileged accounts, and privileged accounts (excluding backup administrators), can only access their own backups.”
(As above, ML2) Most administrators with privileged accounts are good corporate citizens, who can be relied upon to show up at the company barbecue, contribute to the retirement gifts of colleagues, and use the correct recycling bin. They are human, though, and whether maliciously or unintentionally, could find themselves in possession of information not intended for them. The fewer people with access, the lower the chance of unauthorised access to sensitive information.
“Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups.”
(As above, ML2) If you don’t want every admin in the organisation stumbling across something not meant for their eyes, you really don’t want them accessing private accounts, deleting other colleagues’ information, or perhaps deleting logs and compromising an information trail. Most can be trusted with everything, but attacks can come from bad actors within the organisation and it makes sense to limit potential damage.
“Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot access backups.”
Locking down backups to only a chosen few makes sense. This is the ‘get out of jail free’ card you play when ransomware or a big whoops takes down your vital data, so you don’t want to risk it being compromised. Restricting users is even more important when you store immutable backups – this is a pristine copy protected in case of emergency, with potentially an encrypted key pass needed for retrieval, and maybe requires the authorisation of the CIO to release.
“Unprivileged accounts, and privileged accounts (excluding backup break glass accounts), are prevented from modifying or deleting backups.”
Essentially, this is where you lock your backup data so tightly that access to the password is via a metaphorical ‘in case of emergency’ glass box on the wall. If someone gets past other security measures, and compromises the more easily restored backup data, this heavily protected backup is what stands between your organisation and the kind of headlines you wouldn’t wish on your fiercest competitor.
Beyond the Essential Eight framework, an important additional best practice is to spend time on a business impact analysis, so that you fully understand which data is vital, which is moderately important, and which is of lower value. This helps you to protect data appropriately by providing the appropriate resources without overspending.
How long should you keep backups? Microsoft has some handy recommendations on frequency and timeframes for your backup plan, aligned to the Essential Eight framework to make it easier for you.
Some final advice: be realistic. In the current landscape, it is not a matter of if your defences will be breached, but when, how quickly you can detect it, and how well you can limit the damage. When we do security testing, we inevitably find some vulnerabilities, and in many cases find evidence that somebody else has found those vulnerabilities too. Plan, backup, test, review – and ideally, make an independent security review part of your organisation’s routine.
Want to know more about backups, the Essential Eight security framework, and protecting your organisation? Read the other blogs in our Essential Eight series, follow us for more tips and tricks, or chat with a Data#3 security specialist today.
Using the ACSC recommendations as a framework, Data#3 has built an Essential Eight Assessment to help organisations understand and improve their security posture.
The Essential Eight Assessment is a 5-day engagement, conducted by a Data#3 Information Assurance Specialist, including up to 2 days spent onsite with the customer.
This is blog 9 of a 9-part series. See earlier posts on:
1. Your guide to the ACSC’s Essential Eight Maturity Model
2. Essential Eight Maturity Model: Application Control
3. Essential Eight Maturity Model: Patch Applications
4. Essential Eight Maturity Model: Configure Microsoft Office Macro Settings
5. Essential Eight Maturity Model: User Application Hardening
6. Essential Eight Maturity Model: Restrict Administrative Privileges
7. Essential Eight Maturity Model: Patch Operating Systems
8. Essential Eight Maturity Model: Multi-Factor Authentication
9. You are here.