Black swan event: Preparing for a dual ransomware attack
While a black swan incident shut down Code Spaces, IT service providers and their customers can avoid a similar outcome if they devise a comprehensive data protection plan.
Make no mistake: A black swan event can take your company and your clients down.
Every person involved with enterprise risk management knows what a black swan event is. But what about a black swan ransomware attack where your company, as well as your backup vendor or cloud service providers (CSPs) -- such as Amazon Web Services or Microsoft Azure -- are hacked, resulting in your being locked out of both your data and your data backups?
In the world of disaster recovery (DR), the idea of a dual ransomware attack is terrifying.
According to the Ponemon Institute's 2017 Cost of Data Breach Study: Global Overview, the odds of a company experiencing a data breach are as high as 1 in 4.
Just because you have a DR plan and your data is backed up does not mean you can defeat a ransomware attack. Your vendor's ability to secure your data, along with its own infrastructure, is critical to your business's survival.
Make sure you're prepared.
Consider the misfortune of Code Spaces, a company that hosted application development work in Amazon Web Services' (AWS) cloud. Three years ago, the company faced a black swan event and within days, the company shut down its operations.
While highly prepared for a conventional DR event, the company's fatal mistake was that its business and its business's data were both hosted in the same cloud, accessible via the same credentials. The company experienced a DDoS attack, which occurs when multiple systems flood the bandwidth of the company's servers.
Unknown to Code Spaces, the perpetrators had hacked into their AWS EC2 management console. When a ransom was denied, the perpetrators deleted the entirety of the company's files, including both its production data and backup copy, and the company was finished.
Don't let the same misfortune befall your company. It is possible for your company and your clients to mitigate the risk of a black swan ransomware event.
Create an air gap
Encourage your clients to maintain periodic "air gap" copies of their data on tape or other offline media and store them offsite where they are inaccessible via your network. You should do the same for your company. Code Spaces evidently prided itself on having a rigorous and frequently tested DR plan, but it was all for naught when the attackers simply followed the trail across the AWS network to where both the original and backup data resided and deleted everything.
If data can be accessed on a network, a hacker can attempt to ransom it.
Test your backups
There's a truism when it comes to backups: They're no good unless you test them. In my experience, very few companies follow this basic best practice. Whether your clients store backups with a CSP, another type of vendor or use any combination of your own disk or tape services, you should periodically restore and test a sample of your backups to assure their integrity. Improper retention settings, software failures, media corruption or even a flaky host bus adaptor can compromise your backups and compromise your clients.
Don't assume that your backups are valid just because you created them. Verify a periodic sample of your backups to avoid a potentially nasty surprise if you lose your data to a ransomware attack and then find your backups are defective.
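One way to automate the periodic sample check described above (an added example, not from the article or any vendor's tooling). It assumes a manifest of SHA-256 digests recorded at backup time, in a hypothetical path-to-digest format, and a directory holding a test restore; the file names and contents are constructed.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large restores do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_sample(manifest: dict, restore_root: Path, sample_size: int, seed=None) -> dict:
    """Check a random sample of restored files against backup-time hashes.
    manifest (hypothetical format) maps relative path -> SHA-256 hex digest."""
    rng = random.Random(seed)
    sampled = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    results = {}
    for rel in sampled:
        restored = restore_root / rel
        if not restored.is_file():
            results[rel] = "missing"   # e.g. a retention setting dropped it
        elif sha256_file(restored) != manifest[rel]:
            results[rel] = "corrupt"   # e.g. media or software fault
        else:
            results[rel] = "ok"
    return results


def demo() -> dict:
    """Constructed data: three files backed up, one lost and one altered on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        originals = {"db/dump.sql": b"INSERT 1;", "etc/app.conf": b"port=443", "home/a.txt": b"hello"}
        manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}
        restored = {"db/dump.sql": b"INSERT 1;", "home/a.txt": b"hellp"}  # etc/app.conf not restored
        for rel, data in restored.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return verify_sample(manifest, root, sample_size=3, seed=0)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backup credentials cannot modify, so that a tampered backup cannot be made to match a tampered manifest.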
Don't go it alone
You certainly can set up, manage and operate a DR plan yourself, but are you doing it correctly? Utilizing a "go-it-alone" approach can often increase your company's and your clients' risks from a security and cost standpoint. The problem with preparing for the unexpected is just that: you don't know what will happen. Major breaches frequently happen when you least expect them and often when you're in a situation where you're without the necessary credentialed resources and technical knowledge. Your biggest risk in a go-it-alone scenario could be that you do not have the experienced staff in place with the know-how to recover your services from a ransomware or other black swan event.
Data security at your backup site
When companies back up to a CSP, they typically back up to a multi-tenant environment. How do you provide assurance to clients that their data will be stored safely? There's a simple, yet powerful answer: independent certifications. Companies should look for audited controls, processes and facilities. Evaluate which standards your vendor holds its security services to and how it can demonstrate that to you. If the vendor cannot answer your questions, it's difficult to understand how it will respond in the event of a disaster.
Ask about the following certifications:
The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The intensive FedRAMP accreditation process is generally considered to be the "gold standard" of cloud security accreditations and is very difficult to achieve. While only government agencies are required to use accredited CSPs for cloud products and services, non-government customers can be more confident in a FedRAMP accredited CSP's approach to security when compared with CSPs with no independent accreditations.
The Federal Information Security Management Act (FISMA) defines a framework for managing information security using standards and guidelines developed by the National Institute of Standards and Technology and a multifaceted, risk-based process to establish minimum security controls. A risk assessment validates required security controls by identifying potential threats and vulnerabilities and mapping implemented controls to those vulnerabilities. The system's security controls must then be independently audited to validate their effectiveness and deficiencies. While FISMA exists to provide a foundational level of security only for federal information systems, providers with FISMA-compliant services typically extend these independently verified protections to their commercial customers.
ISO/IEC 27001 is a standard published by the International Organization for Standardization (ISO) that describes best practice for information security management systems. This certification helps service providers to manage, monitor, audit and improve their information security practices by utilizing regular risk assessments. Service providers that meet the standard may be certified compliant by an independent and accredited certification body upon successful completion of a formal compliance audit.
Ongoing data protection
You want a vendor that can provide you with the safety that your data needs. This must include a myriad of defenses built into their service infrastructure, including encryption in flight and at rest, two-factor authentication, antivirus and antimalware protection of their infrastructure, continuous penetration testing, vulnerability scanning, log analysis and remediation. Your vendor should constantly test its infrastructure to see where its weaknesses are and remediate them so you do not experience a "second disaster" when you call upon them.
You can mitigate both your company's and your clients' risk against a black swan event by employing an integrated approach to data security. Unfortunately, these days nothing is 100% secure. However, you can safeguard your company and your clients from being compromised by placing an emphasis on zero-day attack defenses.
Marc Langer is the founder and president of Recovery Point Systems, a company that helps customers resume operations following any interruption in their IT environment. He developed the concept of the Integrated Disaster Recovery Supplier, which enables clients to engage a single vendor to provide an all-inclusive, economical suite of recovery services.