This blog post ‘CMMC – Backup Systems Assurance’ is the fifth in a series on Cybersecurity Maturity Model Certification (CMMC) – a US Department of Defense (DoD) initiative that imposes requirements on contractors and subcontractors to help safeguard information within the US defense supply chain.
This post looks at the ‘Recovery’ domain, the security disciplines surrounding backup systems and how organisations can follow the CMMC guidelines to achieve a more robust approach to ensuring their backup systems function as expected, and can be relied on, when needed.
We know the importance of backups for recovering failed systems and retrieving information when things go wrong. An essential lesson in backup management is to ensure that backups are frequent and complete, and that the recovery process works. Regular testing of the restore process prevents unexpected problems while you are dealing with an incident; a failed backup procedure can mean you cannot recover the data you thought you had safely stored offsite.
Two types of attacks – those that affect availability and those that affect data integrity – are also mitigated through good backup and restore capabilities, which is why system recovery is such a critical control highlighted by the CMMC. The Australian Cyber Security Centre (ACSC) also cites backups as one of the Essential Eight critical security controls all organisations should have in place. So, what should you consider when designing a backup solution as a security control?
Many organisations follow a daily backup routine, but for information that changes more frequently, interim differential or incremental backups are also a good idea: each additional restore point reduces the amount of work lost between the last backup and the failure (the recovery point objective, or RPO).
Some organisations perform continuous backups, where every change to critical data is captured incrementally in a backup location so that any change can be recovered after a failure. Transactional financial data (banking and stock market trades) and vital health information from monitoring systems are two examples of data that may require continuous backup. Cloud backup services suit these cases well, since they are always on and accessible from anywhere; the flip side is that the credentials and API keys used to write to them are reachable from anywhere too, and must be protected at least as carefully as the production systems they back up.
Frequent backups of critical business data, along with important configuration settings, should be retained for at least three months.
After a cybersecurity incident such as a ransomware attack, if you have a full and recent backup of your organisation’s most critical business data, you do not need to consider paying the criminals for the decryption keys. Yet for many organisations, the first time they verify that their backup solution works is when they attempt a restore during the incident management process.
Traditional best practice for ICT systems management recommends that backups be stored offline. An alternative that also works well is to keep them online but in a non-rewritable, non-erasable (write-once, or "immutable") form, so that an attacker who gains write access to the backup location cannot alter or delete what is already there. Backup solutions that run in the cloud can be both online and offsite, with the bonus of being easily accessible.
Testing should occur as often as makes sense for your business operations, and always after infrastructure changes, since a change can introduce something into the enterprise that stops the recovery process from working. The first time you discover this should not be during an incident.
The CMMC suggests that users be encouraged not to store data on their PC’s local hard drive or on removable USB media, since that data is rarely included in the business’s backup regime. Critical business data (the information the user and the business absolutely cannot afford to lose) should be stored in an enterprise-provided storage solution that is guaranteed to be covered by the backup regime.
Testing is vitally important in any recovery plan: verifying that backups completed successfully, and actually recovering systems or data (even partially), exercises the process and gives confidence that recovery will work in a real situation.
You should look for ways to monitor the backup system to ensure it works, passing its logs to the security team so they can track the solution’s health over time. If you use a custom backup design, perhaps just copying essential files to an online storage location, you can still write scripts that verify the copy succeeded and that every file (and its size and checksum) arrived intact in the target location. That verification output can be sent to the SOC so that failures are noticed and dealt with.
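As an added illustration of the verification script described above (this is example code written for this post, not part of the original article or any vendor product), the following Python walks a source tree, hashes every file, and checks that each one exists in the backup target with the same size and SHA-256 digest. The directory names, the `backup_verify` event name and the JSON field names are assumptions chosen for the example; the output is one JSON line per run, which is the form most log shippers can forward to a SIEM or SOC without further parsing.

```python
"""Verify that a file copy to a backup location is complete and intact.

Walks the source tree, hashes every regular file, and checks that the same
relative path exists in the target with the same size and SHA-256 digest.
Emits a JSON event (field names are this example's own choice) for the SOC.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its size and digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def verify_copy(source: Path, target: Path) -> dict:
    """Compare source and target; the report's "ok" is True only if nothing is missing or altered."""
    src = build_manifest(source)
    dst = build_manifest(target)
    missing = sorted(set(src) - set(dst))      # in source, absent from the backup
    extra = sorted(set(dst) - set(src))        # in the backup but no longer in source (stale)
    mismatched = sorted(                       # present in both but size or content differs
        rel for rel in set(src) & set(dst)
        if src[rel]["size"] != dst[rel]["size"] or src[rel]["sha256"] != dst[rel]["sha256"]
    )
    return {
        "event": "backup_verify",               # assumed event name for this example
        "time": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "target": str(target),
        "files_checked": len(src),
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
        "ok": not (missing or mismatched),
    }


def to_soc_event(report: dict) -> str:
    """Serialise the report as a single JSON line for the log shipper."""
    return json.dumps(report, sort_keys=True)


if __name__ == "__main__":
    import sys
    # Usage (paths are assumptions): python verify_backup.py /data/critical /mnt/backup/critical
    rep = verify_copy(Path(sys.argv[1]), Path(sys.argv[2]))
    print(to_soc_event(rep))
    sys.exit(0 if rep["ok"] else 1)
```

Stale files left in the target are reported under `extra` but do not fail the run, since a backup that keeps deleted files is still usable for recovery; a missing or truncated file does fail it, because that is exactly the case you would otherwise only discover during an incident. Scheduling this after every backup job and alerting on any `"ok": false` event is the monitoring hook the paragraph above describes.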
Once you have confirmed your backup process works and you can recover data, there are a few security requirements you should consider to further protect the confidentiality of the data stored in those backups.
Some backup systems encrypt data at rest to safeguard its confidentiality. Backups are often targeted by criminals, who know that many businesses forget that the security of the backup storage location needs to be as strong as that of the primary production systems.
The backup system needs to be hooked into your incident management process so that it does not overwrite the last known good backup during a cyber security incident. There have been many examples of businesses falling foul of ransomware where a perfectly functioning backup job overwrote good business data with the encrypted files, making recovery impossible.
When you take full backups of all files so that servers can be recovered, be aware that those backups may already contain the malware you are trying to avoid, depending on how long it has been in your environment. Some organisations have restored their systems and resumed work, only to find that they have been reinfected. How you store full backups and incremental backups of critical information should always be considered in these cases. The Center for Internet Security (CIS) offers three tips to help you mature your backup process:
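One way to build the "do not overwrite the last known good backup" safeguard into the backup job itself, as an added example written for this post rather than code from the original article or from any product: before rotating the backup set, compare the current source tree with the manifest recorded at the previous successful run, and halt if an implausible share of files has just turned into ciphertext (near-maximal byte entropy) or reappeared under a new extension, both of which are what a mass-encryption event looks like on disk. The thresholds, the manifest format and the `backup_guard` event name are assumptions chosen for the example and would be tuned to the data set in practice.

```python
"""Pre-backup guard: refuse to rotate the last known-good backup when the
source data looks as though it has been mass-encrypted.

The current state of the source tree is compared with the manifest written at
the previous successful backup. Two signals are combined: how many files have
changed since then, and how many of those changed files now look like
ciphertext (near-maximal byte entropy) or reappeared under a new extension.
If too many files are suspicious the job halts, the known-good manifest is
left untouched, and the decision is emitted as a log event for the IR process.
"""
import hashlib
import json
import math
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5       # bits per byte; encrypted or compressed data sits near 8.0 (assumed threshold)
SUSPICIOUS_RATIO = 0.30  # halt when more than 30% of the previous file set looks encrypted (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path, sample: int = 64 * 1024) -> dict:
    """Digest of each file plus the entropy of its first `sample` bytes."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(shannon_entropy(data[:sample]), 3),
            }
    return snap


def _base(rel: str) -> str:
    """Relative path with every extension removed: 'docs/q1.docx.locked' -> 'docs/q1'."""
    parent, _, name = rel.rpartition("/")
    stem = name.split(".")[0]
    return f"{parent}/{stem}" if parent else stem


def assess(previous: dict, current: dict) -> dict:
    """Decide whether the last known-good backup may safely be overwritten."""
    prev_bases = {_base(rel) for rel in previous}
    changed = suspicious = 0
    for rel, meta in current.items():
        old = previous.get(rel)
        if old is None:
            if _base(rel) not in prev_bases:
                continue  # genuinely new file, not a rename of something we already had
            changed += 1  # an existing file reappeared with a different extension
            if meta["entropy"] >= HIGH_ENTROPY:
                suspicious += 1
        elif old["sha256"] != meta["sha256"]:
            changed += 1
            # Rewritten in place and now high-entropy although it was not before
            if meta["entropy"] >= HIGH_ENTROPY > old["entropy"]:
                suspicious += 1
    ratio = suspicious / max(len(previous), 1)
    return {
        "event": "backup_guard",  # assumed event name for this example
        "files_previous": len(previous),
        "changed": changed,
        "suspicious": suspicious,
        "suspicious_ratio": round(ratio, 3),
        "action": "HALT_AND_ALERT" if ratio > SUSPICIOUS_RATIO else "PROCEED",
    }


if __name__ == "__main__":
    import sys
    # Usage (paths are assumptions): python backup_guard.py /data/critical /var/lib/backup/known_good.json
    root, manifest_path = Path(sys.argv[1]), Path(sys.argv[2])
    previous = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    current = snapshot(root)
    decision = assess(previous, current)
    print(json.dumps(decision))  # ship this line to the SOC / incident process
    if decision["action"] == "PROCEED":
        manifest_path.write_text(json.dumps(current))  # advance known-good only when safe
    sys.exit(0 if decision["action"] == "PROCEED" else 2)
```

The guard runs before the rotation step and its non-zero exit code is what stops the job; the manifest file is only advanced on `PROCEED`, so a halted run leaves the previous known-good reference in place for the responders. Already-compressed or encrypted files (images, archives) are not flagged when they change, because the check requires that a file became high-entropy, not that it is high-entropy; a first run with no manifest always proceeds.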
Backups capture your business’s operation at a point in time. They form a vital part of your security architecture, protecting both the integrity and availability of your services, systems and critical business information. To keep your business safe, don’t leave it to chance… back yourself.