This blog post ‘CMMC – Backup Systems Assurance’ is the fifth in a series on Cybersecurity Maturity Model Certification (CMMC) – a US Department of Defense (DoD) initiative that imposes requirements on contractors and subcontractors to help safeguard information within the US defense supply chain.
This post looks at the ‘Recovery’ domain, the security disciplines surrounding backup systems and how organisations can follow the CMMC guidelines to achieve a more robust approach to ensuring their backup systems function as expected, and can be relied on, when needed.
We know the importance of backups in the recovery of failed systems and in retrieving information when things go wrong. An essential lesson in backup management is ensuring the backups are frequent and complete, and the recovery process works. Regular testing of the restore process helps prevent unexpected problems when you are dealing with an incident, since a failed backup procedure might result in you not being able to recover the data you thought you’d safely stored offsite.
Two types of attacks – those that affect availability and those that affect data integrity – are also mitigated through good backup and restore capabilities, which is why system recovery is such a critical control highlighted by the CMMC. The Australian Cyber Security Centre (ACSC) also cites backups as one of the Essential Eight critical security controls all organisations should have in place. So, what should you consider when designing a backup solution as a security control?
Many organisations follow a daily backup routine, but for information changing more frequently, interim differential backups are also a good idea, since each iteration of the backup means you potentially lose less of the work your organisation has undertaken since the last restore point.
Some organisations perform continuous backups where all changes to critical data are stored incrementally in a backup location so that every change can be recovered in the event of a failure. Transactional financial data (banking and stock market trades), along with vital health information from monitoring systems are two examples of the kinds of data that might require continuous backup, so for these solutions, cloud backup services are by far the best approach, since they are always-on and always accessible.
Frequent backups of critical business data, along with important configuration settings, should be retained for at least three months.
After a cybersecurity incident occurs – such as a ransomware attack – if you have a full and recent backup of your organisation’s most critical business data, you don’t need to consider paying the criminals for the decryption keys. Yet for many organisations, the first time they verify whether their backup solution works is when they attempt to restore it during the incident management process.
Traditional best practice in ICT systems management recommends that backups be stored offline. However, the alternative of storing data online, but in a non-rewritable and non-erasable manner, also works well. Backup solutions that run in the cloud can be both online and offsite, with the bonus of being easily accessible.
Testing should occur as frequently as makes sense to your specific business operations. It should ensure a full recovery is possible after infrastructure changes occur, since a change could introduce something into the enterprise that results in the recovery process not working. The first time you discover this error should not be during an incident.
The CMMC suggests that users should be encouraged not to store data on their PC’s local hard drive or removable USB media, since that data is rarely included in the business’s backup regime. Critical business data – the information the user and the business absolutely do not want to lose – should be stored in an enterprise-provided storage solution that is guaranteed to be included in the backup regime.
Testing is vitally important in any recovery plan; verifying backups have been successful and recovering systems or data even partially helps assure the process and provide guarantees that the recovery process will work in a real situation.
You should look for ways to monitor the backup system to ensure it works, passing logs back to the security team to keep an eye on the solution’s utility over time. If the approach you use is a custom backup design, where you might just be copying essential files to an online storage location, you can still create scripts to verify the copy process worked and whether all the data (and even their details) have been successfully stored in the target location. This data can also be sent to the SOC to monitor for issues and deal with failures.
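An added example (not from the original post) of the kind of verification script this paragraph describes: it builds a manifest of the source and of the backup target, flags anything missing or altered, and emits one JSON record that can be shipped to the SOC. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its (size, sha256)."""
    entries = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            entries[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return entries

def verify_copy(source, target):
    """Compare source and target manifests; return one SOC-ready log record."""
    src, dst = manifest(source), manifest(target)
    missing = sorted(p for p in src if p not in dst)
    mismatched = sorted(p for p in src if p in dst and src[p] != dst[p])
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": "backup_verify",
        "source": str(source),
        "target": str(target),
        "files_expected": len(src),
        "files_ok": len(src) - len(missing) - len(mismatched),
        "missing": missing,          # never reached the backup location
        "mismatched": mismatched,    # copied, but content differs (truncated/altered)
        "status": "OK" if not (missing or mismatched) else "FAIL",
    }

def demo():
    """Constructed sample: one file intact, one truncated in the copy, one never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "backup")
        (src / "db").mkdir(parents=True)
        (dst / "db").mkdir(parents=True)
        (src / "db" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "config.ini").write_text("[app]\nkey=value\n")
        (src / "notes.txt").write_text("hello")
        (dst / "db" / "ledger.csv").write_text("id,amount\n1,100\n")  # intact copy
        (dst / "config.ini").write_text("[app]\n")                     # truncated copy
        return verify_copy(src, dst)                                   # notes.txt is missing

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # one record per run; forward to the SOC
```

A FAIL record with a non-empty missing or mismatched list is the signal the security team should alert on, rather than only the backup job's own exit code.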
Once you have confirmed your backup process works and you can recover data, there are a few security requirements you should consider to further protect the confidentiality of the data stored in those backups.
Some backup systems use encryption to safeguard the confidentiality of data since backups are often targeted by criminals who know that in many cases, businesses forget that the security of storage locations needs to be as strong as the primary locations within production systems.
The backup systems need to be hooked into your incident management process to ensure they don’t overwrite the last known good backup during a cyber security incident. There have been many examples of businesses falling foul of ransomware attacks where a properly working backup solution has overwritten good business data with the encrypted information, making recovery impossible.
When you take full backups of all files, so that servers can be recovered, you should be aware that those backups could already contain the malware you are trying to avoid, depending on how long it’s been within your environment. Some organisations have recovered their systems and started working again only to find that they have been reinfected. The way you store full backups and incremental backups of critical information should always be considered in these use cases. The Center for Internet Security (CIS) offers three tips to help you mature your backup process:
Backups capture your business’s operation at any one point in time. They form a vital aspect of your security architecture, protecting both the integrity and availability of your services, systems and critical business information. To keep your business safe, don’t leave it to chance… back yourself.