The WannaCry ransomware that just hit more than 150 nations serves as a sobering reminder of the damage cybercriminals can inflict. Apparently stolen from the National Security Agency, the malicious software shut down government computers from Brazil to Russia, along with hospitals and financial institutions worldwide. It took a 22-year-old British security researcher – puttering around on vacation, no less – to stop WannaCry by tripping a kill switch in its code.
The biggest attack of 2017 follows a year when ransomware – which encrypts an entire company database until a ransom is paid – became a billion-dollar business. Lest anyone thinks this is a big-bank problem, cybercriminals have increasingly put smaller banks and financial institutions in their crosshairs.
While the FBI recommends against paying ransom, banks have reportedly become so concerned with the threat that many now buy cryptocurrency specifically to pay off criminals in case of attack. The reason, most likely, is to avoid the potentially large costs and risks in not paying. These include more than just the temporary or permanent loss of data, but also operations disruption, the cost of restoring systems and files, and harm to the institution’s reputation should word of the attack become public.
Large institutions have implemented technical controls to deal with ransomware and keep an attack from escalating to crisis level. While smaller institutions might not be able to afford as much technology, people and processes, many can probably afford cloud-based Disaster Recovery as a Service (DRaaS) to back up data as part of a complete business continuity/disaster recovery (BC/DR) solution.
Getting back up: In case of attack, you only have your backup
Banks, of course, should take every preventive measure to secure systems and data against viruses and malware. Today’s best practices include the following:
- Employee education
- Anti-virus technology
- Content scanning and filtering on email servers
- Limiting access to mapped drives
- Implementing endpoint security
Working together, these efforts can reduce, though not eliminate, the likelihood of a successful ransomware attack.
Still, as Gartner reported in 2016, “the primary defense for ransomware infections (and potentially future coordinated attacks) is backup. In these types of attacks, the hacker may have compromised or encrypted your production data; therefore, you only have your backups to revert to.”
That is: In case of a ransomware attack, you can take infected systems offline, go back to your last known clean copy, restore from that, and be back in business without paying ransom. The FBI, Gartner and pretty much everyone involved in cybersecurity recommend backing up important data at least once a day.
From disaster to DRaaS: Fighting ransomware
If your bank finds it unacceptable to lose up to a day’s worth of constantly changing transaction data, you will want to contract for a shorter recovery point objective (RPO) with your DRaaS provider. RPO is the amount of time in the past—in hours or minutes—you want to go back following a disaster. You would notify the provider of the attack, declare a disaster to put your BC/DR plan into action, and count on using a sufficiently recent, uninfected backup to restore and resume operations. Your bank could even run the backup as production in the cloud until the primary data center is known to be clean.
Frequent testing, which every good DRaaS provider should allow, can give you confidence in your ability to load the backup into a safe “sandbox” for verifying its integrity and confirming the ability to recover successfully in case of a ransomware attack.
Assuring the integrity of backups requires its own best practices. Organizations should follow the 3-2-1 backup rule:
Three copies of data on two different media, with one copy offsite, preferably stored in systems disconnected from the production environment.
For additional safety, the DR provider should, in turn, store multiple copies of the data.
Ransomware fighter: The right provider
While protection of a bank’s own systems, networks, devices, applications and data against infection is the bank’s responsibility, DR providers can help increase customers’ security by using backup technologies that incorporate anti-malware and anti-ransomware safeguards, or that are structured to reduce the risk of infection. Veeam Cloud Connect is one technology DRaaS providers use that incorporates such a safe design. Its “out-of-band” protection establishes a secure channel to automatically transfer data to and from the cloud repository and offers data encryption to protect data at rest.
In evaluating a DRaaS provider’s ability to help protect you against ransomware, look for use of this backup technology, or solutions with similar capabilities.
More than that, ask what precautions the provider has in place to prevent its own systems or your backed-up data, from becoming infected with ransomware viruses. A provider should use the most up-to-date versions of leading anti-virus, vulnerability scanning, intrusion detection and prevention, log management, and security information and event management tools—from vendors such as McAfee, Alert Logic, Symantec and CommVault, among others.
Do not merely trust a provider’s claims and assertions. Rather, ask to see third-party certifications that the provider in fact has in operation technological and procedural safeguards that meet stringent industry and government information security standards, such as SSAE 16 SOC2; Payment Card Industry Council Data Security Standard (PCI PSS) Version 2.0; FISMA; and FedRAMP. Ask for certification that the provider’s facility meets Uptime Institute Tier III standards for concurrent maintainability, as well. This means that there’s sufficient redundancy in systems so that any element of the physical plant can go offline for maintenance without impact to your contracted backup and recovery services.
A word of precaution …
Banks need to do all they can to implement the physical, technical and administrative precautions to safeguard their data against the ransomware threat and comply with all relevant security requirements. A qualified DRaaS provider can help banks defend against and respond to ransomware attacks by offering the services, systems and technologies to keep their backups secure and provide the space and support for successful recovery.
In the meantime, there is no turning back to a less volatile time. Analysts, media, and cybersecurity experts called 2016 the year of ransomware. In 2017—and in the wake of WannaCry—attacks could well increase to record levels. For many financial institutions under siege, the only going back—and the best way forward—comes from smart backup technology.
Marc Langer is the founder and president of Recovery Point Systems, a company that helps customers resume operations following any interruption in their IT environment. He developed the concept of the Integrated Disaster Recovery Supplier, which enables clients to engage a single vendor to provide an all-inclusive, economical suite of recovery services.
51cd.jpg "Banking Strategies 027")
