I'm fully aware of everything you have raised; there are also replicas in place (which are completely out of the reach of ransomware). And no one can steal the admin credentials of the backup server.

Veeam Replica Job? If yes, then they're reachable over the network and therefore within the reach of ransomware. Or are you talking about Veeam Backup Copies to tape, rotated disk or Capacity Tier?

Credentials: if you have used Windows to access the backup server, then the credentials could be cached somewhere. There are tools to read out the credentials. My personal recommendation: "a backup solution should not be a poor solution". If it's for a company, then ask yourself how much you can lose if someone attacks your company. Is it worth spending some more money to secure the company and the people who work there?

A tape solution or rotated USB disk solution doesn't cost too much. If it's a very small company, Capacity Tier in public cloud is not that expensive.

It's still "air gapped" in the sense that the rest of the network cannot access the files, only the backup server.

I wouldn't really accept this definition, to be honest, since remember, the model for ransomware is get in, and sit. "Smash and grab" runs of course happen, but ransomware attackers happily sit for weeks, months, and in huge cases a year or more, to wait to get the environment into a situation where they can introduce the highest amount of pain when the attack is launched. It's been shown by lower-quality ransomware that the ransomware community is well aware of backups and even has some detection to catch various backup products' backups/services (Veeam included), and they enter it into their strategy.

Your strategy of removing from the domain is a great one, don't get me wrong, it should be done. But if we study how previous ransomware attacks have gone, then we see this is not an insurmountable obstacle for attackers by any means, which is why the redundant off-site copies and air-gapped copies are properly secured. Tape, physically disconnecting the server, rotated drives: these are all fine and they're the best way to do this.

I remember seeing something about some remote physical network switch, but I don't recall the details. It seemed like a great thing: you press a real button and there is a physical disconnect somewhere, which I like the idea of, but I'm not sure how reliable or easily implemented it can be.

I see marketing like this, and even the higher-ups say things like "if and when", just because it's in the news so often. I get all that, but it's a little bit irritating that everyone just assumes that "it's just a matter of time before you get hit." I'm not exaggerating when I say that the only way they're getting into the backup server is if they find out who I am (not an employee), know where I live, break into my house, and manage to get on my screen before it locks. But there's no way you could know this of course.

Yes, you're right, it's easy to miss something in bigger ones, and this usually comes from phishing (poor email security, poor user training), weak passwords on open RDP ports, or careless admins infecting themselves with full domain admin rights. Not impossible things to control, but harder for some vs. others, let's just say.

Besides our main domain-connected backup servers, we use a poor man's Linux-equivalent repository, which is just a home/small-business-grade NAS box with only local auth and no domain integration, and have a copy replica of all backups copied there on cheap SATA drives. We also have a slightly less poor man's option in use as an extra layer to keep 2 weeks' worth of backups on Azure block blob. This is not accessible with domain credentials either, but access to its credential strings is available with Azure tenancy Global Admin credentials. We know none of those are air gapped; however, they are 3 separate methods of authentication and storage not accessible for general or even admin accounts on the domain, so the attack needs to be very sophisticated and targeted to the specific repositories and systems. Though I agree that an attack that can breach the Veeam software itself to use its methods of accessing those repositories may be able to scramble them, as Veeam does have the access credentials and methods in its credential manager.

I can think of a couple of ways to increase the security by creating a partial air gap: running timed scripts on the infrastructure to disable the LAN ports for the Veeam repository appliances or network switches and only enabling them for the time when the replication of new backups is scheduled to happen. If a restore or testing of backups is happening, we can enable the ports manually and disable them after, but I'm not sure it is worth the extra complexity and the loss of alerting from the appliances for the majority of the time. Will have to bring that up at the next cyber security meeting.

I get the intent and we do some things similar.
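The "partial air gap" idea raised in the thread (timed scripts that keep a repository's LAN port down except during the backup copy window, with a manual override while a restore or backup test is running) can be done on a Linux repository with a small cron-driven script. The following is an added example written for this page; it is not code from the thread, from the posters' environments, or from Veeam. The interface name eth0, the 22:00 to 02:00 window, the override file path and the cron schedule are assumptions for illustration.

```shell
#!/bin/sh
# Added example: keep a Linux backup repository's LAN interface down except
# during the scheduled backup copy window, so the box is unreachable for most
# of the day. Not from the thread or from Veeam. Interface name, window and
# override path below are assumptions for illustration.
set -u

IFACE="${REPO_IFACE:-eth0}"                        # assumed repository NIC
WINDOW_START="${WINDOW_START:-22:00}"              # assumed copy window start, HH:MM
WINDOW_END="${WINDOW_END:-02:00}"                  # assumed window end; crosses midnight
OVERRIDE_FILE="${OVERRIDE_FILE:-/run/repo-link-keep-up}"  # touch it during restores/tests
DRY_RUN="${DRY_RUN:-0}"                            # 1 = print the ip command instead of running it

# Convert HH:MM to minutes since midnight. Leading zeros are stripped so that
# "08" and "09" are not mistaken for octal by the shell's arithmetic.
hhmm_to_min() {
  local h="${1%%:*}" m="${1##*:}"
  h="${h#0}"; m="${m#0}"
  echo $(( h * 60 + m ))
}

# in_window NOW START END: succeed if NOW lies in [START, END), including
# windows that cross midnight (22:00-02:00 contains 23:30 and 01:59, not 02:00).
in_window() {
  local now start end
  now=$(hhmm_to_min "$1"); start=$(hhmm_to_min "$2"); end=$(hhmm_to_min "$3")
  if [ "$start" -le "$end" ]; then
    [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
  else
    [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
  fi
}

# desired_state NOW START END OVERRIDE: prints "up" or "down". OVERRIDE is 1
# when an operator has created the override file for a restore or test.
desired_state() {
  if [ "$4" = "1" ] || in_window "$1" "$2" "$3"; then
    echo up
  else
    echo down
  fi
}

# Read the kernel's view of the link; anything other than "up" counts as down.
current_state() {
  local s
  s=$(cat "/sys/class/net/$1/operstate" 2>/dev/null || echo unknown)
  if [ "$s" = "up" ]; then echo up; else echo down; fi
}

# Only touch the interface when the state actually needs to change, and log
# every change locally, since the appliance cannot alert while its link is down.
apply_state() {
  local want="$1" have
  have=$(current_state "$IFACE")
  [ "$have" = "$want" ] && return 0
  logger -t repo-link "setting $IFACE $want (was $have)" 2>/dev/null || true
  if [ "$DRY_RUN" = "1" ]; then
    echo "would run: ip link set dev $IFACE $want"
    return 0
  fi
  ip link set dev "$IFACE" "$want"
}

main() {
  local override=0
  [ -e "$OVERRIDE_FILE" ] && override=1
  apply_state "$(desired_state "$(date +%H:%M)" "$WINDOW_START" "$WINDOW_END" "$override")"
}

# Assumed cron entry, run as root:  */5 * * * * /usr/local/sbin/repo-link.sh apply
# Without the "apply" argument the file only defines functions, so it can be sourced.
case "${1:-}" in
  apply) main ;;
esac
```

Two caveats the thread itself raises still apply. While the link is down the appliance cannot send its own alerts, so the local log line on every state change is the only record, and something off-box should alert when a copy job finds the repository unreachable inside the window. And the window is still an exposure: a backup server whose stored repository credentials have been taken can reach the repository whenever the link is up, so the script narrows the attack window rather than closing it.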