Data centers are on the front line of the growing battle to control and prevent ransomware attacks. Attacks on data centers have evolved into triple extortion threats -- which involve accessing data, encrypting it and threatening to leak sensitive intellectual property -- because data centers have specific vulnerabilities that individual PCs do not.
In the past, ransomware attackers targeted individuals with links sent via email, enabling them to encrypt a PC. Attackers have now discovered they can move up the food chain -- to the data center, which contains a greater quantity of valuable information.
Prevent ransomware attacks
Because hackers have moved from "spray and pray" methods -- which essentially amount to sending emails containing links to download malware and hoping recipients click -- to highly targeted attacks, every aspect of cybersecurity must consider ransomware defense.
"Essentially, ransomware [forces us to consider] all the [same] things we had to think about before -- protecting usernames and passwords, whether to do multifactor authorization, whether to segment the network or implement zero trust, and how to better protect sensitive data," said Frank Dickson, program vice president of security and trust at IDC.
To protect your data center, you must look to the fundamentals of cybersecurity. Identify critical assets, protect those assets, scan for malicious behavior and respond to that behavior when it arises.
Keep all applications in the data center where you can to ease security operations. However, digital transformation increasingly moves data to the cloud, or even to multiple clouds. Even though the data lives in the cloud, management remains on premises. This split creates new points of attack.
"There is a direct correlation between the number of clouds and the number of breaches; it is a function of complexity. Anything you can do to reduce complexity and reduce your attack surface can help," Dickson said.
Popular cloud providers AWS, Azure, Google and Oracle each have different configurations, which can make implementing resilience difficult. If you use four separate clouds, you must also learn all their different access rules and tools to protect them.
After the attack
Ensure your backups are as secure as possible with multifactor authentication, role-based access controls and allowlists that accept logins only from specific locations.
You can make your backup more secure by having the backup system directly "own" its storage rather than writing to a shared device that other hosts on the network can reach. Ideally, your backup system should make data immutable so that it cannot be overwritten even by an attacker who gains root access to the backup host. If you do your job right, you should have an unencrypted backup for recovery after a ransomware attack.
"[However,] you might not have an uninfected backup because the attackers may have been in your operation for weeks or months. [They] could well have placed malware and remote access tools that compromise your whole approach to security," said Nik Simpson, research vice president at Gartner.
That means if you just go ahead and restore, you might encounter the same problem all over again.
Use air gaps as part of the solution. Physical air gaps can help, especially off-site copies stored on tape, but this can make a large-scale recovery process slow and painful. You can also implement logical air gaps, for example, with a cloud provider. The ultimate goal is to rebuild both operations and applications from well-maintained "gold-standard" copies.
After an attack, you can also attempt to recover data in an isolated environment where you can run malware scanners and forensic tools against it. With this approach, you can implement tight configuration controls to support a thorough analysis before anything is returned to production.
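One concrete way to make the "is this backup still clean?" question answerable in an isolated recovery environment is to record a signed integrity manifest when the backup is taken and check the restored tree against it before trusting it. The script below is an added example written for this article, not a tool from any vendor quoted here; the files, the HMAC key and the tampering scenario are all constructed inline, and the key is assumed to live with the backup system rather than on the protected hosts.

```python
"""Added example (not from the article): sign a manifest of backup files at
backup time and verify a restored copy in an isolated environment before
trusting it. All paths, keys and sample data below are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and authenticate the listing with an HMAC.
    The key is assumed to be held by the backup system, not by the hosts
    being backed up, so a compromised host cannot forge a matching manifest."""
    files = {str(p.relative_to(root)): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(root: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the restored tree
    matches the signed manifest exactly."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest signature invalid: do not trust this listing"]
    present = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: a clean restore, then a restore where one file
    was overwritten and one file was dropped in, then a forged manifest."""
    key = os.urandom(32)  # constructed key for the demo
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root, key)
        clean = verify_restore(root, manifest, key)
        # Simulate a backup that was altered before or after it was taken.
        (root / "db" / "orders.sql").write_bytes(b"\x00\x00not the original")
        (root / "dropped_in.bin").write_bytes(b"constructed extra file")
        tampered = verify_restore(root, manifest, key)
        # Simulate an attacker editing the manifest without the key.
        forged = dict(manifest)
        forged["files"] = dict(manifest["files"], **{"dropped_in.bin": "00" * 32})
        forged_result = verify_restore(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The manifest only detects change; it does not make the backup immutable. It pairs with the immutability and air-gap controls above by giving the recovery team a yes/no answer that does not depend on the restored host being honest.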
"Vendors have promoted solutions that are easy to use," said Christophe Bertrand, senior analyst at Enterprise Strategy Group. "Criminals even attack the infrastructure so you need to have copies that are reasonably fresh and aren't easily accessed by an attacker."
As a result, backup systems increasingly focus on including air gapping.
Organizations must also prepare for cyber recovery that includes assessing the viability of network, applications and infrastructure, as well as the data itself. A normal recovery might involve restoration of a modest number of files or some database records, but after a severe attack, you might need to recover everything.
In a large-scale recovery, think about your minimum viable business in terms of applications, data sets and users. Then make sure critical users have a clean endpoint both they and you can trust. Limit access to everyone else until you have the situation under control.
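Turning "minimum viable business" into a restore sequence means respecting dependencies (identity before the database, the database before the apps that use it) while bringing the most critical tier back first and checking whether the serial restore time still meets each application's recovery time objective. The planner below is an added example, not from the article or any vendor it quotes; the application inventory, restore durations and RTOs are constructed.

```python
"""Added example (not from the article): sequence a large-scale recovery by
dependency and business tier, then flag applications whose cumulative restore
time exceeds their recovery time objective. Inventory values are constructed."""
from collections import defaultdict

# Constructed inventory: name -> (tier, restore_hours, rto_hours, dependencies)
# Tier 1 is the minimum viable business; higher tiers wait.
INVENTORY = {
    "identity":  (1, 2, 4,  []),
    "db-core":   (1, 6, 8,  ["identity"]),
    "orders":    (1, 3, 8,  ["db-core", "identity"]),
    "analytics": (3, 8, 72, ["db-core"]),
    "wiki":      (2, 1, 24, ["identity"]),
}


def recovery_order(inventory: dict) -> list[str]:
    """Kahn's topological sort with a priority tie-break: among applications
    whose dependencies are already restored, pick the lowest tier first.
    Raises if the inventory contains a dependency cycle."""
    indeg = {n: len(deps) for n, (_, _, _, deps) in inventory.items()}
    dependents = defaultdict(list)
    for n, (_, _, _, deps) in inventory.items():
        for d in deps:
            dependents[d].append(n)
    ready = [n for n, k in indeg.items() if k == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (inventory[n][0], n))
        n = ready.pop(0)
        order.append(n)
        for m in dependents[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(inventory):
        raise ValueError("dependency cycle in inventory")
    return order


def rto_check(inventory: dict, order: list[str]) -> dict[str, int]:
    """Assume restores run one after another; return each application whose
    completion time overshoots its RTO, mapped to the number of hours over."""
    elapsed = 0
    at_risk = {}
    for n in order:
        _, hours, rto, _ = inventory[n]
        elapsed += hours
        if elapsed > rto:
            at_risk[n] = elapsed - rto
    return at_risk


if __name__ == "__main__":
    plan = recovery_order(INVENTORY)
    print("restore order:", plan)
    print("RTO at risk:", rto_check(INVENTORY, plan))
```

In the constructed inventory the order is identity, db-core, orders, wiki, analytics, and the "orders" application finishes three hours past its RTO even though it is tier 1: the planner surfaces that the database restore alone consumes most of the window, which is the kind of finding that argues for parallel restore paths or a tighter RPO on that data set.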
Is your data center at risk?
SMBs are often more vulnerable because they might use consumer-grade backup tools and devices in their data centers, which simply aren't up to the standards you require in the ransomware era. But even large organizations with advanced, highly secure data centers can become a target.
The number of clouds you use increases your infrastructure's complexity. The more you can consolidate and simplify, the better. Reduce your footprint and the applications and tools you use to help reduce the attack surface.
Find your critical assets and focus on them first for protection. If you try to protect everything, you often end up protecting nothing.
"Find what is valuable to the company then move on to the secondary things," Dickson said.
You also open yourself up to threats by not patching systems in a timely manner. Replace systems that are no longer supported, such as a server still running Windows Server 2003.
Finally, think carefully about recovery point objectives and recovery time objectives. After a ransomware attack, it could take days before you can fully recover.
Enterprise Strategy Group (ESG) is a division of TechTarget.