Data storage

Ransomware-Proof Data Storage Solutions

ZerrasData Storage

How offline storage and air gap solutions secure data against ransomware and other cyber attacks

Developments since the late 2000s and particularly in the last five years have seen a change in how cybercrime is conducted. As the technical capacity to secure networks and data increased, cybercriminals began to implement multiple attack vectors and target users, rather than force their way into the network. The nature of attacks has also changed, from either stealing or destroying data, to ransoming data.

From 2018 to 2020 the financial damage of ransomware attacks grew from an estimated $8B per year to over $20B per year globally, and it is still on the rise. Further, more than 50% of IT professionals say their company is not prepared for such an attack. Ransomware is also increasingly sophisticated: over 75% of ransomware victims had up-to-date endpoint protection in place and still fell victim.

What is Ransomware?

In recent years, ransomware attacks have become increasingly common. Ransomware is a type of malicious software that encrypts files and holds them hostage until you pay a ransom. The encryption means that the contents of the files cannot be read, not even by other systems, unless the decryption key is supplied. Attackers are motivated by financial gain: bundled with the encryption software are contact details through which the file owners are told to pay a monetary ransom in exchange for the decryption key. Because of the opportunity for large financial rewards, it is a rapidly growing form of cyberattack.

This type of cybercrime can cause massive damage to businesses, and the cost of ransom payments can be crippling. Many companies choose to pay the ransom to get their data back, but this is not always a viable option. There is no guarantee that the data will actually be recovered if the ransom is paid, and paying the ransom may make the organization a target for future attacks. According to Gartner in 2020, the average cost of business downtime caused by cyberattacks is $5600 per minute, depending on the industry and organization.

How does ransomware differ from other cyberattacks?

‘Traditional’ cybercrime was oriented around malicious damage or the theft of data for various reasons. In some cases, attackers stole data to sell it to competitors, or the attacker was itself a competitor stealing secrets or destroying a rival’s systems. In many cases, breaches were launched from foreign states against the companies and governments of others. It was also a common tactic of activists against companies they disagreed with. Most of these motives were specific, however, and selling stolen data required a fence or a network through which to advertise it. Ransomware is much easier to profit from, which makes it appealing to a wider variety of criminal enterprises, especially organized crime.

Another key difference is how the attacks are deployed. When stealing data, the connection must remain open long enough for the data to be sent out, and the flow of data into or out of the system is easily monitored by IT security applications. With ransomware, the data doesn’t go anywhere. A very small file, once on the target system, can encrypt and cripple the entire system in a very short time and does not need to communicate with an outside network to do so.

Earlier cybercrime methods also required dedicated skill and practice in coding and hacking. General-purpose ransomware, however, is widely available through the dark web, which puts attack capability in the hands of anyone able to write a compelling email. This has led to smaller operations appearing, which in turn has led to attacks increasingly targeting small businesses and even individuals rather than exclusively large organizations.

How to defend against ransomware

Defending against ransomware is increasingly difficult. As discussed, the delivery method makes it very hard for organizations to prevent malicious code from entering the system. A number of endpoint protections exist that help prevent the deployment of malicious code, but they are often too little, too late. Many organizations have strict policies against downloading files, but this does not always work either: to interact with the outside world, every organization must give some staff the ability to download files, and if those staff are targeted the results can be financially crippling.

A widely used defensive measure against ransomware is data backups: copies of files that can be quickly restored if the system is breached. It is important that these be real duplicates, clean copies of the data, and not cloud-based data syncing. Syncing platforms always create exact copies of the system, so they also copy compromised files.

Several types of backups are common. These include online backups, such as cloud storage and company-owned data vaults permanently connected to the network (including network-attached storage devices), as well as media such as external hard drives, optical disc archives, thumb drives, and tape drives.

Ransomware has circumvented backups in several ways. The most common is to delay activation of the ransom attack after successfully infiltrating the network until a significant share, if not all, of the backups are infected; once the data is restored, it is immediately encrypted again. The second method is to encrypt online storage at the same time as the attack, rendering network-based backups ineffective. The most effective protection against ransomware and other malware is offline data storage.
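The delayed-activation and online-encryption tactics above are the reason a backup set should be checked before it is restored. The following Python script is an added example, not code from the original article or from ZerrasData: it walks a backup directory and flags files whose content looks like ciphertext rather than the document type their extension claims. The extension-to-header table, the 7.5 bits-per-byte entropy threshold and the sample files it builds are all constructed for the example. Compressed containers (zip, OOXML, JPEG) are legitimately high-entropy, which is why a recognised header is treated as clean before entropy is considered.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Constructed table: file extensions and the leading bytes ("magic") a genuine
# file of that type starts with. Containers like zip/OOXML/JPEG are compressed
# and therefore high-entropy, so a matching header is what keeps them from
# being flagged as ciphertext.
EXPECTED_MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".jpg": b"\xff\xd8\xff",
}
HIGH_ENTROPY = 7.5   # bits per byte; plain text sits around 4-5, ciphertext near 8
SAMPLE_BYTES = 4096  # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (8.0 is uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'ok' or a 'suspicious: ...' verdict for one file in the backup set."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    suffix = path.suffix.lower()
    expected = EXPECTED_MAGIC.get(suffix)
    if expected is not None:
        # The extension promises a known format: the header must agree.
        if head.startswith(expected):
            return "ok"
        return "suspicious: header does not match the %s extension" % suffix
    # Unknown type: fall back to entropy. Encrypted content has no structure.
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "suspicious: high entropy and no recognised file header"
    return "ok"


def scan_backup(root: Path) -> dict:
    """Classify every regular file under root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): classify_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_sample_backup(root: Path) -> None:
    """Write a constructed backup set: two clean files and two that look encrypted."""
    rng = random.Random(0)  # deterministic stand-in for ciphertext
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    root.mkdir(parents=True, exist_ok=True)
    (root / "minutes.txt").write_bytes(b"Board minutes, Q3 review. " * 160)
    (root / "report.zip").write_bytes(b"PK\x03\x04" + noise)   # compressed, legitimate
    (root / "invoice.pdf").write_bytes(noise)                   # PDF header overwritten
    (root / "notes.txt.enc").write_bytes(noise)                 # renamed, no structure left


def run_demo() -> dict:
    """Build the sample set in a temporary directory and return its verdicts."""
    root = Path(tempfile.mkdtemp()) / "backup"
    build_sample_backup(root)
    return scan_backup(root)


if __name__ == "__main__":
    for rel, verdict in run_demo().items():
        print("%-16s %s" % (rel, verdict))
```

Run directly, it prints the verdicts for the constructed sample set. It is a triage heuristic, not a malware scanner: a file whose header survived but whose body was encrypted will pass the header check, and a flagged file still has to be opened with its own application to confirm the damage. It belongs alongside the scanning and normalization step described later for data entering the archive, not in place of it.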

What are offline storage and air gap solutions?

Offline storage or air-gap solutions provide a separation between data environments and the network, using only temporary connections or ‘doorways’ to allow the system access to the storage. The purpose of air-gap backups or offline archival storage is to protect your data from being compromised by malware or ransomware. Air gap solutions refer to any physically disconnected storage options.

Air gap solutions can still be breached in a number of ways: active transfer media such as removable hard drives can be infected and encrypted while they are connected to the network. This means that data should be scanned and normalized before entering the archival and preservation storage repositories. Large organizations with large volumes of data use data-center-level hierarchical storage management software to secure and move data between online and offline data environments. Transporting backup or archival data to another physical location disconnected from the network is another way of implementing an air gap solution.

Optical storage archive (OSA) is a permanent backup solution that is particularly effective for a number of industries and applications. Enterprise-grade optical discs can store and protect vast quantities of unstructured data. Optical storage archive libraries use robotics to automate the mounting of the removable optical discs to read, write and store data in an archive, and can also automatically retrieve specific cataloged data quite quickly upon request. Further, optical storage archives are inherently secure because data written onto optical discs cannot be altered. Once written, data cannot be modified by anyone or any malware, except by physical destruction. Data retrieved from the ‘golden copy’ is authentic and is easily accessed through random access to the files of the optical storage environment. The media lifespan is over 100 years, so data remastering costs are reduced significantly. Power consumption is also the lowest of any storage server type. This makes optical storage archives the lowest-cost profile available for secure, long-term backups of high-value data assets.
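The ‘golden copy’ argument relies on being able to show, at retrieval time, that what comes back off the media is exactly what was written. The script below is an added example, not code from the original article or from a ZerrasData product: it records a SHA-256 manifest beside the archived files when the archive is written and re-checks every file against it on retrieval, reporting modified, missing and unexpected entries. The directory layout, file names and manifest file name are constructed for the example. On write-once optical media the manifest is itself unalterable; on rewritable media it must be kept on a separate immutable copy or be signed, otherwise whoever can rewrite the data can rewrite the manifest as well.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # constructed name; stored beside the data


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large archives stream."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file's root-relative path to its SHA-256 at archive-write time."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare what is on the media now with what the manifest says was written."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["modified"].append(rel)
    present = {
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    report["unexpected"] = sorted(present - set(manifest))
    report["modified"].sort()
    report["missing"].sort()
    return report


def run_demo() -> tuple:
    """Write a constructed archive, verify it clean, then verify it after tampering."""
    root = Path(tempfile.mkdtemp()) / "archive"
    (root / "ledger").mkdir(parents=True)
    (root / "ledger" / "2019.csv").write_text("date,amount\n2019-01-02,120.00\n")
    (root / "ledger" / "2020.csv").write_text("date,amount\n2020-03-04,80.50\n")
    (root / "policy.txt").write_text("retention: 10 years\n")

    # Archive-write time: record the manifest next to the data.
    manifest = build_manifest(root)
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))

    # Retrieval time on untouched media: everything should match.
    stored = json.loads((root / MANIFEST_NAME).read_text())
    clean = verify_against_manifest(root, stored)

    # What a rewritable copy could suffer: one file altered, one removed, one added.
    (root / "ledger" / "2019.csv").write_text("date,amount\n2019-01-02,999.00\n")
    (root / "ledger" / "2020.csv").unlink()
    (root / "unexpected.bin").write_bytes(b"\x00" * 16)
    tampered = verify_against_manifest(root, stored)
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = run_demo()
    print("clean:   ", clean_report)
    print("tampered:", tampered_report)
```

The verification reads every byte of every file, which is the cost of a real authenticity check; for a multi-terabyte library it is the robotics-driven retrieval described above that makes running it on demand practical. Keeping the manifest sorted and in plain JSON means it can be diffed between two copies of the same archive without any special tooling.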

Implementing a strong backup and archival policy

Cyber-criminals are becoming more proficient and now mount attacks on the backup infrastructure itself. Given the prevalence of cyberattacks, especially ransomware and other malware, it is important to have redundancy and different approaches to storing data. This is where having duplicates of data that are not easily accessible through the network at all comes in. Businesses need offline storage solutions to augment their cyber resiliency and defensive strategies.

A one-size-fits-all, back-up-everything mentality is merely convenience and a disregard for high standards in IT management, especially when policy-based automation tools are widely available. Backup and archival storage topologies must be designed based on the value of the data and the requirements for serving that data to its users. A good practice is to separate the data backup and restore environment from the data archival environment.

The purpose of the backup and restore environment is to provide a duplicate set of data so that, in the event of data loss, its effects can be quickly reversed; uncorrupted recovery is the main goal. Cyclical backup and restore retention periods can range from 1 week to 3 months. The purpose of the data archival environment is to safeguard and preserve high-value permanent data assets for the long term, so that infrequently accessed data can be reused and accessed by its users. This data retention period ranges from 6 months to indefinitely.

An optical storage archive is also used in organizations that require untampered permanent data protection, often to meet compliance requirements for long-term financial records, or in law enforcement agencies that must protect against evidence tampering. Such data may need to be accessed and distributed if a question arises about a past interaction or transaction in which data authenticity is required. Digital creation companies and studios also use optical storage archives to permanently duplicate and store their reusable digital assets for very long periods. Libraries and museums use optical storage archives to permanently store and distribute their collections.

The 3-2-1 policy approach to backup strategy means having three data backups in total: two backups on different technologies and one that is off-site and is an air gap solution. An example approach would be to create an on-site, air-gap storage solution in which certain applications, storage and computing workloads are not connected to the network and regular backup and archival intervals are implemented. Access to data is isolated to certain direct-attached and local network-attached storage devices. Research and development environments frequently use this architecture to air-gap protect against insider and outsider threats.
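One way to turn the 3-2-1 rule and the retention ranges from the previous section into a check that can be run against an inventory of backup copies, as an added example rather than code from the original article. The Copy record, its fields and the two sample inventories are constructed; the thresholds (three copies, two technologies, one off-site air-gapped copy, 1 week to 3 months for backup retention, 6 months and up for archives) are the article's own figures. Sync mirrors are excluded from the count because, as noted earlier, they replicate compromised files as faithfully as clean ones.

```python
from __future__ import annotations

from dataclasses import dataclass


# Constructed record describing one copy of the data. Field values are
# illustrative; the thresholds below are the article's own figures.
@dataclass(frozen=True)
class Copy:
    name: str
    technology: str        # e.g. "disk", "tape", "optical", "cloud"
    location: str          # "onsite" or "offsite"
    air_gapped: bool       # no standing network path from production systems
    tier: str              # "backup" (restore environment) or "archive"
    retention_days: int
    is_sync: bool = False  # a live mirror (cloud/NAS sync) rather than a backup


BACKUP_RETENTION_DAYS = (7, 90)   # 1 week to 3 months
ARCHIVE_MIN_DAYS = 180            # 6 months upward, possibly indefinite


def evaluate(copies: list[Copy]) -> list[str]:
    """Return the policy findings for an inventory; an empty list means it passes."""
    findings = []
    genuine = []
    for c in copies:
        if c.is_sync:
            findings.append(f"{c.name}: a sync mirror replicates compromised files too, "
                            "so it does not count as a backup")
        else:
            genuine.append(c)

    # The three parts of 3-2-1, evaluated over genuine copies only.
    if len(genuine) < 3:
        findings.append(f"3-2-1: only {len(genuine)} genuine copies, need at least 3")
    if len({c.technology for c in genuine}) < 2:
        findings.append("3-2-1: all copies share one storage technology, need at least 2")
    if not any(c.location == "offsite" and c.air_gapped for c in genuine):
        findings.append("3-2-1: no off-site, air-gapped copy")

    # Retention must fit the tier the copy is meant to serve.
    lo, hi = BACKUP_RETENTION_DAYS
    for c in genuine:
        if c.tier == "backup" and not lo <= c.retention_days <= hi:
            findings.append(f"{c.name}: backup retention {c.retention_days}d is outside {lo}-{hi}d")
        elif c.tier == "archive" and c.retention_days < ARCHIVE_MIN_DAYS:
            findings.append(f"{c.name}: archive retention {c.retention_days}d is below {ARCHIVE_MIN_DAYS}d")
    return findings


def sample_inventories() -> dict:
    """Two constructed inventories: one that fails the policy and one that passes."""
    weak = [
        Copy("nas-snapshots", "disk", "onsite", False, "backup", 30),
        Copy("cloud-sync", "cloud", "offsite", False, "backup", 30, is_sync=True),
        Copy("archive-share", "disk", "onsite", False, "archive", 30),
    ]
    strong = [
        Copy("nas-snapshots", "disk", "onsite", False, "backup", 30),
        Copy("tape-vault", "tape", "offsite", True, "backup", 90),
        Copy("optical-archive", "optical", "onsite", True, "archive", 3650),
    ]
    return {"weak": weak, "strong": strong}


if __name__ == "__main__":
    for label, inventory in sample_inventories().items():
        print(label, evaluate(inventory) or ["passes"])
```

The weak inventory looks like three copies on paper but yields five findings once the sync mirror is discounted: two genuine copies, a single technology, no off-site air gap, and an archive tier retained for only 30 days. The strong inventory adds the off-site tape and an optical archive and passes every check.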

Conclusion

Ransomware and cyberattacks are rapidly increasing and costing companies a lot of money. There is no guarantee that data will be released if you pay a ransomware attacker. Paying an attacker will make your company a target again in the future. Because most ransomware attacks come through malicious web links and files clicked on by users, it is hard to secure against ransomware attacks. The best way to prepare is to have multiple backups, including an optical storage archive air-gap solution with non-rewritable optical media on which data cannot be encrypted or modified by an attack. However, be aware that backups may still contain the malicious code, even if they are not encrypted themselves. When restoring data, always be careful not to copy the ransomware code. Implementing these precautions can help protect your business from costly, debilitating data loss incidents.