The threat of cyber-attacks is something with which many businesses are familiar. The sad truth is that they are not going to go away any time soon and, if anything, they are getting more sophisticated and more difficult to prevent.
One of the most damaging is the ransom attack, in which an organisation’s data is compromised and only released on payment of a ransom. In a widely reported case, Sony Pictures’ internal network was taken down, business critical data was leaked, and untold reputational damage was done in the media fallout that followed. In the US there are other documented cases of ransomware attacks affecting organizations like hospitals. The number of reported ransoms being paid is probably only the tip of the iceberg as it is widely agreed that many organizations that have paid ransoms will not have disclosed the fact, in order to protect their reputations.
No organisation wants to be in a position where they are vulnerable to such an attack, and soon there will be even more of an incentive to take strong measures to protect data from all kinds of breaches. The European Parliament recently adopted its Directive on Security of Network and Information Systems, which presents a framework under which critical infrastructure providers will need to report incidences of ransomware and so-called ‘hacktivist’ attacks, and detail their responses. Given the damage such disclosures could cause, organizations are likely to look for ever more robust ways to protect their data.
One such solution is to maintain safe copies of critical data ‘off grid’, where they are entirely inaccessible to potential hacktivists. This evolves a more familiar anti-malware protection, which relies on the ‘backup and restore’ principle, in which corrupted data is overwritten with a clean copy. In a ransomware attack, both the live and backup data can be compromised by encryption techniques, so there is no clean copy to restore, making this method ineffectual. Restoration is only possible on payment of the ransom, which generates decryption of the data.
By taking the backup instance of critical data off grid, organizations can be assured that it can’t be reached by intruders who access the network with the malicious intent of encrypting data and holding it to ransom. The mechanism for doing this is what we call an Isolated Recovery Solution (IRS). In this scenario, the organization identifies its mission-critical data and this data is backed up to storage that is only connected to the network for very limited periods – purely for the purpose of making a ‘gold copy’ of key data. During these short connected periods, there are strict security monitoring systems in place, and oversight is limited to a small number of trusted technicians.
In this way, a copy of all mission-critical data is maintained outside of the usual network. Its existence is not publicised – even within the organization. It is accessible by just a very small number of highly trusted, security-cleared personnel. Think of it as a sort of ‘panic room’: if the network perimeter is breached, there’s a secret inner sanctum that is separate, secure and reliable. When the data stored in an IRS is needed, it can be scanned and verified as safe, before it’s easily restored. This means criminals perpetrating a ransomware attack will have no leverage – the encrypted data is simply overwritten in the restore process and there’s nothing that the victim company needs to pay for.
For those organisations required to comply with the European Parliament’s recently adopted Directive on Security of Network and Information Systems, this solution minimises the likelihood that they will suffer the damage to their reputation and sales pipeline that comes with reporting the losses from a ransomware or hacktivist instance. If there is a breach of the firewall this will, of course, still need to be reported. But rather than recording massive instances of compromised data, the organization can report its successful protection of its data and its reputation will remain intact. And, of course, they won’t be forced to meet the financial demands of a ransomware attack.
