The Ransomware as a Service (RaaS) model explained

If you have been following the recent posts on our LinkedIn page, you will have seen several articles discussing the industrialization of cybercriminal activity and the new term ‘Ransomware-as-a-Service (Raas)’. This is the name that has been given to an evolving ecosystem of threat actors that work together to provide the tools, network access, and transaction services to undertake successful ransomware and extortion attacks.

What exactly does RaaS mean and what if anything has changed in the way cyberattacks are structured under this new model?

RaaS describes a subscription-based arrangement between operators and users (also known as affiliates) to use ransomware tools developed by the operator, such as ransomware payloads and portals for communicating with victims to execute attacks. As opposed to typical ransomware, RaaS is effectively a set of ‘ransomware tools in a box’ for subscribers who pay to be an affiliate of the program. Just like the common Software-as-a-Service (SaaS) model, RaaS affiliates are paying for the ongoing use of tools such as malicious software, portals to facilitate payments, leak sites to share snippets of data exfiltrated from victims, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.

This model is allowing more criminals, regardless of technical expertise, to deploy ransomware that has been built or managed by someone else, therefore the rate of incidents is only set to increase from this point forward. In fact, the 2022 Threat Report from security firm Sophos reported that RaaS based attacks had risen by 60% in the past 18 months1.

RaaS popularity is bringing more threat actors to the table making tracking cybercrime even harder

Historically ransomware attacks were named after the malware code that delivered the payload and generally a handful of key cybercriminal gangs were behind the development and delivery of each virus strain. Certainly, malware codes have been presented in the public or dark web domain for many years for other likeminded groups or individuals to deploy, but most high-profile attacks were undertaken by a handful of well-known operating groups. The RaaS model significantly complicates matters when it comes to tracking the criminals behind specific attack vectors as it presents a unified appearance of the payload or campaign being from a single ransomware family or set of attackers.

However, with this new model the RaaS operator sells access to the ransom payload and decryptor to an affiliate who is then responsible for the deployment of the actual ransomware attack. The operator and affiliate then share the profit from any successful deployments. In addition, RaaS developers may also just develop malware payloads for profit, sell them, and run their own campaigns with other ransomware payloads further complicating matters when it comes to tracking the criminals behind these actions.

Access Brokers complete the cybercriminal triad

When used properly, triangles are the most stable and rigid shapes used in construction today, so unsurprisingly there is a third piece supporting the RaaS model. So far, we have mentioned the RaaS affiliates who subscribe to the tools developed by the RaaS operators. Access Brokers complete the RaaS cybercriminal triad by selling access to corporate and government systems to affiliates, or indeed any threat actor who has an interest in activities such as identity theft, data exfiltration, ransomware, obtaining state secrets or intellectual property. The list of fraudulent end goals could go on, and it would shock many C-level executives to see their corporations appearing in lists of networks with detected vulnerabilities. Access brokers will in certain cases infect systems with malware or create a network of computers infected with malware that are controlled by a bot herder (a botnet) and then sell them as a ‘load’. A load is designed to install other malware or create backdoors onto the infected systems for other criminals. Certain access brokers scan the internet for vulnerable systems, for instance, unpatched systems or exposed Remote Desktop Protocol (RDP) systems with weak passwords, and then compromise them all together for future potential prosperity. Some advertisements for the sale of initial network access will specifically state that a system is not managed by an antivirus or endpoint threat detection and response solution. Some infiltrations may even advertise the availability of a highly privileged user account that can edit information in Active Directory servers to fetch an even higher price. Figure 1 illustrates the main functions within the RaaS cybercriminal pyramid.

RaaS is driving widespread opportunistic ransomware, but also underpinning highly sophisticated human-operated attacks

It is true that most ransomware attackers opportunistically deploy ransomware to whatever network they can get access to, and this has formed the main pattern of deployment for many years. In contrast to this however, there are more focused attackers that prioritize organizations with higher revenues or target specific industries that will cause the most disruption (for example, transport networks and banking systems), or the type of data they can exfiltrate, (for example, hospitals for medical records or intellectual property from technology companies). It is a common misconception that the threat actors who have encrypted your data, stolen your backups and exfiltrated sensitive information are the same individuals who infiltrated your network. In many cases, the RaaS affiliates making ransom demands simply bought a botnet ‘load’ from an Access Broker and may not even know or care how your network was compromised in the first place. Any corporation whose name appears on an Access Broker’s list of vulnerable networks is a ransomware victim waiting for the moment to happen.

In summary
The RaaS model clearly shows that cybercrime is now truly an industry with many attack resources becoming commoditized, extending their availability to a much wider audience. Cybersecurity as always must strive to stay ahead of the game with a holistic approach combining key elements such employee education, zero-trust architectures, and immutable data stores. For most organizations it is not a question of ‘if’ an attack will happen, it is a case of damage limitation when it happens. Employee education and architecture hardening are ongoing tasks that take time to implement, immutable storage technologies however are the quick wins that any organization can and set in place. Speak to the Blocky team to learn how to secure your Veeam backups on Microsoft platforms and more about the many other immutable technologies that are now available.

1. https://www.sophos.com/en-us/labs/security-threat-report


Veeam backups targeted by the Conti ransomware group

Conti ransomware first appeared in late 2019 and has steadily grown to become one of the forefront ransomware-as-a-service (RaaS) operations. A recent report from ransomware incident response firm Coveware1, based on thousands of cases investigated during Q2 2021, showed Conti V2 to be the second-most-prevalent ransomware encountered, trailing Sodinokibi, also known as REvil by just 2.1% for the top position.

Likewise, Veeam had the fastest revenue growth in the worldwide Data Replication & Protection market, both sequentially (+21.5%) and YoY (+17.9%) in 2H’20 among the top 5 vendors, all other vendors combined, and overall market average, according to the IDC Semi-annual Software Tracker, 2H20.  In 2020 Veeam became the #2 provider worldwide in terms of overall revenue with YoY growth more than 17.5 percentage points above the market average2.

Ransomware gangs know that having secure backups of critical files massively reduces the likelihood of a ransom payment being made, so it comes as no surprise that the rising star of the cybercrime world is targeting Veeam, the fastest growing and widespread backup platform for virtualized infrastructures

The anatomy of a Conti attack

The Conti ransomware group has made headlines around the world causing a great deal of damage during their relatively short tenure. Of course, they have not appeared from nowhere, the same group is believed to have been behind Ryuk ransomware, known for targeting large, public-entity Microsoft Windows networks which first appeared in 2018.

A Conti attack will typically start with some very carefully designed spam email messages based on specific research of prospective targets. Messages could be based on topics presented in media regarding company executives and employees, a technique used to ensure that the attack emails containing the malware, known as Cobalt Strike beacon backdoor, are opened and the attached payload is executed.

This emphasises the importance of training on spam and phishing email identification, a subject often overlooked in many staff training programs. Useful resources regarding Security Awareness Training & Anti-Phishing Simulators can be found in our earlier article The Blocky for Veeam ® – 5 Step Guide to a Safer Network

A high-profile attack will not be something rushed into, instead it is a complex operation, prior to deploying the Cobalt Strike beacon backdoor, the Conti attackers attempt to infiltrate the network and move laterally throughout the organization. The group will try to extend their reach beyond the initial infected machines using communications protocols such as Server Message Block (SMB) to encrypt as many remote machines as possible.

Once the Cobalt Strike beacon has been deployed, this signals Conti’s team of experienced network intruders known as “pentesters” to get to work, seeking both local and cloud-based backups within the target network.

The pentesters search specifically for Veeam privileged users and services and which they can then leverage to access, exfiltrate, remove and encrypt backups to ensure their ransomware demands are not hindered by this last line of defense.

Of course, backup files are not just a security policy against ransomware attacks, they are also a potential mine of customer data and other Personal Identifiable Information (PII), hence exfiltrated backup files will most likely contain PII for data breach double extortion.

The entire process is very much a manual operation culminating in the deletion of Veeam Backups (.vbk) simply using the Windows ‘rm’ command followed by encryption of Veeam-designated local domains using the Conti locker.

Steps to mitigate Conti Veeam backup removal attacks

An effective cybersecurity policy will always need a holistic approach presenting as many hurdles to prospective attackers as possible. Here we outline 5 key areas that should be addressed to reduce you attack surface and ensure your Veeam backups are a safe as possible.

Security education

The importance of regular and evaluated staff training around IT security cannot be stressed enough. Improving your internal security education will greatly reduce the success rate of social engineering campaigns against your organization.

Endpoint protection

With the recent increase in remote working endpoint devices have increased in number and likewise additional remote network access facilities have been set in place by organizations to accommodate this. Second to social engineering, remote access protocols such as VPN and RDP have known vulnerabilities regularly exploited by pentesters, therefore expert advice regarding endpoint and access protocol vulnerability is vital.

Implement Application Fingerprint (Whitelisting) technology

Whitelisting technology can be used at many points within your Veeam backup infrastructure. The most direct and effective place is at the backup volume level. Blocky for Veeam® uses application fingerprinting techniques which make it practically impossible for malware code to masquerade as an approved application and gain control of backup volumes. It will also block any manual attempts to alter the contents of backup volumes using commands such as ‘rm’ from the windows command line. At a more general level tools provided by the Microsoft operating system, such as AppLocker, can help you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

Early detection is paramount

Stopping an attack in its early stages will of course limit the amount of damage caused and elevate your chances of a rapid recovery. The Conti gang has released multiple new revisions of the ransomware, improving, and expanding the capabilities in each version. For this reason, detection tools such as anti-virus which are based on blacklists of ‘known’ threats are always on the back foot. New ransomware variants are called ‘zero day’ attacks when they first appear on the scene, however, whitelisting technologies still have the potential to stop them in their tracks. Blocky for Veeam® not only works in this way, but it can also be configured to alert administrators of any access attempts to backup volumes by unauthorized executables. Alerts can be delivered by email, SMTP and through logs files. Identification of unauthorized attempts to modify backup volume contents can provide early warning of a zero-day attack unfolding.

Veeam account security

There are a multitude of account security measures for Veeam which should be implemented to prevent Veeam account takeover. These can be found in the excellent online best-practice resources provided by Veeam, many of which are referenced in our previous article Quick tips for Veeam® Backup Security

For any questions, please get in touch through our contact form, the Blocky team are always ready to help.

(1). https://www.coveware.com/blog/2021/7/23/q2-ransom-payment-amounts-decline-as-ransomware-becomes-a-national-security-priority

(2). https://www.veeam.com/blog/idc-2h20-revenue-growth.html


gt500 eleanor ford mustang in silver

Could Your Password be Cracked in 60 Seconds?

 

Could your Password be Cracked in 60 Seconds?

If your password is 7 characters long and uses a mixture of numbers with uppercase and lowercase letters, then the answer is YES(1). This is based on analysis undertaken prior to August 2019, so the situation is probably even worse today as the processing power in the hands of cybercriminals continues to increase. Passwords have been used with computers since the earliest days of computing. The CTSS operating system introduced at MIT in 1961 was the first recorded computer to implement a password login. Likewise, tools designed to crack passwords have been evolving alongside for many decades.

Here we will look at why some password ‘best practices’ are actually detrimental to information security and suggest some methods for creating strong passwords that are easy to remember but hard to guess.

Password management: typically, a painful necessity

It is no secret; passwords are a pain for everyone. They cause frustration for employees, customers, and the support staff who must manage them. Who can remember the 11-character combination of letters, symbols, and digits that are prescriptive of strong passwords, let alone devise them in first instance? When a password gets lost or stolen, which they frequently do, it places a burden on the support desk. According to Gartner Group, 20-50% of support calls are for password resets, with an average cost to the organization of $70 per call, according to Forester Research.

Hackers have developed a wide range of tools to infiltrate your personal data. The main impediment standing between your information remaining safe, or leaking out, is the password you choose. Ironically, the best protection people have is usually the one they take least seriously.

From a password cracking perspective password complexity certainly improves password strength as can be seen in the diagram reproduced below from Hive Systems, but enforcing ‘strong’ password rules upon users that are difficult to remember can reduce the security of a system in the following ways:

  • Users may need to write down or electronically store the password using an insecure method
  • Users will need more frequent password resets
  • Users are more likely to re-use the same password
  • Similarly, stringent requirements for password strength, such as "having to mix uppercase and lowercase letters with digits" or "changing the password monthly", increase the degree to which users will try to subvert the system (2).

Asking users to remember a password consisting of a mix of uppercase and lowercase characters is like asking them to remember a sequence of bits: hard to remember, and only slightly harder to crack (only 128 times harder to crack for 7-letter passwords, less if the user only capitalizes one of the letters). Asking users to use both letters, digits and symbols will often lead to easy-to-guess substitutions such as '3' in place of 'E', '1' instead of 'l', and '@' in place of 'A'. All of which are well known to hackers. Similarly typing the password one keyboard row higher is another commonly known trick.

image showing the time it takes for a hacker to brute force your password
Easy to Remember but Hard to Guess

Users rarely choose passwords that are easy to remember but hard to guess. A study in 2004 entitled "The Memorability and Security of Passwords (3)" set out to determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenged the established wisdom.

They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "algorithm" for generating obscure passwords can easily build strength upon these examples. One way to create an easy-to-use algorithm could be to take the unrelated word example but separate each word with a choice of symbols. Three random words with three different symbols could certainly create a strong password with the user having just 6 password elements to remember.

More recent research undertaken in April 2015 by several professors at Carnegie Mellon University revealed that people's choices of password structure often follow several known patterns. As a result, passwords may be much more easily cracked than the mathematical probabilities, as illustrated in the diagram included here, would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password (4).

How are passwords compromised

Passwords represent valuable corporate assets that can be targeted by cybercriminals. Passwords can be compromised on the move as they transit networks, but they are more vulnerable as sitting targets when static as they are stored in databases and backup files which can be easily found and hacked. In some cases, passwords are shared among colleagues, and are reused across multiple applications making them easy targets for malware, phishing attacks, and other credential-stealing techniques.

One of the simplest ways for hackers to gain access to your information is with a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to systematically check all possible passwords and passphrases until the correct one is found that matches your credentials. Other cracking techniques you may hear include dictionary attacks, lookup tables, reverse lookup tables, and rainbow tables. Free password cracking tools can be easily obtained through any internet search, so do not assume that it is just within the realm of sophisticated cybercriminal gangs.

When passwords are stolen, either individually, or as part of a corporate database, they are usually shared online and offered for sale on the dark web. Cybercriminals buy these lists and use automated credential-stuffing attacks that run through the username and password combinations until a match is found for the online account they are trying to break into. This could be an online shop where they attempt to purchase goods using your stored payment methods or in the worse case accessing your financial institution accounts to transfer money. Of course, once hackers have gained access to any online account, there may be much more Personal Identifiable Information (PII) readily available to them, paving the way for broader identity theft.

Education and encryption are your best weapons

So often, cybersecurity education is the most powerful weapon any organization can deploy to help keep their systems secure and sensitive information out of cybercriminal’s hands. Even the simple password management tips here could make a big difference. One other action we always promote is the encryption of sensitive data and in particular backup files which are not only your lifeline in the event of a disaster, but they are also sitting targets for data mining by criminals searching for password tables or other forms of PII. In addition, always secure your backup volumes with an immutability function such as Blocky for Veeam® to ensure threat actors cannot encrypt your vital files.

For any questions, please get in touch through our contact form, the Blocky team are always ready to help.

(1). Data sourced from HowSecureismyPassword.net online: https://www.hivesystems.io/blog/are-your-passwords-in-the-green?

(2). Managing Network Security. Fred Cohen & Associates. All.net. Retrieved on January 31, 2013 online: https://web.archive.org/web/20110126220702/http://all.net/journal/netsec/1997-09.html

(3). Yan, J.; Blackwell, A.; Anderson, R.; Grant, A. (2004). "Password Memorability and Security: Empirical Results" (PDF). IEEE Security & Privacy Magazine online: https://ieeexplore.ieee.org/document/1341406

(4). Steinberg, Joseph (April 21, 2015). "New Technology Cracks 'Strong' Passwords – What You Need To Know online: https://www.forbes.com/sites/josephsteinberg/2015/04/21/new-technology-cracks-long-complex-passwords-what-you-need-to-know/?sh=1f430ed162df


Veeam Backup Protection for Branch & Remote Offices

Cybercriminals look for multiple routes to infiltrate a network, so accordingly cybersecurity measures need to be equally as comprehensive. In the context of protecting Veeam backup files and the storage volumes that hold them, there are many recommended best practices. Unfortunately, some of these measures may not be practical for branch or remote office deployment due to resource limitations or other logistical challenges. Having multiple remote offices broadens the attack surface available to hackers, so we will look here at some common challenges and how application fingerprinting technology can offer a cost effective and easy to deploy security solution for remote office installations.

On-premises backups have become the primary target

It is now an everyday occurrence that a company falls victim to a cyber-attack only to find that their backups have been compromised along with other files essential to business operations. Backups should serve as an insurance policy to enable operations to be restored following an attack but of course cybercriminals know this and set out to locate and encrypt backups first.

There are many best practice recommendations available to secure a Veeam Backup & Replication architecture. The objective being to place as many hurdles in the way of attackers as possible. We have covered these in our previous article Quick tips for Veeam® Backup Security so will not repeat them in detail here, but instead highlight those practices which may prove difficult at remote locations or cost prohibitive to many companies.

Object storage and OS hardening

The usual practice set in place for a corporate headquarters backup process is to have an on-site Veeam backup repository which may store 14 to 30 days of backup data locally. The system administrator then has several options available to protect this backup information. One option is to send copies of the primary backup data to S3 based object storage in the cloud which can then take advantage of object-lock technology. This could be an immediate copy of the backup data or alternatively use an aging out process where, for example, backup data greater than 14 days old is copied to the object store.

Object storage is typically deployed in the cloud, but on-premises solutions are becoming more popular. While both are certainly solid security options, for many organizations the cost of these services will be prohibitive.

With the release of Veeam V11 the option of replicating backups to a hardened Linux based backup repository became available. This is a very popular option for organizations who already use Linux within their infrastructure and have the appropriate skills in-house. Unfortunately, with Linux having less than 2% worldwide coverage as a desktop operating system, many organizations are reluctant to undertake the learning curve, or add the skills required to introduce Linux into their Windows dominated architecture.

In the context of branch and remote offices the prevalence of Linux is even lower. Additional challenges may include less than optimal network connectivity for the use of cloud-based backup solutions, and a general lack of on-site technical resources.

Hardening a Windows based system is far more difficult as it is a much vaster OS than Linux and unfortunately a victim of its own popularity. The security of an operating system will depend to a large degree on the size of its installed base. For malware authors, Windows provides a massive playing field therefore concentrating on it gives them the biggest return for their efforts.

Hardening a Windows® Veeam Repository for remote offices

Veeam offer some great best practice resources for securing a backup environment including tips for Hardening a Backup Repository running on Windows however these steps will never result in a truly hardened Windows platform. If these steps are followed the environment will certainly be harder for cybercriminals to infiltrate, but Veeam backup volumes will still be vulnerable.

Remote sites typically use local storage as a staging area for backups of up to one week in age and having backups reside on local storage provides the fastest possible recovery time. While cloud-based object storage is effective, the network bandwidth limitations at remote sites may make this unpractical to meet recovery time objectives in the event of a cyberattack, or any other disaster recovery scenario.

Blocky for Veeam® offers a solution for both remote and head office Windows based backup repositories using local storage which will prevent any unauthorized system process from modifying the content of designated backup volumes or folders.

The system administrator would select which storage volumes or first level folders that need to be protected, and then instruct the Blocky for Veeam® filter driver utility to perform an application fingerprint analysis of the required Veeam Backup & Replication application processes. Once protection has been enabled then only those fingerprinted processes are able to write to the protected volumes. No Malware code could masquerade as a Veeam application process as it would not match the application fingerprint that has been created from the genuine Veeam processes.

Early detection is vital to limit the damage of a Cyberattack

Malware payloads and subsequent ransomware demands are typically launched after the hackers involved have worked undetected within the IT infrastructure for quite some time. This happens when ‘zero-day’ vulnerabilities have been exploited to gain access the network. This can come in the form of new loopholes in the OS or network hardware, or simply from the development of new Malware codes that are unknown and therefore do not exist within current antivirus definition files.

Even though deploying a hardened Linux based Veeam backup repository will be effective in stopping backup files from being compromised, the Linux repository itself will not alert of any unauthorized access attempts or other suspicious network behaviours.

Blocky for Veeam® by contrast can send alerts of any unauthorized access attempts via system log files, email, SMTP and through the Blocky for Veeam® logging panel when an administrator has the GUI open. Early detection of suspicious activity especially from ‘zero-day’ threats can go a long way to limiting the damage caused by a cyberattack.

Branch & remote offices are a key entry point for cyberattacks. Due to on-site challenges security solutions using cloud technologies, tape archives or a hardened Linux OS may be impractical. For any questions, please get in touch through our contact form, the Blocky team are always ready to help.

Considerations for a Cyberattack Crisis Communications Plan

In our earlier article The Blocky for Veeam® – 5 Step Guide to a Safer Network we highlighted the importance of creating a Cyber Security Policy and Disaster Recovery Plan. A key element of this should be a communications plan which can be easily overlooked during the turmoil of containing a cyberattack and the restoration of IT systems.

Keeping stakeholders informed is an area where organizations often stumble especially when a cyber-attack has resulted in a data breach. Performing this task well requires having plans in place long before any breach of your security, but also important is rehearsing and updating this plan to ensure the most appropriate communication channels and spokespersons are always primed.

In this article we will offer some guidance on establishing a cybersecurity communications plan and outline some of the pitfalls that can be avoided.

Identify your audiences

One of the primary steps of building a crisis communication strategy is identifying and understanding the audiences that the organization needs to reach during a cyberattack. Many potential audiences need to be informed during the event and recovery period. These may include employees, IT staff, customers, vendors, suppliers, investors, government officials, industry regulators and of course the media. The communications plan should set out the needs of each of the entities that require contact and identify who within the organization is best placed as a spokesperson to communicate with each audience.

Media interaction can be a vital component in the event of a cyberattack. Communicating with the media has the potential to positively affect stakeholder reactions, but this of course depends on how well the message is composed and delivered. A prompt and well-calculated announcement to the media can go a long way to reduce speculation and rumor and let your stakeholders know you are in control. If possible, work with your PR agency professionals who should be experts in crisis communications.

Spokesperson and communication team assignment

Spokesperson selection is one of the most crucial aspects of a crisis communications plan. A cyberattack will induce panic across the organisation, not just within your IT support team. This creates a high chance of blunders and mistakes under the pressure which emphasizes the need for a solid crisis communication plan with specific spokesperson responsibilities set in place. Smaller organizations may decide to have just one person in charge of communicating both internally and externally, often the CEO him/herself.

It is important that the spokesperson for a cyberattack crisis should be both technically knowledgeable and an authority figure in the business. If your spokesperson is the CEO, ensure he or she is able to speak accurately and intelligently about the technical details of the attack. You would not want your spokesperson to lose credibility by accidentally misstating factual elements of the event. People need to know that top leadership is in control and in command of the situation.

However, it may be preferential to assign a point of contact and a backup for each department with the assigned members forming part of a tightly coupled group. Additionally, a team should be identified to oversee all external communications, and that team should include the CEO. During the crisis period, a team should be on hand to answer external phone calls, check voicemails, reply to emails, provide support, and manage social media accounts.

The diagram below illustrates some of the common stakeholders and likely spokesperson alignments.

 

 

Communication channels, templates and rumor containment

After establishing the audiences and spokesperson alignments it is essential to decide how communications will take place. Companies should not rule out the possibility that their email and telephone systems could be targeted as part of an attack, so other communication options such as mobile phones or social messaging channels should be considered within the crisis communications plan. It is beneficial to have pre-created communication templates available prior to any cyberattack as they will make it easier and faster to get your message out to different groups at the right time. One way to control communication slip-ups with employees is to establish a ladder of communications within your communications plan. This chain of communication should describe who is mandated to inform who, and in what sequence. It is vital to caution unauthorized staff to not discuss the situation externally. The rumor-mill is dangerous, especially when it originates from staff. They should be well cautioned in advance to not discuss details of any cyberattack publicly, not even with friends or family, and certainly not with the media. Instead, they should refer any inquiries to the appointed spokesperson or teams.

Media management

It is certainly advisable to break the story of any major cyberattack before the media does. There have been many instances of the media reporting a cyber incident even before the CEO had been made aware. If the attack has impacted operations, it is best to own up to the issue with as much accurate information as you have at the time. Determine the size and scope of the problem before making any definitive statements. If you report inaccurate data, such as the magnitude of any data breach, you run the risk of having to backtrack on previous statements and admit the problem was far worse than expected. Sharing accurate figures regarding the scope of the incident in the face of tough questions from media will be more beneficial for you and all stakeholders in the long run. In order to stay in control of your story, know your facts and stick to them. You will need to quickly retain control of your processes and information and ensure that each line of business is aware of the crisis recovery plan and is sending all status updates and issues encountered through the appropriate channels.

Communicate a clear recovery path

Your company must demonstrate accountability and communicate a clear and timely plan for remediation. Data loss is not only harmful and expensive, but it is also becoming increasingly less acceptable to the public, so you must do everything possible to limit the damages of data loss and interruptions to business continuity. Ensure that your communications make it clear what remedial actions your company is undertaking, so your key stakeholders can rest assured their data is in safe hands. Customers are a number one priority. Monitor the situation closely and communicate regularly. Communicate both the good news and the bad. Attempting to conceal information will backfire, your stakeholders and certainly the media are not going to react well to anything but the truth.

Learn from any mistakes and make corrections

The importance of communicating the impact of any cyberattack rapidly to all key stakeholders cannot be overstated. When any cyberattack has been contained and rectified, be sure to hold a leadership debrief to review the crisis communication plan and how the company held up. This is a vital time to make any adjustments to the plan to reinforce what worked well and determine how to improve in any areas that fared poorly. It may also be valuable to share a high-level summary from the debrief with your key stakeholders so they can rest assured the company is in good hands. Hopefully, this outline has provided some useful checkpoints to consider in your crisis communications plan, and food for thought for those of you who are yet to set a plan in place.

Remember that clean and secure data backups are your best defense in the event of any cyberattack. For any questions, please get in touch through our contact form, the Blocky team are always ready to help.

 


Ransomware attack - Who should you contact?

If you have fallen victim to a ransomware attack you will certainly have a lot of decisions to make. Like many other crime situations it can be very easy to make that ‘knee jerk reaction’ without taking a moment to step back and consider the options, or indeed look for help.

Following the shock of losing access to files, there is the towering dilemma of whether or not to pay the ransom in order to get them back. In most cases reporting the attack to relevant authorities probably doesn’t figure high on the priority list. Many organizations operate without a cyberattack incident plan, so most are unlikely to know which organization(s) they should they contact in any case.

Unfortunately, we have become conditioned to believe that incidents of online fraud and ransomware are problems to be sorted out by the victim, or with any relevant banks or financial institutions involved. There is a lack of confidence in that reporting the incident will offer no benefit. This is probably justified in some countries, with victims of cybercrimes often simply advised to go to a local police station and hope that someone on duty will be sympathetic enough to help them complete a crime report.

However, faced with the massive increase in online crime, governments and law enforcement bodies have realized that in order to have any chance of containing online crime, it needs to be treated in the same way as any other type of law breaking.

Thankfully many countries have taken this challenge seriously so that reporting ransomware and other forms of online crime has become a lot easier in the US, UK and several parts of Europe. To start accumulating better intelligence regarding cybercrime, government agencies need to persuade the public and businesses to overcome years of conditioning and start telling law enforcement what has happened to them. These investigations are vital; without real-time reporting, gathering evidence quickly enough to catch perpetrators becomes impossible. Knowing which cybercrime gangs are operating and their mode of operation is essential to improve defenses, and make informed decisions following an attack.

Where can you report cybercrime and look for help?

The good news is that in the US, UK and many parts of Europe reporting ransomware and other forms of cybercrime is getting easier. In fact, the UK launched an online cybercrime reporting system as early as 2009 in the form of Action Fraud. In 2016 the European Union Agency for Law Enforcement Cooperation, better known as Europol, in conjunction with the Dutch police and several leading cybersecurity firms launched a portal, No More Ransom, which is intended as a single point of contact and advice portal for victims who are unsure about what to do next. Also in 2016, the FBI in the US set out its first ever note encouraging ransomware victims to report attacks in some detail through the Agency’s Crime Complaint Center (IC3).

Laudable though these reporting platforms are, awareness of their existence and importance among the public remains low, hence we have taken the opportunity here to list the relevant regional reporting sites and other online resources.

Cybercrime Reporting Resources by Region

Depending on your country of operation, you have the following options available to report ransomware and other forms of cybercrime:

For the UK, visit the Action Fraud website
For the USA, visit the FBI Agency’s Crime Complaint Center (IC3).
For Germany, go to the Bund website and also the Polizei pages.
For France, go to the Agence Nationale de la sécurité website and the Le Ministère de l'Intérieur pages.
For Ireland, go to the An Garda Síochána website.

Details for other European countries can be found on the Eurpol website and the No More Ransom Report A Crime page.

In Australia, visit the Australian Cyber Security Center website.
In Canada, use the Anti-Fraud Centre website

Of course, some preparation before embarking on a cybercrime report will save time and hopefully provide advice agencies with some information to help them advise you of the appropriate next steps.

 

The following details may be required by them:

    • Date and time the attack was first noticed
    • Details of the Ransomware variant if known
    • Victim company details
    • How the infection occurred if known
    • Scope of the attack, e.g. localized or global throughout branch offices
    • Requested ransom amount
    • The perpetrator’s bitcoin wallet address
    • Any ransom amounts already paid
    • Overall losses associated with the incident
    • Details of any Personal Identifiable Information that may have been taken and threatened for exposure.

 

A cyberattack can be a stressful and difficult time for any organization. Protected backups are a vital defence mechanism to help avoid having to meet ransom demands. For any questions please get in touch through our contact form, the Blocky team are always ready to help.

Common Cyber Threats and How To Avoid Them

Cyber threats come in many forms so for that reason a holistic approach is required in order to tackle them. Cybersecurity is of the utmost importance to all organizations, so the responsibility should not fall to just one department. Everybody within the organization has a role to play, so we will kick off here by addressing some of the most common internal threats to data security.

Internal data security and employee blunders

Often the biggest security risks are not from cyber criminals, but from the staff we put in charge of data management. Employees with access to business critical and Personal Identifiable Information (PII) have the ability to either expose or damage that data maliciously, or in most instances, unintentionally.

To limit the risk of damage the principles of ‘least privilege’ should be applied to ensure that employees only have access to the data sources that are relevant to their job roles. In additional to user level access control, data volumes can also be protected against unwanted alteration through application control. Blocky for Veeam® provides application fingerprinting technology which permits only authorized system processes from writing to protected volumes. Users are unable to make direct modifications or delete files within protected volumes unless they are doing so through a permitted application. In the case of a protected volume containing Veeam Backup and Replication backup files, a user could manage backup files if they have login permissions to the Veeam management console; but direct modification of files within a protected volume by any other process such as the Windows file explorer would be blocked.

Employees are also one of the leading causes of data breaches as they routinely make mistakes which can expose sensitive information to the public, or provide useful resources to cyber criminals. Common examples include emails sent to the wrong people externally and companywide internal emails that copy recipients in the Cc field instead of using Bcc, which can result in a full company email directory falling into the wrong hands if the email is exposed externally. This type of internal email exposure provides hackers with a great database of contacts for targeting an organization with fake emails known as phishing.

Education is the key to minimizing these types of threat through the provision of email best practice guides, training and regular assessments.

Social engineering

In our earlier article The Blocky for Veeam® – 5 Step Guide to a Safer Network we highlighted that 98% of cyber-attacks rely on social engineering. This is a type of attack in which criminals imitate a trustworthy entity such as a person or an organization.

Phishing is the most common form of social engineering usually conducted over email. These are fake messages which contain urgent requests, typically highlighting a problem within an organization’s service delivery or the user’s login details.

Depending on the method of attack, the intent is to convince the user into handing over sensitive data, downloading a malicious file attachment, or providing access to a restricted network or physical location.

Some phishing scams contain links that direct users to a recreation of the legitimate site, enabling the criminals to capture the individual’s username, password and banking details. Others contain malicious attachments that infect the recipient’s computer with malware.

Although most phishing attacks are email messages, similar tactics are also common on social media, by telephone and in SMS text messages.

Malware

Malware refers to ‘malicious software’, which are pieces of code that are planted on computers and networks to perform certain activities.

Types of malware include adware which uses pop-up adverts in an attempt to generate revenue through clicks, spyware which monitors the activity on an infected device and viruses which attach themselves to programs, script files and documents with the intention to spread as far and wide as possible.

However, one of the most notorious types of malware is ransomware.

Ransomware

Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again. It has the ability to lock a computer screen or encrypt important predetermined files. Ransomware attacks are based on a simple premise: organisations need access to their files in order to operate and generate revenue. When those files are locked a ransom payment is often the most affordable way to get the business operational again.

However, those files are only valuable if they are the only copy. You can avoid criminals’ demands if you have a backup plan for when your organization is infected. Backups should be taken regularly based upon your risk analysis and recovery point objectives, but more importantly, backups should be made secure and immutable.

DDoS Attacks

DDoS (distributed denial-of-service) attacks occur when hackers use a network of compromised computers, known as a botnet, to overload a target site with traffic. The site is then unable to process such a high volume of requests and either crashes or becomes unusable.

DDoS attacks are therefore not cyber-attacks designed to steal data but rather to disrupt the target organization. As such, they’re normally conducted when the hacker has a political or personal reason to attack.

However, there have been instances of DDoS attacks being conducted to distract an organization while hackers conduct another attack, so it is very important to assess the damage following any DDoS attack once you are back online.

Hopefully the tips and trends outlined here have given you some new areas for consideration on your cyber security journey. For any questions please get in touch through our contact form, the Blocky team are always ready to help.

wanted software applications, protocols and unnecessary application features as possible to further reduce your attack surface.

Removal of all non-essential applications and features within your Veeam deployment is part of the Infrastructure Hardening process and should be applied to Veeam Backup & Replication installations.

While many utilities may offer useful features to the backup administrator, if they provide ‘back-door’ access to the system, they should be removed. Also consider additional software such web browsers and Java on your Repository servers. Elements which do not belong to the operating system or to active Veeam components should be removed. This will also make software patch level maintenance much easier.

For the Veeam Backup & Replication Server the following hardening procedures should be considered at a minimum:

    • Remove the Backup & Replication Console from the Veeam Backup & Replication server. The console is installed locally on the backup server by default.
    • Switch off the Veeam vPower NFS Service if you do not plan on using the following Veeam features: SureBackup, Instant Recovery, or Other-OS File Level Recovery (FLR) operations.

Be aware that the Backup & Replication Console cannot be removed through the installer or by using Add/Remove in Windows. You must also first de-install all Veeam Explorers before removing the console. Refer to the Veeam help centre documentation for your current version of Veeam Backup & Replication for more information.

Another target for the hardening process is The Veeam Backup Enterprise Manager (Enterprise Manager) which is a management and reporting component that allows you to manage multiple Veeam Backup & Replication installations from a single web console. Similarly, when Enterprise Manager is not in use de-install it and remove it from your environment for added security.

Cyber security can seem a daunting task with so many loop holes to plug, but with a systematic approach you can achieve a great level of protection for your backup environment. For any questions please get in touch through our contact form, the Blocky team are always ready to help.


Quick tips for Veeam® Backup Security

Cyber-attacks typically have two high level objectives, the first being to cripple business operations by encrypting vital production data, and the second more recent trend is the capture and breach of Sensitive Personal Identifying Information (PII). Backups play a key role in defense against cyber-attacks, potentially allowing systems to be restored to a known safe operational point in time; yet they also present a ‘one stop shop’ for the acquisition of PII.

The definition of PII is broad but can be summarized as information that if lost, compromised, or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. In addition, exposed PII can used by criminals to conduct identity theft, blackmail, stalking, or other crimes against their victims.

Often incidents involving data breach are significant enough to make the front pages, causing irreparable reputational harm to the organizations involved. In this article we will look at some key areas for consideration to ensure backups are kept secure, and to avoid them becoming an easy source for any data breach campaigns.

Veeam Backup Encryption

Encryption is the key tactic employed in most ransomware attacks, so let’s start by looking at Veeam encryption opportunities to beat cyber criminals at their own game.

Veeam Backup & Replication offers inbuilt encryption to protect data in backups so it is important that organizations consider using this feature. Encryption within Veeam Backup & Replication operates at the following levels: Backup job, Backup copy job, VeeamZIP and for Tapes in media pools. However, there are some caveats and nuances that need to be understood before enabling backup encryption.

One important point to realize is that encryption in Veeam Backup & Replication is not retroactive. If encryption is enabled for an existing backup job, Veeam Backup & Replication does not encrypt the previous backup chain created with this job. You may therefore wish to start a new chain so that the unencrypted previous chain can be separated and secured by other means. Also, if you enable encryption for an existing job, during the next job session Veeam Backup & Replication will create a full backup file.

Encryption also has a negative impact on deduplication ratios if you use a deduplicating storage appliance as your target. A different encryption key is used for every job session therefore encrypted data blocks sent to deduplicating storage appliances appear as different even though they may contain duplicate data. Disabling data encryption will achieve a higher deduplication ratio but at the cost of reduced security. Organizations therefore need to conduct their own risk assessments in order to make informed decisions regarding their cyber security.

Veeam provide best practices here for enabling encryption in Veeam Backup & Replication.

Veeam Database Configuration Encryption

Another source of security risk is the Backup & Replication configuration database which stores credentials to connect to virtual servers and other systems in the backup & replication infrastructure. All passwords stored in this database are encrypted, however, a user with administrator privileges on the backup server could decrypt the passwords, which presents a potential threat.

To secure the Backup & Replication configuration database, follow these guidelines:

  • Check that only authorized users can access the backup server and the server which hosts the Veeam Backup & Replication configuration database (if the database runs on a remote server).
  • Enable data encryption for configuration backup to secure sensitive data stored in the configuration database.

For more information visit the Veeam resource:Creating Encrypted Configuration Backups.

Network Data Encryption

For complete security, data needs to be protected both ‘in transit’ and ‘at rest’. Backup data which is encrypted and written to a backup target volume is secure and considered data ‘at rest’, but that data may also need protection on its journey in transit from the source to the backup repository server. Intercepting data in the middle of a transfer is a common tactic used in cybercrime, so encryption of data in transit is also vitally important.

Veeam Backup & Replication encrypts data transferred between public networks by default. However, this is not the case for data in transit within the same network. If you wish to encrypt your internal network traffic you must create a network traffic rule for this network and enable the data encryption within this rule.

More information regarding Veeam Network Traffic Management including encryption can be found here.

Physical Security

Physical access security to company IT assets and networks is of course a huge topic and the techniques available will depend on the size of the organization and the physical real estate available to store equipment. Here are some guidelines that can be implemented across most scenarios:

If you are using equipment racks whether in a datacentre on onsite within your office, lock these racks by default.

Be smart about physical equipment placement. For example, do not place the Veeam Repository server(s) in the same rack or racks as your production storage or other hypervisor hardware.

Implement Role Based Physical Access Controls by following the principle of least privilege. Give people the correct physical access rights to do their job. For example, a web development team do not need access to racks containing backups servers and likewise a backup systems administrator does not need access to development platforms.

Of course many organizations are not in a position to have their own datacentre, or want the overhead of maintaining one. Regardless of whether you are renting datacentre space, or just using an Infrastructure as a Service (IaaS) model, always check how the physical security is arranged to ensure it fits with your security policy.

Infrastructure Hardening

The task of reducing the potential opportunity for a cyberattack is known as reducing your attack surface. This involves removing as many of the potential vulnerabilities as possible that exist within your IT ecosystem. This includes physical access as described above, in additional to network and application vulnerabilities.

In our earlier article The Blocky for Veeam® – 5 Step Guide to a Safer Network we looked at the issues around the Microsoft Remote Desktop Protocol and how in some instances this could leave a door open for cyber criminals. In order to improve backup security, it is important to remove as many unwanted software applications, protocols and unnecessary application features as possible to further reduce your attack surface.

Removal of all non-essential applications and features within your Veeam deployment is part of the Infrastructure Hardening process and should be applied to Veeam Backup & Replication installations.

While many utilities may offer useful features to the backup administrator, if they provide ‘back-door’ access to the system, they should be removed. Also consider additional software such web browsers and Java on your Repository servers. Elements which do not belong to the operating system or to active Veeam components should be removed. This will also make software patch level maintenance much easier.

For the Veeam Backup & Replication Server the following hardening procedures should be considered at a minimum:

    • Remove the Backup & Replication Console from the Veeam Backup & Replication server. The console is installed locally on the backup server by default.
    • Switch off the Veeam vPower NFS Service if you do not plan on using the following Veeam features: SureBackup, Instant Recovery, or Other-OS File Level Recovery (FLR) operations.

Be aware that the Backup & Replication Console cannot be removed through the installer or by using Add/Remove in Windows. You must also first de-install all Veeam Explorers before removing the console. Refer to the Veeam help centre documentation for your current version of Veeam Backup & Replication for more information.

Another target for the hardening process is The Veeam Backup Enterprise Manager (Enterprise Manager) which is a management and reporting component that allows you to manage multiple Veeam Backup & Replication installations from a single web console. Similarly, when Enterprise Manager is not in use de-install it and remove it from your environment for added security.

Cyber security can seem a daunting task with so many loop holes to plug, but with a systematic approach you can achieve a great level of protection for your backup environment. For any questions please get in touch through our contact form, the Blocky team are always ready to help.


The Blocky for Veeam ® - 5 Step Guide to a Safer Network

The frequency of cybersecurity incidents is constantly rising. Ransomware attacks, which prevent companies accessing their files and data unless a fee is paid, have tripled over the past 12 months. In addition, we are seeing a new trend emerge, where hackers threaten to leak sensitive information if money is not handed over. This presents the additional risk to companies of heavy fines if data breaches violate data privacy polices such as GDPR.

Like many things in life, it is sometimes easy to become complacent regarding the risks associated with certain events, unless we have become a victim first-hand or have witnessed the outcome as a close observer. Cybersecurity falls into this category.

While most companies and individuals feel they have done enough to prevent a cyber-attack by installing and maintaining a basic network firewall and anti-virus scanners; very few take the time to conduct a true risk assessment of their exposure to cybercrime.

Cybersecurity is a broad and complex topic. While we could never attempt to set out a comprehensive and fool-proof cybersecurity strategy in a short article, what we can offer are some very useful pointers that should go a long way to keeping any organization's vital data and operations safe from unwanted intrusions.

Step 1 Create a Security Policy & Disaster Recovery Plan

Like so many unwelcome situations the best course of avoidance is prevention, but in order to prevent something from happening we must first consider various ways to block the possible paths that lead to our feared outcome.

"By Failing to prepare, you are preparing to fail." - Benjamin Franklin

It is alarming how many organizations fail to create and maintain an adequate security policy, or set in place an incident response plan and disaster recovery procedure.

The increase in home working has placed many more endpoint devices needing access to corporate networks over remote connections which strengthens even further the need for a robust security policy.

For this reason, the UK National Cyber Security Centre (NCSC) have developed a Cyber Resilience Toolkit with support from the British Retail Consortium (BRC) to help the retail industry become more secure. This comprehensive guide can however provide and a solid resource for any company looking to establish or improve their cyber security policy. This guide is aimed at both strategic or Director level roles, who are not technical experts but whose role and responsibilities increasingly incorporate cyber security strategy or practice.

Having an incident response and recovery plan is also an essential step towards limiting the impact of a cyber-attack and restoring business operations after an event. Some of the questions this should answer include:

  • Who should be contacted following a cyber-attack; government agencies, law enforcement bodies, external security contractors?
  • If a ransomware demand is made, who within or outside the organization should be responsible for communication with the hackers; or should contact me made at all?

You may have seen the comical meme circulating on the internet showing a glass fronted IT equipment cabinet with the caption, "In the event of a cyber-attack, break glass and pull cables".

Although this suggests a very blasé and reactive approach, it has some merit whereby any organization should establish and test procedures for limiting further damage by securing vital data assets, and temporarily disabling access to parts of the corporate network.

Password management and best practice is another important element of any cyber-security policy. Many corporate systems rely on user generated passwords which places a burden on staff to both remember multiple passwords, and ensure they are not revealed to others. You may be surprised to hear that many common measures which were indented to improve user password complexity and are actually counterproductive.

These mechanisms place additional burden on staff, encourage password repetition across systems, place extra load on systems administrators when passwords are forgotten, and in some cases can mask the detection of a security breach. The following password policies should be avoided:

  • Do not enforce password complexity requirements
  • Do not enforce regular password expiry

Instead, the focus should be on providing guidance on password creation, such as adopting the 'three random words' technique which can help users to use suitably complex passphrases that they can actually remember. Ideally, technology should be used where possible to both reduce and help staff to cope with password overload.

The NCSC provide excellent guidance on password strategies that can help your organisation remain secure.

Step 2 Educate your team on Cyber Security

98% of cyber-attacks rely on Social Engineering. The easiest way for hackers to deliver a malware payload, or gain private information, is by duping a company employee to follow a malicious link, open an attachment, or give away sensitive information or data such as usernames, passwords or banking details.

The act of disguising oneself as a trustworthy entity in an electronic communication with malicious intent is covered by the umbrella term 'Phishing', which is reasonably well known. However, there are many forms of phishing which have labels such as 'Spear Phishing' and 'Whaling', which may be less well known to many employees. Training aimed at helping staff recognize the likely forms of phishing attacks is a very valuable exercise for any company to undertake. This can be just in text book form, but a more effective approach would be to run simulated phishing attacks performed either internally, or through an external company.

There are many phishing simulator tools available on the market to assist with phishing training. Infosec Resources is an excellent online cybersecurity awareness and training resource that offers the Infosec IQ Security Awareness Training & Anti-Phishing Simulator as well as a round-up article highlighting the current Top 9 Phishing Simulators.

Step 3 Always update OS security patches and malware definition files

Cyber-attacks seek out vulnerabilities that exist within any layer of the technology stack, this extends from the physical network infrastructure in the lower layers, right through to the business applications at the top. The role of any systems administrator in the context of cybersecurity is very much a constant race against the bad guys, where the hackers always have the upper hand.

The reason for this is that most traditional security tools such as firewalls, anti-malware and anti-virus scanners are based on an approach known as 'blacklisting', whereby lists of known vulnerabilities and malware codes need to be constantly kept up to date. Of course, these vulnerabilities have already been exploited by the time they appear on any blacklist, so this traditional approach is a very reactive one, which always leaves the door open to hackers in that period of time between malware detection, and definition file updates.

Most operating systems and blacklisting based security tools offer automated updating which should be enabled for maximum protection. However, many organizations with under resourced IT departments or limited budgets, such as the public sector, often possess outdated systems and security tools which provide any easy target for cybercrime.

Application Whitelisting is the proactive opposite to security tools that use blacklisting, and operates on the premise that no application code can gain access to a network resource unless it has prior authorization. Security tools based on whitelisting can provide a protective ring fence around vital network resources and ultimately form the basis for a 'Zero-trust' approach to IT security. Zero-trust is a paradigm shift in cyber security which is gaining higher focus due to the increased security risks being presented by the shift to remote working.

This useful article from TechBeacon outlines how whitelisting and blacklisting fit best into a security strategy and how they can operate effectively together.

Step 4 Close Security Gaps

Aside from the network vulnerabilities described in Step 3 which are usually the result of a software development oversight, the other most common entry point for cyber-attacks is when doors to networks have been left wide open.

With Microsoft Windows being is the most commonly installed OS, estimated at between 77 and 87.8% globally, it is unsurprisingly the most targeted platform. Remote Desktop Protocol (RDP) is a pre-installed Microsoft Windows application that makes it easy for your employees to connect to work or home computers remotely, and is used by millions. Because RDP is so widely used, it is a common target for man-in-the-middle cyber-attacks.

With the increased need for remote access as a result of COVID-19, there has been a significant increase in cyber-attacks, particularly on RDP servers.

Although RDP operates on an encrypted channel, there is a known vulnerability in the encryption method in earlier versions of RDP, making it a preferred gateway by hackers. Microsoft estimates nearly 1 million devices are currently vulnerable to RDP security risks. The company issued a legacy patch for its outdated platforms, including Windows XP, Windows Server 2008, Windows 2003, and Windows 2007. (RDP is known as Terminal Services on these legacy platforms). Windows 8, 10, and newer operating systems are not vulnerable in this way.

Following the increase in RDP use this year, Microsoft have issued Security Guidance for Remote Desktop Adoption.

To further secure remote access, mechanisms such as 2-factor authentication should be enabled where available to help verify the identity of individuals attempting to access the corporate network, or performing other tasks such as personal data updates or transaction requests.

Security experts recommend that companies perform a network vulnerability assessment a least once per quarter. This is not only a very beneficial task from a security standpoint, but it may also be a requirement in order to meet certain industry certifications.

Vulnerability Assessments identify and address any security exposures, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed. Scanning tools are used to scan all IP addresses on the network and to identify vulnerabilities such as out of date software and patches. Depending on scope, assessments can cover an organisations internal network, external boundary or both.

A vulnerability assessment report will show a detailed network map of all end points which can be referenced against the company's IT asset register. Any unofficially added devices to the network would then be identified. These rogue devices are seldom hardened or secured and therefore introduce unwanted risk to the network.

The NCSC provide useful guidance to help companies access and prioritise vulnerabilities.

Step 5 Backup & Lockdown

Maintaining a backup schedule for vital operational and sensitive business data is an essential safeguard against cyber-attacks. Having the ability to restore systems from a backup taken from a known 'safe' point in time will improve and accelerate your chances of recovery following a cyber-attack, and hopefully mitigate the need to meet any ransomware demands.

Of course hackers know this, so the more sophisticated attacks go searching for backup files first in order to encrypt them before compromising the live production environment. Clearly malware codes can search directory structures looking for backup file extensions to encrypt, but most of the larger attacks are human driven.

Data volumes that store backup files must therefore be secured from any unauthorized access. Blocky for Veeam® uses application whitelisting technology as described to Step 3 to secure backup volumes from any modification other than by the list of system processes that have been pre-defined by the systems administrator. So in the case of Veeam®, the Veeam Backup & Replication application could be set as the only process capable of writing to a protected backup volume.

Blocky for Veeam® uses application fingerprinting techniques which make it practically impossible for a malware code to masquerade as an approved application and gain control of backup volumes.

Of course, early cyber-attack detection is essential to help determine the point in time where your backups are 'safe' and free from malware infection. You could have been sending infected data to backup for some time.

Application whitelisting should be considered for any vital data store and used in conjunction with traditional security tools as part of an overall strategy.

The 3-2-1 rule is a best practice guide for backups which suggests that three different copies of your production data should be taken, using two different types of storage media, one of which should be off-site. To further mitigate ransomware protection, Veeam® suggest adding another "1" to the rule whereby one of the media is offline1.

Examples of offline storage include tape, removable hard drives and cloud connected immutable storage. The offsite and offline techniques suggested within the 3-2-1 rule are certainly very effective but for some organisations the added complexity and costs could be beyond the resources available to them.

Hopefully the tips and trends outlined here have given you some new areas for consideration on your cyber security journey. For any questions please get in touch through our contact form, the Blocky team are always ready to help.