This article was written by guest contributor Chris Henderson, who runs threat operations and internal security at Huntress.
MSPs know that backup is the last line of defense when clients have a security incident—and so do the threat actors that now actively target backups during a ransomware attack.
That’s why it’s important to choose a secure backup vendor, monitor for vulnerabilities in your backup technology, and establish best practices to secure your own and your clients’ backups.
Look For “Green Flags” When Choosing A Backup Vendor
The list of red flags that should make you distrust a backup vendor is endless. There are a few key “green flags,” however, that can help you make better decisions:
The vendor is actively improving its product’s security posture
One of the best signs of continual security improvement is the presence of an active and publicized Vulnerability Disclosure Program. Soliciting feedback and paying independent security researchers for their findings leads to early vulnerability discovery and patching.
The vendor provides transparent disclosure of vulnerabilities to clients
Look through the vendor’s knowledge base or patch notes to see how much information they disclose. Is it enough to make an informed decision on the criticality of a patch? Update notes that consist of a broad statement such as “patched security issues” do not offer enough information to make an informed, risk-based decision on patching cadence.
The product is secure by default
If your backups are the last line of defense against ransomware, the backup solution needs to be securely configured out of the box. Look to see if MFA is required by default. Is data encryption natively enabled? Does it separate the ability to take a new backup and delete existing backups between roles?
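The three “secure by default” questions above (MFA on by default, encryption on, and backup creation separated from backup deletion) can be checked mechanically against whatever role and user export your backup product provides. The script below is an added example written for this article, not code from any vendor; the JSON layout (roles holding permission strings, users holding roles and an MFA flag) and the sample data are constructed, so you would adapt `load_export` to your product’s real export format.

```python
"""Audit a backup product's role/user export for the secure-by-default
properties discussed above. Input schema and sample data are constructed
for this example; adapt load_export() to your vendor's real export."""
import json

# Constructed sample export. Permission strings are placeholders.
SAMPLE_EXPORT = json.dumps({
    "roles": {
        "BackupOperator": ["backup:create", "backup:read"],
        "RestoreOperator": ["backup:read", "backup:restore"],
        "Admin": ["backup:create", "backup:read", "backup:restore",
                  "backup:delete", "user:manage"],
        "LegacyOps": ["backup:create", "backup:delete"],
    },
    "users": [
        {"name": "alice", "roles": ["BackupOperator"], "mfa": False},
        {"name": "bob", "roles": ["LegacyOps"], "mfa": False},
        {"name": "svc-backup", "roles": ["Admin"], "mfa": True},
    ],
})

# Permission pairs that should not sit in one role: whoever can write new
# backups should not also be able to destroy the old ones.
SEPARATED_PAIRS = [("backup:create", "backup:delete")]


def load_export(text):
    """Parse the (constructed) export format into a dict."""
    return json.loads(text)


def roles_violating_separation(export):
    """Return role names that hold both halves of any separated pair."""
    bad = []
    for role, perms in export["roles"].items():
        pset = set(perms)
        if any(a in pset and b in pset for a, b in SEPARATED_PAIRS):
            bad.append(role)
    return sorted(bad)


def effective_permissions(export, user):
    """Union of permissions across every role assigned to a user."""
    perms = set()
    for role in user["roles"]:
        perms.update(export["roles"].get(role, []))
    return perms


def users_without_mfa(export):
    """Any account that can sign in with a single factor."""
    return sorted(u["name"] for u in export["users"] if not u.get("mfa"))


def users_who_can_delete_without_mfa(export):
    """Highest-risk combination: delete rights reachable with one factor."""
    return sorted(
        u["name"] for u in export["users"]
        if "backup:delete" in effective_permissions(export, u)
        and not u.get("mfa")
    )


def audit(text):
    """Run every check and return the findings keyed by check name."""
    export = load_export(text)
    return {
        "separation_violations": roles_violating_separation(export),
        "no_mfa": users_without_mfa(export),
        "delete_without_mfa": users_who_can_delete_without_mfa(export),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_EXPORT).items():
        print(f"{finding}: {items}")
```

The separation check intentionally flags the Admin role as well; a fully privileged role is unavoidable in most products, but knowing exactly which accounts hold it, and confirming each of them has MFA, is the point of the audit.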
Backup Basics You Must Get Right
Once you have selected a secure vendor, there are some basics you need to get right every time for both you and your clients:
- Establish unique credentials for all users. Password reuse is a significant security risk for any application, and especially for the one that protects you and your clients as the last line of defense.
- Users should have access to only the minimal functions they need to perform their job duties.
- Credentials to your backup appliance or application should never be stored on the same assets that are being backed up. Threat actors will hunt for your backup credentials—do not make their jobs easier.
- Include your backup assets in vulnerability scans. Backup appliances, virtual or hardware, are not immune from vulnerabilities. Threat actors have recently been exploiting a vulnerability in Veeam, CVE-2024-40711, to deploy both Akira and Fog ransomware. Your vulnerability scanners need to include these assets in their scope. Critical vulnerability findings on your backup technology should be remediated as soon as feasible.
- Finally, there is often a lag before new CVEs are loaded into vulnerability scanners. To mitigate that lag, make sure you have subscribed to whichever feed your vendor uses to communicate security issues. If you can scan for a CVE, so can adversaries. There will be times you need to patch faster than your vulnerability scanning technology is able to scan for a published vulnerability.
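The last two items above describe one workflow: keep the backup appliances in your asset inventory, pull the vendor’s advisory feed directly, and reconcile the two without waiting for the scanner’s signature update. The following script is an added illustration of that reconciliation, not the page’s or any vendor’s code. The feed and inventory formats, the product names, the CVE ids (deliberately invalid placeholders) and the version numbers are all constructed; a real feed would be fetched from the vendor’s published source and mapped into the same shape.

```python
"""Reconcile a vendor advisory feed against an asset inventory so backup
appliances are flagged before the vulnerability scanner catches up.
Feed/inventory schemas, products, CVE ids and versions are constructed."""
import json

# Constructed advisory feed. CVE ids are placeholders, not real entries.
SAMPLE_FEED = json.dumps([
    {"cve": "CVE-0000-00001", "product": "ExampleBackup Server",
     "affected_below": "12.2.0", "severity": "critical"},
    {"cve": "CVE-0000-00002", "product": "ExampleBackup Agent",
     "affected_below": "6.1.3", "severity": "medium"},
])

# Constructed inventory, including appliances that are often left out of
# the scanner's scope.
SAMPLE_INVENTORY = json.dumps([
    {"host": "bk-appliance-01", "product": "ExampleBackup Server",
     "version": "12.1.10", "in_scan_scope": False},
    {"host": "bk-appliance-02", "product": "ExampleBackup Server",
     "version": "12.2.0", "in_scan_scope": True},
    {"host": "ws-finance-07", "product": "ExampleBackup Agent",
     "version": "6.0.9", "in_scan_scope": True},
])

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    """'12.1.10' -> (12, 1, 10) so versions compare numerically; a plain
    string compare would wrongly rank '12.1.10' below '12.1.2'. Assumes
    dotted integers only (no pre-release suffixes)."""
    return tuple(int(p) for p in v.split("."))


def version_below(version, threshold):
    """True when version < threshold, padding shorter tuples with zeros."""
    a, b = parse_version(version), parse_version(threshold)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def match_advisories(feed_text, inventory_text):
    """Return affected (host, cve, severity) findings, most severe first."""
    feed = json.loads(feed_text)
    inventory = json.loads(inventory_text)
    findings = []
    for asset in inventory:
        for adv in feed:
            if (adv["product"] == asset["product"]
                    and version_below(asset["version"], adv["affected_below"])):
                findings.append({
                    "host": asset["host"],
                    "cve": adv["cve"],
                    "severity": adv["severity"],
                    "installed": asset["version"],
                    "fixed_in": adv["affected_below"],
                })
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))
    return findings


def assets_outside_scan_scope(inventory_text):
    """Backup assets the scanner would never report on, patched or not."""
    inventory = json.loads(inventory_text)
    return sorted(a["host"] for a in inventory if not a.get("in_scan_scope"))


if __name__ == "__main__":
    for f in match_advisories(SAMPLE_FEED, SAMPLE_INVENTORY):
        print(f"{f['severity']:8} {f['host']} {f['cve']} "
              f"installed {f['installed']} fixed in {f['fixed_in']}")
    print("not in scanner scope:", assets_outside_scan_scope(SAMPLE_INVENTORY))
```

Running this on a schedule against the vendor feed gives you a patch queue that does not depend on the scanner vendor’s release cycle, and the scope check catches the quieter failure where an appliance was never enrolled in scanning at all.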
Backups Are Your Fail-Safe – Keep Them Protected
Backups are not a replacement for a solid security strategy and implementation. Rather, they are the final fail-safe for when your existing security controls are thwarted. There will be downtime and revenue impacts from a ransomware attack, but between virtualization and restoration capabilities, you can largely minimize your clients’ data loss. So be sure to make informed decisions to partner with a secure backup provider that provides secure default configuration. And make sure you are staying on top of vulnerabilities in one of your most critical assets.
If you missed Chris Henderson’s last column, see How To Mitigate The Risk Of Identity-based Cyberattacks As Digital Lives Merge