When dealing with malware attacks or other disasters, backup and recovery plans are a critical component to your incident response plan. A backup plan ensures you capture all the necessary information and data needed to recover from an incident. The recovery plan validates and tests that you can utilize the backups to successfully recover.
Data Backup Considerations
Even losing some data can be devastating to a business. In some cases, businesses have filed bankruptcy due to the loss of data. Having consistent and reliable backups is obvious. However, the path to getting there isn’t always clear. The following should provide some basic insight into what a business should consider in their backup plans.
- Backup Types – Do you need to perform system image backups or just certain files/databases? After performing a full backup, how many incremental backups do you do before the next full backup? Would your backups be encrypted if you were hit by ransomware? These decisions can affect how much storage space you need and how you would store your backups (e.g. onsite, offsite, offline, virtual etc.).
- Total Storage Size – Conduct capacity planning. How much storage space would you need if you backed up everything? What if you just backed up critical data and configurations? Keep in mind that in a true disaster recovery scenario, you would want to have an off-site copy of everything.
- Data Importance – How important is the data to be backed up? It is recommended you adopt a scale, such as 1 to 5, and score each server, PC, and/or user’s data. As an example, documents stored on an employee’s laptop probably aren’t as important as a server containing financial and accounting data.
- Backup Frequency – How often does your data change and how much data loss is acceptable? These are driving factors that determine how often you need to backup data. If files on a server change only once a week, then you may only need to backup once a week. If you’re running an Internet store front, you might want to backup after every purchase.
- Recovery Time – How long can you wait for the data to be restored in case of a disaster? This question will help you determine what kind of backup medium should be used. If you don’t need to recover the data rapidly, tape backup or using the cloud might suffice. If shorter recovery time is required, then storing backups to a file server or network storage may needed. If you need immediate recovery, you might consider backing up to a virtualization platform to restore a server in a virtualized environment while the original server is worked on.
- Security – What data needs to be kept confidential? Who has control over confidential data backups? Who is allowed access to the backups? Data such as accounting, customer credit cards, intellectual property, Personally Identifiable Information (PII), and other sensitive information should be protected from access by unauthorized individuals.
- Scalability – Plan for growth. A data backup strategy should take into consideration the growth of the business and the amount of new data to be backed up. Assessing future storage requirements will help keep down the costs associated with backups and recovery.
- Backup Testing – How do you know if the backups are working correctly? Can you recover data from the backups? How long will an actual recovery take? Are there any issues that need to be identified and corrected? Routinely testing your backups answers all these questions and more.
In the short term, businesses should strive to realize a plan that follows the 3-2-1 backup principle:
- Have 3 copies of your data
- Save 2 backup copies at 2 different locations
- Keep 1 backup offsite
As part of a longer-term goal, businesses should develop, implement, and fully test the backup and disaster recovery plan and integrate it as part of their enterprise business continuity plan.
Recovery Plan Components
A recovery plan should take into consideration how to minimize the total time required to fully return a system back to operation. Key factors to include in your plan:
- Recovery Point Objective (RPO) – the acceptable amount of data loss from each system measured in time
- Recovery Time Objective (RTO) – the maximum tolerable amount of time needed to bring all critical systems back online
- Work Recovery Time (WRT) – the maximum tolerable amount of time needed to verify the system and/or data integrity
- Maximum Tolerable Downtime (MTD) – the sum of RTO and WRT, MTD defines the total amount of time a business process can be disrupted without causing any unacceptable consequences
Figure 1 Recovery Timeline
RPO, RTO, WRT, and MTD are key metrics when developing backup strategies and recovery plans and are influenced by the risk assessment and Business Impact Analysis process. RPO will be a driving force in determining backup frequency and may influence the need for additional technologies and resources to reduce RTO and WRT in order to meet MTD timeline requirements.
Online backup media is typically able to attain smaller RPO and MTD windows; however, they are susceptible to data loss and system failures. In addition to online backups, one offline copy containing at least critical data and system configurations, must be kept.
Backup and Recovery Checklist
- Policies are in place prescribing backup, recovery, and data retention procedures
- Establish recovery goals
- All staff members understand the recovery plan and their duties during recovery
- System restore procedures are known to at least one trusted party outside the practice
- A copy of the recovery plan is safely and securely stored off-site
- Files and assets identified as critical are documented and listed in the backup configuration
- List of devices that require specialized backup and recovery procedures (i.e. Appliances, SCADA/DCS, storage devices)
- List of individual systems or system groups where file level backups, system image backups, or database backups are to be used
- Backup schedule is timely and regular
- Details for when full, incremental, and differential backups should be used
- Monitor process of backup jobs to ensure backups are successful
- Every backup run should be tested for its ability to restore the data accurately – use automation
- Backup media are physically stored in a secure area
- Backup media stored off-site are encrypted
- Backup media are made unreadable before disposal
- Backups are accessible only by authorized personnel
- Multiple backups are retained as a fail-safe
- Periodic restoration and data integrity testing are performed on a regular schedule
- Perform self-assessments after a recovery to identify what went well and where improvements can be made
- Integrate backup and recovery processes with a business continuity plan
Backup and recovery strategies are an important component to surviving a ransomware attack.
Read our guide on ransomware readiness for OT and ICS environments.