Sometimes, it pays to imagine yourself in your opponents’ shoes. And with that in mind, let’s have a go at a little thought experiment. If you were going to design a piece of ransomware, what would be the biggest challenge you face?
Well, speak to ex-hackers and malware "engineers," and they'll tell you that it's not the seemingly obvious one of infiltration – in most cases, a simple spear phishing email is an effective delivery mechanism. Rather, the problem is one of backups. As we've long pointed out, any organization with an effective, encrypted backup system is pretty well protected from ransomware attacks. Unfortunately, not many organizations have that kind of system.
That's not (always) because of a lack of awareness or investment, though. Some firms have state-of-the-art backup systems, in which data is beamed off-site via a satellite link and stored in hardened data centers. Unfortunately, in many cases, this just makes a hacker's life easier because all your backups are in one place and accessible via the internet.
So, here’s an idea – why not use magnetic tape for all your backups?
Despite the distant sound of laughter, I’m actually serious. Here’s why.
First, let's look at the problem. Ransomware is a risk for most organizations, but not because they lack backups. In fact, speak to most network engineers, and you'll hear the opposite – that they have too many backups. By enslaving ourselves to the 3-2-1 rule (3 copies, 2 local, 1 off-site), we've effectively used up masses of hard-drive space and ensured that half of our computing power does little more than copy the results of the other half to another drive.
But here’s the real problem: our backups aren’t very good. In fact, according to a Barkly survey of those who experienced a ransomware attack, only 42% were able to successfully recover from backup. That’s because our backups are generally pretty similar, in terms of structure and hardware, to the original data they are a copy of. And this makes them just as vulnerable.
To take a simple example of this, imagine that a “normal” user has just undertaken the task of backing up their Mac. They generally do so by copying their files to an external hard drive, which is (a) not encrypted, (b) not even password-protected, and may even be (c) shared amongst their friends. This means that their backup is even more vulnerable to ransomware than the original data.
Let’s translate this into the small business arena to see why it matters. Ransomware is not just a problem of having private data stolen or divulged publicly - either is bad. The reality is that a company might be forced to close its doors for good after an attack due to loss of faith from customers who decide to take their business elsewhere. At some point, no amount of trying to undo the public relations damage will help.
The advantages of tapes
This is where magnetic tape comes in. As we’ve long pointed out, there is a place for tape in even the most advanced network infrastructures. This is not because the medium is cheap, easy to work with, or looks great whirring away in your server room (although it does). It’s because tape is so low-tech.
Let me explain. With the correct tape rules for long-term storage in place, you can make a backup to magnetic tape that is essentially inaccessible to ransomware. The physical nature of tape – in which reels have to be loaded into read/write machines and then taken out when full – creates a natural gap between your storage medium and the machines used to read and write it.
In other words, a piece of ransomware might be advanced enough to decrypt your hard drives, use staff iPhones as an infection vector, and infiltrate Iran’s nuclear enrichment facilities, but no piece of malware ever designed can fly through the air by itself.
This is, of course, just another version of the idea of air gapping. In fact, this is the way in which a recent memo from the Tape Storage Council explains the value of the medium – “with tape, there is a gap between the cartridge and the computer systems. Disk drives remain on-line and are particularly vulnerable to an attack,” the memo says, and then points out that "tape technology prevents electronic cyberattack access to the data because a tape cartridge removed from the system is no longer accessible electronically."
The Tape Storage Council has, of course, something of a vested interest in this topic. Nevertheless, their views are surprisingly widely held by network administrators. Take a look, for instance, at this backup software forum, in which one user notes that "I always recommend using tape whenever possible as the last line of defense," because "I saw tape backup saving companies from the worst disasters so many times ... and I also saw every line of comprehensive disk-based protection strategy failing miserably, leaving users with unrecoverable data loss."
The real problem
Depending on the sophistication of your other systems, you might find the idea of “going back” to tape inherently absurd. And you might be right. According to Dan Jan, Principal, Product Management at Iron Mountain, the best way to address ransomware is to prevent attacks from happening in the first place. After an attack occurs, organizations often struggle to pick up the pieces.
This is certainly true but also points to a broader truth. Tape backup solutions are not inherently less or more secure than any other medium. While the air gap can prevent some forms of attack, the relatively low speed of tape means that using it for large amounts of data is not feasible.
What it does provide, though, is diversification. As the old saying goes, you shouldn’t put all your eggs in one basket. The same applies to backups. This means that the best approach for many organizations is actually a maximalist one – using as many different forms of storage as possible in order to leverage the advantages of all of them.
And that's my point here – that using tape might be absurd, but so is relying on your hard-coded satellite link. Diversify your backups, and you are increasing the chances of having one left in the unfortunate event ransomware comes knocking.