TitanHQ Blog

Ransomware Protection: Why the 3-2-1 Backup Strategy Works

Posted by Geraldine Hunt on Fri, Jun 30th, 2017

The 3-2-1 rule is best practice for backup and recovery. Ransomware has caused a lot of chaos and damage to networks across the globe. No backup strategy is 100% foolproof, but following the 3-2-1 rule is the strongest approach possible. To protect your data and recover from ransomware, you need to have a dependable, worry-free backup system in place. This is what the 3-2-1 backup approach is all about.

Here are a few tips that will help you keep ransomware from wrecking your network and locking up your data:

  • Use the best spam filtering you can get to protect users from phishing emails whose embedded links and attachments carry malicious code
  • Implement layers of content filtering to prevent users and automated sessions from connecting to websites that serve as download hubs
  • Run reputable anti-virus and anti-malware protection on endpoint devices
  • Regularly update and patch all of your devices
  • Use gateway antivirus, which scans all active internet sessions and strips malware-infected code from packets
  • Disable the Remote Desktop Protocol on any computers that are directly exposed to the Internet
  • Prevent files from running from within the AppData or LocalAppData folders if at all possible
  • Conduct user training to educate users to become more cynical, defensive and proactive

Patching

The latest Petya or ExPetr ransomware attack is further proof that, when it comes to ransomware, patching your systems regularly is crucial. Organisations often can't roll out updates the day they're available, since they need to test the changes and make sure they won't break anything. IT teams must build redundancy into the infrastructure, so that one system can be down for patching while a different system handles the load during that time.

Endpoint protection no longer consists of a single tool or entity.

It is a suite of well-coordinated tools that work in conjunction and supplement one another. Unfortunately, however, even the most robust, extensive array of security protection tools cannot guarantee complete protection against malware, especially in today’s mobile world in which users are constantly transporting devices beyond the safety of the network perimeter.

Ransomware’s area of infestation is limited

One comforting fact about ransomware is that its area of infestation is limited.  It isn’t a worm that is intelligently driven to spread itself far and wide across both LANs and WANs.   Its incursion is limited to local volumes and mapped drives.  Mapped drives can include the following:

  • A mapped drive pointing to a network share on a server or NAS
  • An external drive attached to the infected machine including a USB storage device
  • A locally installed cloud drive such as Dropbox

So the good news, if you can call it that, is that in the event that ransomware is able to establish a beachhead on one of your devices despite the best efforts of your network security array, the damage will be limited to the physical reach of that device only.

The go-to solution for combatting ransomware

And here is the other good news. There is one go-to solution for combatting this malware, one that will always work no matter what users may do. One solution that will prevent you from losing all of your data no matter what technical breakdown may occur in your security perimeter. That go-to solution is called proper backup. If your organization becomes a victim of ransomware, you will never have to consider making an extortion payment to some unnamed remote attacker if you perform regularly scheduled, up-to-date backups. A well-intentioned backup will be absolutely useless, however, if there is a physical link to it from the infected device.

3-2-1 backup

In order to ensure dependable, worry-free backups, you need redundancy, which is what the traditional 3-2-1 backup is all about. The topology design of the 3-2-1 backup is as follows:

  • Have at least 3 copies of your data
  • Utilize two different media formats
  • Have one of the copies be offsite

Three copies of your data means that one copy is the original data, supported by two separate backup copies. Your data should reside on two separate media, such as a network share and an SSD on some type of storage array. It can also be traditional tape media, which seems so legacy today but is mobile enough to take offsite to a secure location, such as a separate site used by your organization or even a safety deposit box at a local bank. A possible solution which satisfies both conditions, two media types and a remote location, is utilizing the snapshotting feature of your SAN infrastructure. By snapshotting your data at regular intervals throughout the day to an identical environment at a disaster recovery location, you can easily recover from an attack on a virtual host server or VM. Of course, it goes without saying that any backup plan includes regular test restorations of the data to ensure that your data can be recovered intact.
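As an added example (not part of the original post or any TitanHQ tooling), the following Python script audits a backup inventory against the 3-2-1 rule and, following the earlier point that a backup linked to the infected device is useless, counts only backups that no host mounting the original can reach. The `Copy` fields, host names, site labels and both inventories are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str               # e.g. "disk", "tape", "san-snapshot"
    site: str                # physical location label
    mounted_on: tuple = ()   # hosts that see this copy as a local or mapped drive
    is_original: bool = False

def audit_321(copies, primary_site):
    """Return a list of findings; an empty list means the inventory meets 3-2-1."""
    findings = []
    originals = [c for c in copies if c.is_original]
    backups = [c for c in copies if not c.is_original]
    # Hosts that mount the live data: if one is infected, every volume it mounts is in reach.
    exposed_hosts = {h for c in originals for h in c.mounted_on}
    # Only backups that none of those hosts can reach count as usable copies.
    isolated = [b for b in backups if not exposed_hosts & set(b.mounted_on)]
    for b in backups:
        if b not in isolated:
            findings.append(f"{b.name}: reachable from a host that mounts the original")
    if len(originals) + len(isolated) < 3:
        findings.append("fewer than 3 usable copies (original + isolated backups)")
    if len({c.media for c in originals + isolated}) < 2:
        findings.append("fewer than 2 media types among usable copies")
    if not any(b.site != primary_site for b in isolated):
        findings.append("no isolated copy is offsite")
    return findings

# Constructed inventory: the nightly USB backup is plugged into a workstation
# that also maps the file share, so it would be encrypted along with it.
WEAK = [
    Copy("fileshare", "disk", "hq", ("ws-01", "ws-02"), is_original=True),
    Copy("usb-nightly", "disk", "hq", ("ws-01",)),
    Copy("tape-weekly", "tape", "bank-vault"),
]
# Constructed fix: replace the USB drive with SAN snapshots at a DR site
# that no workstation mounts.
FIXED = [
    WEAK[0],
    Copy("san-snapshot-dr", "san-snapshot", "dr-site"),
    WEAK[2],
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_321(inventory, "hq") or "meets 3-2-1")
```
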

It needs to be mentioned that ransomware may be maturing as a form of malware and thus may evolve into new forms that may in fact be able to expand beyond direct physical connections.  The one certainty of ransomware however, is that maintaining a well-designed working backup solution will serve as an effective measure against the lasting effects of ransomware, no matter how it may evolve one day. 
