
posted by martyb on Saturday February 26 2022, @03:16PM

Backups 'no longer effective' for stopping ransomware attacks:

The growth of double extortion – and even triple extortion – ransomware attacks is in danger of rendering common, traditional methods of mitigating the impact of a ransomware hit, such as well-maintained backups, less efficacious, according to a report from machine identity specialist Venafi.

Data collated from Venafi's worldwide survey of IT and security decision-makers reveal that 83% of successful ransomware attacks now involve alternative extortion methods – for example, using stolen data to extort customers (38%), leaking data to the dark web (35%), and informing customers that their data has been compromised (32%). A mere 17% of attacks merely ask for money for a decryption key.

Venafi said this means that, because ransomware attacks now rely on data exfiltration, effective backup strategies are to some extent "no longer effective" for containing a breach.

"Ransomware attacks have become much more dangerous. They have evolved beyond basic security defences and business continuity techniques like next-gen antivirus and backups," said Kevin Bocek, vice-president of business development and threat intelligence at Venafi.

Venafi also found that cyber criminals are increasingly following through on their threats whether or not they get paid. Indeed, 18% of victims had their data leaked despite paying, more than the 16% who refused outright to pay anything and had their data leaked. Some 8% refused outright, but then had their customers extorted; and 35% paid, but were left hanging, unable to retrieve their data.


  • (Score: 5, Insightful) by mcgrew on Saturday February 26 2022, @03:44PM (4 children)

    by mcgrew (701) <publish@mcgrewbooks.com> on Saturday February 26 2022, @03:44PM (#1225099) Homepage Journal

    However, maybe I should start keeping the documents folder on a thumb drive, backed up on another thumb drive and not let it on my network at all. None of the other files on my network or computers have any sensitive data.

    Backing up your data is still good practice. Malware and extortion are no worse than a drive going bad without backups. Your backed up data can be read, but not deleted by bad actors.

    --
    Carbon, The only element in the known universe to ever gain sentience
    • (Score: 3, Interesting) by HiThere on Saturday February 26 2022, @09:20PM (3 children)

      by HiThere (866) on Saturday February 26 2022, @09:20PM (#1225172) Journal

      Yes, but...
      The problem is that the thumb drive can be accessed and/or modified when you insert it to update the data. Better is to write that data to a write only medium. Multi-session CDs used to be good for that, but I don't know what the modern replacement is.

      Of course, that doesn't solve the extortion problem.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 2) by Freeman on Monday February 28 2022, @05:27PM (2 children)

        by Freeman (732) on Monday February 28 2022, @05:27PM (#1225641) Journal

        For Big Data, you've about only got Tape at that point? They do have a read-only notch on the cartridge, right? For Optical Discs, you have DVDs, 4.7/8.5/9.4/17.08GB capacities and Blu-Rays, 25/50/100/128GB capacities. Both of which can hold vastly more than a CD with typical capacities between 600-700MB.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by HiThere on Monday February 28 2022, @09:16PM (1 child)

          by HiThere (866) on Monday February 28 2022, @09:16PM (#1225719) Journal

          The point isn't "read only", it's "modification not allowed". That's why I mentioned multi-session CDs. A write notch doesn't mean the same thing. Yeah, and floppy disks used to have a manual switch that you could push up to mean "write not allowed", but that didn't allow you to write an extension.

          Also, the comparison here is with a thumb drive. Tapes are a different league. Perhaps DVDs or BluRay disks allow "read or append only" access, I don't know.

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
          • (Score: 2) by Freeman on Monday February 28 2022, @11:32PM

            by Freeman (732) on Monday February 28 2022, @11:32PM (#1225739) Journal

            DVDs and Blu-Rays work like CDs. You would have to hack the drivers or something to get a CD/DVD/Blu-Ray drive to modify a Read-Only Disc.

            https://www.sony.com/electronics/support/articles/00024787 [sony.com]

            DVD-R and DVD+R discs are already preformatted for burning and cannot be formatted again. In addition, attempting to format a DVD-R or DVD+R may render the disc unusable.

            So far as I know, they are as resistant to writing over as a multi-session CD / CD-R. You can also create multi-session DVDs and Blu-Rays. Also, I wouldn't recommend using a multi-session disc for "backup safety". Since you're not normally able to read that disc on a different computer.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 2) by progo on Saturday February 26 2022, @04:29PM (4 children)

    by progo (6356) on Saturday February 26 2022, @04:29PM (#1225108) Homepage

    If I have a secure machine that logs in to the backup subject's system with the subject's credentials, and pulls changes for versioned backups going back several weeks, how would ransomware break this?

    (Of course in reality I only have a setup like that for my shared web hosting account. I'm not paranoid enough.)
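A minimal version of the pull-model, versioned backup described in the comment above, as an added example (not progo's own setup). It assumes `source` is a directory tree the backup host has already pulled; in a real deployment the backup host initiates an rsync or sftp session over SSH and the source host holds no credentials for the backup host, so a compromised source cannot reach the snapshots. Hard links play the role of `rsync --link-dest`, so unchanged files cost no extra space, and the churn figure is the hint that a pull just captured a mass rewrite.

```python
import hashlib
import os
import shutil
import time


def _digest(path):
    """SHA-256 of a file, streamed so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _unchanged(src, old):
    """True when the previously backed-up copy matches the current file."""
    return (old is not None and os.path.isfile(old)
            and os.path.getsize(old) == os.path.getsize(src)
            and _digest(old) == _digest(src))


def list_snapshots(repo):
    """Snapshot directory names, oldest first (names sort chronologically)."""
    if not os.path.isdir(repo):
        return []
    return sorted(d for d in os.listdir(repo)
                  if os.path.isdir(os.path.join(repo, d)))


def pull_snapshot(source, repo, stamp=None):
    """Materialise repo/<stamp>/ as a complete tree of `source`.

    Files identical to the previous snapshot become hard links into it, so a
    snapshot only costs the data that changed (rsync --link-dest semantics).
    Returns (snapshot_dir, changed_files, total_files).
    """
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    os.makedirs(repo, exist_ok=True)
    previous = list_snapshots(repo)
    prev_dir = os.path.join(repo, previous[-1]) if previous else None
    snap_dir = os.path.join(repo, stamp)
    changed = total = 0
    for root, _dirs, files in os.walk(source):
        rel = os.path.relpath(root, source)
        out_dir = os.path.normpath(os.path.join(snap_dir, rel))
        os.makedirs(out_dir, exist_ok=True)
        for name in files:
            total += 1
            src = os.path.join(root, name)
            dst = os.path.join(out_dir, name)
            old = os.path.normpath(os.path.join(prev_dir, rel, name)) if prev_dir else None
            if _unchanged(src, old):
                os.link(old, dst)       # share storage with the older snapshot
            else:
                shutil.copy2(src, dst)  # new or modified content: fresh copy
                changed += 1
    return snap_dir, changed, total


def churn_ratio(changed, total):
    """Share of files rewritten since the last pull. Normal days sit near zero;
    a jump towards 1.0 is what mass encryption on the source looks like, and a
    reason to stop pruning and keep every older snapshot."""
    return changed / total if total else 0.0


def prune(repo, keep):
    """Remove the oldest snapshots beyond `keep`. Only the backup host runs
    this; the source host has no path to it, so malware there cannot shorten
    retention. Returns the remaining snapshot names."""
    snaps = list_snapshots(repo)
    for old in snaps[:-keep] if keep > 0 else snaps:
        shutil.rmtree(os.path.join(repo, old))
    return list_snapshots(repo)


if __name__ == "__main__":
    # Constructed demo: two pulls with one file rewritten in between.
    import tempfile
    src, repo = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(src, "a.txt"), "w") as f:
        f.write("quarterly report\n")
    print(pull_snapshot(src, repo, "s1"))
    with open(os.path.join(src, "a.txt"), "w") as f:
        f.write("<<encrypted>>\n")
    _, changed, total = pull_snapshot(src, repo, "s2")
    print("churn", churn_ratio(changed, total), "snapshots", list_snapshots(repo))
```

As with `rsync --link-dest`, the snapshots are only as safe as the backup host: linked versions share an inode, so an in-place write on the backup host would alter every snapshot that links the file. That is acceptable precisely because the source host, the one that gets hit, never has a session to this machine.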

    • (Score: 2) by progo on Saturday February 26 2022, @04:32PM (3 children)

      by progo (6356) on Saturday February 26 2022, @04:32PM (#1225109) Homepage

      Bah. I misread the story. It's saying that the operational damage is from stealing data, not from losing access to data. As the previous comment says: you still need backups.

      • (Score: 1, Insightful) by Anonymous Coward on Saturday February 26 2022, @04:43PM (2 children)

        by Anonymous Coward on Saturday February 26 2022, @04:43PM (#1225113)

        What this says, is that you need a different method of backing up. As in, the computers with the data aren't connected to the net and only the encrypted files are backed up. This has logistical issues as encrypted files can't be compressed and shouldn't be deduplicated.

        In other words a lot of sneakernet transfers and wasted storage space. As well as something like mirrored zfs with snapshots enabled.

        • (Score: 2, Informative) by Anonymous Coward on Saturday February 26 2022, @08:49PM (1 child)

          by Anonymous Coward on Saturday February 26 2022, @08:49PM (#1225169)

          You compress the files before encrypting
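What "compress, then encrypt" buys a backup pipeline, and why the encrypted-files-only scheme in the grandparent comment cannot be deduplicated, as an added example that is neither commenter's code. The cipher is a deliberately simple SHA-256 counter-mode keystream with an HMAC tag so the block runs on the standard library alone; in production use an AEAD such as AES-GCM from a real library, which has the two properties the example relies on: ciphertext has no redundancy left for a compressor, and a fresh nonce makes identical plaintexts encrypt differently. The sample log data is constructed.

```python
import hashlib
import hmac
import os
import zlib

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Toy SHA-256 counter-mode keystream: a demonstration stand-in for a real
    AEAD. Do not use it for anything but this example."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, data, nonce=None):
    """nonce || ciphertext || HMAC tag. A random nonce per call means the same
    file encrypts to a different blob every time."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def pack(key, data):
    """Backup-side order: compress first, then encrypt the compressed bytes."""
    return encrypt(key, zlib.compress(data, 9))


def unpack(key, blob):
    return zlib.decompress(decrypt(key, blob))


def size_report(key, data):
    """Bytes on disk for the two orderings. Encrypt-then-compress cannot shrink:
    DEFLATE finds no repetition in ciphertext and falls back to stored blocks."""
    return {
        "raw": len(data),
        "compress_then_encrypt": len(pack(key, data)),
        "encrypt_then_compress": len(zlib.compress(encrypt(key, data), 9)),
    }


def deduplicable(key, data):
    """False: two backups of an unchanged file yield different ciphertexts, so a
    dedup stage placed after encryption has nothing to merge."""
    return encrypt(key, data) == encrypt(key, data)


# Constructed sample: 500 near-identical log lines, the kind of data that
# compresses by an order of magnitude.
SAMPLE = b"".join(
    b"2022-02-26T10:%02d:%02dZ fileserver smbd[2112]: alice opened /share/finance/q4.xlsx\n"
    % (i // 60, i % 60) for i in range(500))

if __name__ == "__main__":
    k = os.urandom(32)
    print(size_report(k, SAMPLE))
    print("dedup possible after encryption:", deduplicable(k, SAMPLE))
```

The practical consequence for the air-gapped scheme is that compression has to run on the trusted side before the encryption step, and capacity planning has to assume one full-size copy per file per backup generation, since neither the transport nor the backup target can squeeze or merge the blobs afterwards.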

          • (Score: 0) by Anonymous Coward on Saturday February 26 2022, @10:19PM

            by Anonymous Coward on Saturday February 26 2022, @10:19PM (#1225193)

            It depends how you're storing the files. Compressing individual files may or may not be acceptable.

  • (Score: 5, Interesting) by Mojibake Tengu on Saturday February 26 2022, @04:43PM (5 children)

    by Mojibake Tengu (8598) on Saturday February 26 2022, @04:43PM (#1225112) Journal

    Archive as NFS on ZFS. Requires kitchen server with its own UPS. Server has no ssh login at all, but own console. Strictly no other services to net except NFS. Good size quad mirror zpool on geli encryption down under.

    Can't be effectively stolen, invaded or infected directly and does snapshots and backups automagically on itself.
    If something happens to client's data at the client mount, there is still a historical time series of many previous snapshots.

    What I do not understand, why commercial NAS devices are not built simply just like that. Remote administration of any critical device is a weakest point.

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
    • (Score: 1, Interesting) by Anonymous Coward on Saturday February 26 2022, @06:16PM (1 child)

      by Anonymous Coward on Saturday February 26 2022, @06:16PM (#1225130)

      You can also use SMB, which is capable of exposing ZFS snapshots natively as Windows File History, which makes recovery by end users trivial. ZFS, at least ZFS-on-Linux, has native encryption capability now, no need to use geli or LUKS. Using the native capability also allows backups by zfs send/receive even if the target remote server doesn't have the ZFS encryption keys. Handling lower layer encryption backups can be trickier in comparison.

      In order to have a wide appeal NAS appliances have to:
        1) be easily administrable, which means exposing system settings via layers of potentially insecure web technologies
        2) provide many, many services at once due to the sheer scope of NAS-related technologies
        2a) provide too many legacy connection options

      Obviously using a specialized, custom-built system is better, but also way more expensive. Not only do you have to hire someone to design and build it, but also to keep it running. NAS vendors at least try to provide timely security updates, but it's always a game of cat-and-mouse. The end users also have to install those updates, which means possible downtime most people want to avoid.
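The retention side of the self-snapshotting archive in the parent comment, plus the key-less off-site copy this reply mentions (raw send of a natively encrypted dataset), as an added example that is neither commenter's code. It assumes a dataset named tank/archive and only consumes text in the format of `zfs list -Hp -t snapshot -o name,creation`; the `zfs destroy` and `zfs send --raw -I` argv lists it builds are returned, not executed, so it runs without ZFS present. The sample listing and the "current time" are constructed.

```python
import datetime as dt

DAY = 86400
NOW = 1645833600 + 12 * 3600        # 2022-02-26 12:00 UTC, constructed "current time"


def parse_snapshots(listing):
    """Parse `zfs list -Hp -t snapshot -o name,creation` output (tab-separated
    name and creation epoch) into [(name, epoch)], oldest first."""
    snaps = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, creation = line.split("\t")
        snaps.append((name, int(creation)))
    return sorted(snaps, key=lambda s: s[1])


def plan_retention(snaps, now, keep_daily=14, keep_weekly=8, keep_monthly=12):
    """Decide which snapshots survive a pruning pass.

    Everything younger than keep_daily days stays; beyond that the newest
    snapshot of each ISO week for keep_weekly weeks, then the newest of each
    month for keep_monthly months. The newest snapshot always stays: it is the
    incremental base the next `zfs send -I` starts from.
    Returns (keep, destroy) as name lists, oldest first within each.
    """
    weekly_edge = keep_daily + 7 * keep_weekly
    monthly_edge = weekly_edge + 31 * keep_monthly
    keep, seen_weeks, seen_months = set(), set(), set()
    for name, created in reversed(snaps):                # newest first
        age = (now - created) / DAY
        when = dt.datetime.fromtimestamp(created, dt.timezone.utc)
        if not keep or age <= keep_daily:                 # `not keep`: newest survives
            keep.add(name)
        elif age <= weekly_edge:
            iso = when.isocalendar()
            week = (iso[0], iso[1])
            if week not in seen_weeks:
                seen_weeks.add(week)
                keep.add(name)
        elif age <= monthly_edge:
            month = (when.year, when.month)
            if month not in seen_months:
                seen_months.add(month)
                keep.add(name)
    return ([n for n, _ in snaps if n in keep],
            [n for n, _ in snaps if n not in keep])


def destroy_commands(destroy):
    """argv lists for the pruning pass. This runs on the archive's console
    only; NFS clients have no way to issue it."""
    return [["zfs", "destroy", name] for name in destroy]


def raw_send_command(snaps, last_replicated):
    """argv for shipping every snapshot after `last_replicated` to an off-site
    box. --raw sends the encrypted blocks unchanged, so the receiver never
    holds the dataset key and cannot read what it stores. None when there is
    nothing new or the base is unknown (a full send is needed then)."""
    names = [n for n, _ in snaps]
    if last_replicated not in names or last_replicated == names[-1]:
        return None
    return ["zfs", "send", "--raw", "-I", last_replicated, names[-1]]


def sample_listing(ages_days=(500, 110, 100, 27, 21, 20, 1, 0)):
    """Constructed `zfs list` output: one auto-snapshot taken at 03:00 UTC on
    each of the given numbers of days before NOW."""
    lines = []
    for age in ages_days:
        created = NOW - age * DAY - 9 * 3600
        stamp = dt.datetime.fromtimestamp(created, dt.timezone.utc).strftime("%Y-%m-%d_%H%M")
        lines.append("tank/archive@auto-%s\t%d" % (stamp, created))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    snaps = parse_snapshots(sample_listing())
    keep, destroy = plan_retention(snaps, NOW)
    for cmd in destroy_commands(destroy):
        print(" ".join(cmd))
    print(" ".join(raw_send_command(snaps, keep[-2])))
```

With the constructed listing, the pass keeps today's and yesterday's snapshots, one per ISO week for the two weekly-age ones (the 20-day and 27-day snapshots; the 21-day one shares a week with the 20-day one), and one per month for the two November ones, and drops the 500-day snapshot that is past the monthly horizon. The point for the thread is that this decision is made by a process on the archive host against its own clock; a client that mounts the share can overwrite live files but has no interface to shorten the history.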

      • (Score: 2) by Mojibake Tengu on Sunday February 27 2022, @03:31AM

        by Mojibake Tengu (8598) on Sunday February 27 2022, @03:31AM (#1225275) Journal

        Since Linux does not support delegation with ZFS, for it has no relevant user filesystem control facility necessary for this, I cannot use Linux for servers nor for virtualization.

        More importantly, I use this setup for more than a decade already, rock solid. No need for me to experiment with newish possibly unreliable features.

        And finally, I consider SMB protocol untrusted, even on Linux.

        --
        The edge of 太玄 cannot be defined, for it is beyond every aspect of design
    • (Score: 4, Insightful) by maxwell demon on Saturday February 26 2022, @06:22PM (1 child)

      by maxwell demon (1608) Subscriber Badge on Saturday February 26 2022, @06:22PM (#1225133) Journal

      And how does this backup system prevent live data from being read off the live system?

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Sunday February 27 2022, @05:36AM

        by Anonymous Coward on Sunday February 27 2022, @05:36AM (#1225287)

        Precisely, the only reasonable solutions involve some sort of air gap. I wonder what is going to need to happen in order to get companies to just accept that you can't have sensitive information kept on Internet connected computers and not expect this.

        I guess that won't happen until they're identifiable and liable.

    • (Score: 1, Funny) by Anonymous Coward on Saturday February 26 2022, @09:42PM

      by Anonymous Coward on Saturday February 26 2022, @09:42PM (#1225176)
  • (Score: 1, Flamebait) by Anonymous Coward on Saturday February 26 2022, @05:47PM (11 children)

    by Anonymous Coward on Saturday February 26 2022, @05:47PM (#1225123)

    then damn keep them UNCONNECTED to the damn Internet!!! HOW is that so hard to understand???

    If you do not bother to keep your data secure, then you have only yourselves to blame for damage when they get leaked.

    • (Score: 2, Informative) by Anonymous Coward on Saturday February 26 2022, @06:13PM

      by Anonymous Coward on Saturday February 26 2022, @06:13PM (#1225128)

      Everything is online now, their business models depend on securely accessing the data over the net. You're not wrong though, and where possible data should be protected in that manner.

    • (Score: 0) by Anonymous Coward on Saturday February 26 2022, @06:20PM (4 children)

      by Anonymous Coward on Saturday February 26 2022, @06:20PM (#1225132)

      Good advice, but usually it's not the NAS or servers themselves which get attacked, but workstations that access the data on daily basis. You can't expect the workstations to be off the Internet when most of the work depends in some way on it.

      Proper design of data access policies, permissions, auditing and active monitoring of access patterns is the proper solution. If you detect that one workstation is modifying huge amounts of data, then it's time to check it out, for example. As always proper security is expensive, and most of the time only considered AFTER a huge breach has happened.
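The "one workstation modifying huge amounts of data" check from the comment above, run over file-server audit lines, as an added example that is not the commenter's code. The log lines and their field layout (time, host, user, operation, path, optional rename target) are constructed for the demo; `parse_line()` is the part to adapt to a real source such as Samba's full_audit output or Windows 4663 events. It goes one step past the comment by also counting mass reads, since the article's point is that exfiltration, not only encryption, is what the attacker is after.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed line format: "<ISO time> <host> <user> <OP> <path>[ -> <new path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<op>OPEN|READ|WRITE|RENAME|DELETE) (?P<path>\S+)(?: -> (?P<new>\S+))?$")

MODIFYING = {"WRITE", "RENAME", "DELETE"}


def parse_line(line):
    """Dict with a UTC epoch timestamp, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc).timestamp()
    return rec


def _ext(path):
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def detect(lines, window=60, max_modify=50, max_ext_changes=10, max_reads=300):
    """Sliding-window counters per host; one alert per host per signal.

    Signals (all within `window` seconds on one host):
      modify      - WRITE/RENAME/DELETE volume above max_modify
      ext_change  - RENAMEs that change the extension above max_ext_changes
                    (encryptors tagging files .locked, .crypt and so on)
      read        - READ/OPEN volume above max_reads (staging for exfiltration)
    Each alert: {"host", "user", "signal", "count", "first_ts", "last_ts"}.
    """
    limits = {"modify": max_modify, "ext_change": max_ext_changes, "read": max_reads}
    recent = defaultdict(lambda: {s: deque() for s in limits})
    fired, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        signals = []
        if rec["op"] in MODIFYING:
            signals.append("modify")
            if rec["op"] == "RENAME" and rec["new"] and _ext(rec["new"]) != _ext(rec["path"]):
                signals.append("ext_change")
        else:
            signals.append("read")
        for signal in signals:
            q = recent[rec["host"]][signal]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) >= limits[signal] and (rec["host"], signal) not in fired:
                fired.add((rec["host"], signal))
                alerts.append({"host": rec["host"], "user": rec["user"], "signal": signal,
                               "count": len(q), "first_ts": q[0], "last_ts": rec["ts"]})
    return alerts


def _lines(host, user, op, start_sec, count, step_tenths, path_fmt, new_fmt=None):
    """Constructed audit lines starting at 10:00:00Z + start_sec, one every
    step_tenths/10 seconds (integer maths keeps the timestamps exact)."""
    out = []
    for i in range(count):
        t = start_sec + (i * step_tenths) // 10
        ts = "2022-02-26T10:%02d:%02dZ" % (t // 60, t % 60)
        line = "%s %s %s %s %s" % (ts, host, user, op, path_fmt % i)
        if new_fmt:
            line += " -> " + (new_fmt % i)
        out.append(line)
    return out


# Constructed sample: bob edits a few files over ten minutes (normal), WS-17
# renames 120 spreadsheets to .locked within a minute (encryptor), WS-23 opens
# 400 files in 40 seconds (bulk read, exfiltration staging).
SAMPLE_LOG = (
    _lines("WS-04", "bob", "WRITE", 0, 5, 1200, "/share/finance/budget%d.xlsx")
    + _lines("WS-17", "alice", "RENAME", 300, 120, 5,
             "/share/finance/doc%d.xlsx", "/share/finance/doc%d.xlsx.locked")
    + _lines("WS-23", "carol", "OPEN", 600, 400, 1, "/share/hr/record%d.pdf")
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Thresholds are the tuning knob: a build server or a nightly report job will legitimately rewrite hundreds of files a minute, so in practice the limits are set per host class, and the extension-change signal is the one that stays quiet for legitimate bulk work.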

      • (Score: -1, Troll) by Anonymous Coward on Saturday February 26 2022, @06:38PM (3 children)

        by Anonymous Coward on Saturday February 26 2022, @06:38PM (#1225139)

        You can't expect the workstations to be off the Internet when most of the work depends in some way on it.

        Is keeping TWO damn boxes connected to two damn LCDs on the same desk SO damn hard?

        An Internet connected one for emails, searches, and online timewasting; and another on the internal network where sensitive data are, and no Internet-connected device allowed in.
        If something from the sensitive-data network ever needs to be emailed for some reason, then damn print it out, then scan it in, and send. Or do a photo of the screen and send that. If that is "too hard", then your data are not sensitive enough.

        • (Score: 3, Insightful) by Anonymous Coward on Saturday February 26 2022, @06:43PM (2 children)

          by Anonymous Coward on Saturday February 26 2022, @06:43PM (#1225142)

          Yes, it is that damn hard. Normal people barely comprehend a single PC, and you expect them to handle two with no method of sending data from one to the other?
          Your solution is clearly not a realistic one. We're talking about normal companies handling client data, like internet shops and so on, not NSA state secrets.

          • (Score: 1, Insightful) by Anonymous Coward on Saturday February 26 2022, @07:10PM (1 child)

            by Anonymous Coward on Saturday February 26 2022, @07:10PM (#1225148)

            Those "normal companies" can choose; either they do NOT gather and keep sensitive client data, or they are fully liable for criminal negligence when the mis-kept data get stolen from them.
            If people cannot be bothered to handle sensitive data with proper care, they SHOULD NOT BE HANDLING THEM AT ALL.

            • (Score: 3, Funny) by Anonymous Coward on Saturday February 26 2022, @07:26PM

              by Anonymous Coward on Saturday February 26 2022, @07:26PM (#1225152)

              Then by the finest capitalist principles they choose not to care unless they are in the EU and are bound by the GDPR rules.

    • (Score: 2) by maxwell demon on Saturday February 26 2022, @06:38PM (3 children)

      by maxwell demon (1608) Subscriber Badge on Saturday February 26 2022, @06:38PM (#1225140) Journal

      Indeed, online shops should only store their customers' credit card info offline. And require the customer to send it in on paper, so that it never touches the internet-connected servers. That certainly will gain them lots of customers. </sarcasm>

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 1, Insightful) by Anonymous Coward on Saturday February 26 2022, @07:01PM (1 child)

        by Anonymous Coward on Saturday February 26 2022, @07:01PM (#1225146)

        Indeed, online shops should only store their customer's credit card info offline.

        How about NOT STORING IT AT ALL?
        The ONLY place on the damn Internet that has ANY business storing my credit card info, is the bank that issued the card. Any other outfit that keeps the data past the transaction, is doing it for the sole reason of scamming me.
        Not that in my case the data they squirrel away would help them, or any other crooks, any: https://en.wikipedia.org/wiki/3-D_Secure [wikipedia.org]

        • (Score: 0) by Anonymous Coward on Saturday February 26 2022, @07:21PM

          by Anonymous Coward on Saturday February 26 2022, @07:21PM (#1225150)

          You should be aware then that 3-D Secure can be skipped by the payment processor, for example Amazon Payment Services (https://paymentservices.amazon.com/docs/EN/54.html):
          >It is also possible to bypass the 3D Secure authentication process based on a set of rules that you define in the back office.

      • (Score: 5, Interesting) by Thexalon on Saturday February 26 2022, @07:37PM

        by Thexalon (636) Subscriber Badge on Saturday February 26 2022, @07:37PM (#1225159)

        As someone who worked for many years on credit card processing for a fairly major company: The only leak we had of credit card data, at least that we ever found out about, was a set that came in over the phone and were processed by a customer service rep (who was caught and arrested). So requiring customers to send it in on paper isn't just inconvenient, it's creating a weak point, namely the humans who process the piece of paper.

        But the sibling is right that payment card data is supposed to be treated like a hot potato, something to get rid of as quickly as possible or even better not have at all. The ideal flow of that data these days for online transactions is from browser to payment processor, without going through the retailer's server at all. Now, that does create a giant problem if, say, Chase Paymentech gets pwned, but they have a level of resources to prevent being pwned that your average small online retailer just doesn't have.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 0) by Anonymous Coward on Sunday February 27 2022, @01:30PM

      by Anonymous Coward on Sunday February 27 2022, @01:30PM (#1225318)

      Office and web browsers auto-create and log on to an internet account. It just gets worse year after year. Windows 11 will require a MS account and no doubt in the future a phone number.

      Two courses I have attended required a Microsoft account.

      A school requires kids to use a google account to access the coursework.

      Work is the same. All devices have AAD now. Teams is a backdoor for patches. Integrated with Office.

      How will people work offline? Not with Windows

  • (Score: 2) by EvilSS on Saturday February 26 2022, @07:38PM (1 child)

    by EvilSS (1456) Subscriber Badge on Saturday February 26 2022, @07:38PM (#1225160)
    To see who actually reads the summary and not just the headline.
    • (Score: 0) by Anonymous Coward on Saturday February 26 2022, @08:48PM

      by Anonymous Coward on Saturday February 26 2022, @08:48PM (#1225168)

      I for one come here to read the comments.

  • (Score: 5, Interesting) by jon3k on Saturday February 26 2022, @07:41PM (1 child)

    by jon3k (3718) on Saturday February 26 2022, @07:41PM (#1225161)

    Why are we calling everything ransomware now? If you just break into a server and can access the data you can leak it on the dark web, extort the owner or inform customers that you stole it. No ransomware required.

    • (Score: 0) by Anonymous Coward on Saturday February 26 2022, @11:00PM

      by Anonymous Coward on Saturday February 26 2022, @11:00PM (#1225213)

      I guess if there is no software involved you can call it a cyber ransom attack? If there is software involved then you can call it a ransomware attack?

  • (Score: 3, Interesting) by MIRV888 on Saturday February 26 2022, @09:18PM (2 children)

    by MIRV888 (11376) on Saturday February 26 2022, @09:18PM (#1225171)

    I am of the opinion that a motivated intelligent group of hackers can compromise just about any system that isn't entirely offline. So that leaves you needing mitigation procedures/ designs in addition to traditional backup and firewall policies.
    It's not that you did something wrong to allow the attack to happen. It's what do you do once it does.

    • (Score: 2) by HiThere on Saturday February 26 2022, @09:32PM (1 child)

      by HiThere (866) on Saturday February 26 2022, @09:32PM (#1225175) Journal

      Ummmm....no. But that's probably true for any default configured system. Many FOSS systems have the ability to be stripped of most attack surfaces, and some of them can be stripped quite far. But you can't access lots of services on them at that point. It's quite difficult to attack a system where the only access you have is an HTTP1 interface (no JavaScript!). It's possible to strip things even further, where there's only custom text based access, and only a limited set of predefined commands can be run, including NONE that allow batch access. But it's inconvenient to use.

      There are lots of choice points where the choice made has been "easy" rather than "secure". Those are still available if you put enough work into things. But it won't look like a modern system.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 0) by Anonymous Coward on Monday February 28 2022, @05:35AM

        by Anonymous Coward on Monday February 28 2022, @05:35AM (#1225472)

        only custom text based access

        Although it's possible to write custom software that is not insecure, it's nearly guaranteed that a custom program will have more bugs in it than a mature one.

        I would take a well-configured SSH instance over any kind of custom program with text input.
