The three layers of protection you'll need against Ransomware in 2018



A guide to protect your data from Ransomware

Protecting online systems has become an increasingly difficult job.

Over the last decade, we’ve seen the role of IT security become more crucial, not only within the datacenter but across entire organizations. A company’s data is now its most important asset, and must be protected against a growing number of threats. Optimizing your cybersecurity strategy requires understanding the evolution of attacks, the current threat landscape, and the emerging best practices that keep data safe.



Cyber attacks are as old as the internet

Hackers, viruses and malware have been part of the internet almost since its inception. The earliest incidents of cyber attacks include the successful hacking in 1983 of computer systems at multiple institutions, including the Lawrence Livermore National Laboratory. However, it wasn’t until the 1990s that cyber attacks became more rampant and damaging. In 1998, the Morris worm virus infected an estimated 6,000 computers and caused an estimated $98 million in damages. This was a pivotal moment in internet history, when criminals realized that illegal access to computers and networks allowed them to steal more money than in the “real world” and with less risk, since they didn’t have to be physically present to commit the crime. As businesses were increasingly going digital, a new era of cyber criminals began to emerge.


The first known ransomware was AIDS written in 1989. The malware hid files and encrypted file names, demanding payment in order to receive a fix tool. Since the malware used symmetric encryption, the encryption key could be extracted from the malware data and recovery was possible without having to break the encryption. Fans of Neal Stephenson’s Cryptonomicon might recall that the use of asymmetric encryption for ransomware, first proposed in 1996, changed the landscape of ransomware: data was no longer decryptable by the encryption key in the malware code. The attacker held the key for decryption.


In 2017 the rise of ransomware attacks brought this malware to the forefront of cyber security discussions. As individuals, businesses, schools and hospitals became victims, the majority of users are now keenly aware of its dangers. The fact that attackers can turn strong encryption that was created to protect data against its users is quite frightening.

Ransomware today is big business

Ransomware is an extremely profitable business. Ransoms paid to criminals last year were estimated at over $5Bn USD. The anonymity in the form of cryptocurrency gives the attacker a convenient way to obtain payment with the certainty that they can’t be tracked. Ransomware attacks have also become painfully constant. The availability of bitcoin has created an untraceable form of payment and it has made it easier for attackers to exploit vulnerabilities remotely, turn encryption into a weapon, and receive ransom.


Experts predict an increase in attacks, both in frequency and volume. Even worse, these attacks will become more targeted and sophisticated, targeting specific organizations and individuals, and everyday objects such as cars and appliances due to the increasing adoption of IoT.

How to keep your data safe

The cyber security industry has grown tremendously and there are now many ways to protect, prevent and recover from cyber attacks. The first aspect of preparation is adopting a mindset of expecting an attack. This allows you to consider both your personal data, as well as your business needs in terms of recovering from an attack, and work backwards on determining what you need to do to fill in the gaps. It’s a matter of thinking “When and how will we be a target of a cyber attack?” instead of ‘if’.

I. Start with prevention

By shifting your mindset from ‘if’ to ‘when’, certain activities which may appear burdensome, tedious, and sometimes are even ignored will become relevant and important. Take for instance routine updates and patching. Although the process may seem repetitive, it should be a priority for any organization.


Start with periodic or scheduled port and vulnerability scans, remediating any vulnerabilities that are found immediately. Network segmentation can limit the exposure to a successful attack and application blocking can prevent malicious code from being able to run. Improved management of user access by either ramping up password policies or replacing them with more secure user authentication methods can prevent unauthorized access.


Security experts recommend that teams learn from these regular activities by either reflecting on them individually or discussing as a group how best to introduce practices for specific parts of your environment. By making sure that routine activities have a feedback component, you can convert them into internal projects that deliver valuable learning for the organization.

Educating users patches your biggest vulnerability

One of the biggest vulnerabilities in an organization is the human being. Social engineering techniques like phishing or baiting take advantage of cognitive biases that are inherent to human decision making to gain access to systems or introduce malware. Having a culture of security that makes people aware of these biases and techniques to counter them is critical. User training around security has to be one of the central projects of any IT organization. Hours can be spent designing and implementing a highly secure IT infrastructure, but it can be breached when a single user clicks on the wrong file. Training should be complemented with clearly defined frameworks for access to systems and data, and periodic testing of those protocols.

II. Detection and remediation minimizes the scope of a successful attack

It’s important to understand holistically that nothing can ever be 100% secure. Quick detection of intrusions or malware in the data center can minimize the scope and cost of an attack. Detection systems are either signature-based, where the system looks for known patterns of malware activity, or behavior-based, where the system builds a model of what is considered normal behavior within a computer and compares it to every process in order to detect attacks.


Both signature-based as well as behavior and heuristic systems have pros and cons, which are covered in depth by cyber security experts, vendors and malware researchers. The fact remains that organizations must consider some form of endpoint security approach, and the more layers they have, the better positioned they’ll be to defend themselves.
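The trade-off between the two detection styles can be seen on a handful of events. The following is an added example, not code from the article or from any vendor: the process names, digests, write rates and the z-score threshold are all constructed assumptions, and treating a process with no baseline as anomalous is a policy choice of this sketch.

```python
import statistics

# Constructed placeholder digest, not a real indicator.
KNOWN_BAD = {"aa" * 32}

# Constructed baseline: files modified per minute by each process on normal days.
BASELINE = {
    "winword.exe": [2, 3, 1, 4, 2, 3, 2],
    "backup_agent.exe": [110, 95, 120, 105, 100, 115, 98],
}

# Constructed events to classify.
EVENTS = [
    {"process": "winword.exe", "sha256": "11" * 32, "writes_per_min": 3},
    {"process": "backup_agent.exe", "sha256": "22" * 32, "writes_per_min": 118},
    # Unknown digest, but a write burst far outside this process's norm.
    {"process": "winword.exe", "sha256": "11" * 32, "writes_per_min": 400},
    # Known-bad digest that behaves quietly.
    {"process": "backup_agent.exe", "sha256": "aa" * 32, "writes_per_min": 100},
]

def signature_hit(event):
    """Signature-based: flag only binaries whose digest is already known."""
    return event["sha256"] in KNOWN_BAD

def build_model(baseline):
    """Behaviour-based, step 1: learn each process's normal write rate and spread."""
    return {p: (statistics.mean(v), statistics.pstdev(v)) for p, v in baseline.items()}

def behaviour_hit(event, model, z_limit=4.0):
    """Behaviour-based, step 2: flag rates far above that process's own norm."""
    if event["process"] not in model:
        return True  # assumption: no baseline means anomalous
    mean, spread = model[event["process"]]
    return (event["writes_per_min"] - mean) / max(spread, 1.0) > z_limit

def classify(events, baseline=BASELINE):
    """Return (process, signature verdict, behaviour verdict) per event."""
    model = build_model(baseline)
    return [(e["process"], signature_hit(e), behaviour_hit(e, model)) for e in events]

if __name__ == "__main__":
    for name, sig, beh in classify(EVENTS):
        print(f"{name:18} signature={sig!s:5} behaviour={beh!s:5} alert={sig or beh}")
```

The third event is missed by the signature check and the fourth by the behavioural one, while the high-volume backup agent stays quiet because it is judged against its own baseline.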


Assuming an attack is a realistic, plausible scenario also puts you in the position of having to prepare tools and procedures for remediation. This will save valuable time once an attack has been detected and minimize the impact.

III. Recovery is your last line of defense

If an attack results in loss of access to critical data — such as malware that corrupts data or ransomware that encrypts your data — data recovery becomes the only option. Therefore recovery from attacks becomes another consideration as you build strategies for data recovery and determine the target RPO (the acceptable amount of data loss in case of an incident) and RTO (time to recovery).


Until the introduction of snapshots in the early 90s, traditional backups served as the single mechanism for data protection — both for data recovery and for disaster recovery. Traditional backups suffered from very poor levels of RPO and RTO. Snapshots introduced in the early 1990s provided very low RTOs, replacing backup as the preferred mechanism for data recovery from errors and corrupted data, including those caused by malware and ransomware attacks. However, practical RPOs continue to be in the order of hours with the best achievable at tens of minutes.


Recent IDC research suggests that most organizations are not 100% confident they can restore data within their required SLA’s. The increased frequency of attacks, the sheer volume of data that needs to be protected, and the increased data change rate mean that scheduled snapshots and legacy backup techniques still expose companies to significant data loss in the case of a successful attack. Perhaps an organization can recover within a few hours, but they’ll have to rely on the most recent backup, which might mean losing hours (if not days) of data. This is no longer acceptable for most firms.


What IDC calls “the race to zero RPO/RTO” means that IT professionals are aware of the challenges, but current data recovery techniques require them to have a complex set of interconnected components and duplicate IT infrastructure in order to provide fast recovery. Not every IT organization has the resources, both in staff and trained talent, as well as the budget, to purchase multiple backup and recovery solutions. Even if they do, it means the IT teams are usually using a combination of snapshots, offsite backups, asynchronous or synchronous replication and many others.


As described above, the problem with this strategy lies in the fact that this interwoven set of data protection techniques usually comes with a big cost, both in budget, and in the time and resources needed to manage them. It’s a tough space to be in: on one hand you spend time and energy on putting together a backup strategy, which often has duplicate infrastructure, but on the other hand, you aren’t sure you can recover.


The best approach towards lowering your RPO’s and RTO’s for data recovery is the opposite of the one for detection: Less is more. Instead of having many layers and multiple components, try to simplify and reduce the number of solutions that you put in place. While many layers at the perimeter help you prevent an attack more effectively, multiple components in your last layer of defense make your environment more complex, which in turn compounds the situation.


A simpler approach to data recovery is unifying your primary storage and backup stacks, as reported by Forrester. If you can go one step further and integrate your primary storage system into this unified approach, not only will you be able to recover in the case of an incident much faster, you will lower your entire IT infrastructure footprint, leading to a lower TCO.


This approach not only works for cyber attacks, but less sinister scenarios as well: It’s more likely that 80% or 90% of the time, you resort to your backup because of human error. There is always a moment of panic when you are verifying your backups aren’t corrupted. As one user who employs this strategy recently wrote: “I no longer have to think of backups.” Converging your storage and backup under a single platform can yield much better results for your data recovery strategy.

Reducing the complexity of your infrastructure is vital for protecting your data from cyber attacks


By changing your mindset from ‘if’ to ‘when’ with cyber attacks, you’ll start viewing your IT security strategy in a much more holistic way. Think of your perimeter as big walls that you have in place with different countermeasures to prevent attacks. Invest in several layers of security, including education, as part of this layer. But understand that this is not enough: attacks will get through, so be ready with a detection and remediation solution.


Your last layer of defense sits at the core of your infrastructure. Your ability to rapidly recover ensures that you will minimize the risks of not being able to continue operating as a business in case of a successful cyber attack. Reducing the complexity of this layer will enable you to focus on making sure that the rest of your defenses are operating properly, which in turn will reduce the likelihood of an attack getting through.

Find out more about Reduxio's capability to simplify your data center infrastructure by converging primary and secondary storage!


Written by Eyal Worthalter

Eyal enjoys discovering, learning and sharing how technology can improve our world. He currently leads content marketing efforts at Reduxio as Head of Sales Enablement. Eyal holds a BSc in Electronics & Communications Engineering and earned his MBA from Hult International Business School in Boston.


