To combat ransomware attacks, government agencies should go beyond solely implementing data backups to maintain data integrity and operational continuity. A recent FBI and CISA warning about the Ghost ransomware group demonstrates why this paradigm shift must happen.
Network segmentation, timely patching and multi-factor authentication (MFA) should be essential data security measures. However, agencies should take it a step further by strengthening their cyber resilience, ensuring that critical data and systems are immutable and survivable. Further, establishing quick data recovery measures must also be a priority.
Agencies should also bridge the gap between backup administrators and cybersecurity teams. They should update their disaster recovery requirements, ensure rigorous backup testing and adopt an “assume breach” mindset with zero-trust strategies. These proactive approaches are essential for swift data recovery from future ransomware attacks.
Breaking down the silos between federal backup administrators and cybersecurity teams must be a crucial first step to tackle ransomware threats.
Oftentimes, these functions are siloed within government agencies. In some cases, security teams might not know what the backup solution is for their environment until a cyberattack occurs. This is an alarming issue.
To address the silo issue, government agencies should establish requirements for rapid threat hunting inside data backups: searching backup data for malicious content and signs of malicious activity. This gives cybersecurity teams better insight into the backup infrastructure and can reveal hidden threats that live systems might not surface.
Government agencies must update their requirements for backup capabilities in disaster recovery.
According to a Rubrik Zero Labs report, nine out of 10 external organizations surveyed reported malicious actors attempting to impact data backups during a cyberattack, and 73% were at least partially successful. This concerning data highlights the fact that data backup methods alone will fail to protect sensitive data and hinder the federal government’s ability to recover data quickly following an attack.
Government agencies would suffer catastrophic consequences from having their operations down for a week, a month or longer. In this instance, the speed of recovery matters regarding how quickly agencies can return to normal operations.
To address these challenges, government agencies need to move beyond simply checking off backup requirements. Instead, they should focus on designing backup architectures that enable them to survive and quickly recover from a cyberattack, avoiding situations where a complete system rebuild is necessary. Their data recovery plans should include immutability, air-gapping, encryption and multi-factor authentication.
Agencies need systems with immutable backups that an administrator cannot disable. That’s a key component. It’s crucial because adversaries today use many attack techniques to steal credentials, escalate privileges and log in as legitimate users and, often, as administrators.
With the federal government’s current legacy solutions, a data administrator can delete backups and disable immutability and other critical data security components. A tool built on the zero-trust principle of “never trust, always verify” treats every request to access government networks, whether from a legitimate user or an attacker, with the same scrutiny and has many fail-safes. For example, a zero-trust approach can enhance backup data security by implementing strict access controls, verifying all access requests and continuously monitoring for suspicious activity.
Further, air-gapping backup data involves physically isolating backup storage from the main network and the internet, creating a “gap” to protect against cyberattacks and data loss. The process ensures backups remain secure even if the primary system is compromised.
Validation testing of backup systems should be prioritized to fill one of the gaps in government data security.
To go beyond just data backup security, regular testing must be a priority joint exercise between government IT and cybersecurity teams. Its purpose is to confirm that backup data is safe and trusted, that it can actually be recovered, and that it is accurate, complete and free from data corruption. Moreover, testing backups will allow government agencies to verify that their recovery procedures work as intended, including checking whether the restoration process is efficient, timely and compatible with government networks, applications and systems.
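The restore drill and backup threat hunt described above, as an added example that is not part of the original article and not Rubrik's code: the script records a SHA-256 manifest at backup time, restores the copy, and then checks the restored tree for missing files (incomplete restore), hash mismatches (corruption or tampering) and unexpected extra files, and finally matches file hashes in the backup against a known-bad list. All file contents, paths and the "known-bad" hash are constructed fixtures.

```python
"""Restore drill for a file-level backup: build a manifest at backup time,
then prove the restored copy is complete, unmodified and free of known-bad
content. Constructed sample data only; no real agency data or indicators."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample files standing in for an agency's live data set.
SAMPLE_FILES = {
    "records/payroll.csv": b"id,name,amount\n1,alice,100\n2,bob,200\n",
    "config/app.ini": b"[db]\nhost=db.internal\n",
    "notes/readme.txt": b"restore drill fixture\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> {sha256, size} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def take_backup(src: Path, dst: Path) -> dict:
    """Copy src to dst and record the manifest beside (not inside) the copy,
    so a tampered data tree cannot silently rewrite its own integrity record."""
    shutil.copytree(src, dst)
    manifest = build_manifest(src)
    (dst.parent / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the backup-time manifest.
    missing   -> restore is incomplete
    corrupted -> content changed since backup (corruption or tampering)
    extra     -> content present that was never backed up"""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(
        p for p in manifest
        if p in actual and actual[p]["sha256"] != manifest[p]["sha256"]
    )
    return {"ok": not (missing or corrupted or extra),
            "missing": missing, "corrupted": corrupted, "extra": extra}


def hunt_indicators(manifest: dict, bad_hashes: set) -> list:
    """Threat hunt over backup contents: files whose hash matches a known-bad
    indicator (hypothetical blocklist supplied by the caller)."""
    return sorted(p for p, m in manifest.items() if m["sha256"] in bad_hashes)


def run_drill() -> dict:
    """Run the whole drill in a temp directory and return every check's result."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)

        manifest = take_backup(src, tmp / "backup" / "data")
        restored = tmp / "restored"
        shutil.copytree(tmp / "backup" / "data", restored)
        clean = verify_restore(manifest, restored)  # expected: ok

        # Simulate damage to the restored copy: one file altered, one deleted,
        # one planted file that was never part of the backup (constructed).
        (restored / "records/payroll.csv").write_bytes(b"id,name,amount\n1,alice,999\n")
        (restored / "notes/readme.txt").unlink()
        (restored / "config/dropper.exe").write_bytes(b"MZ-constructed-sample")
        damaged = verify_restore(manifest, restored)  # expected: not ok

        # Hunt with the planted file's hash as the (constructed) indicator.
        planted = {sha256_file(restored / "config/dropper.exe")}
        hunt_before = hunt_indicators(manifest, planted)            # clean backup
        hunt_after = hunt_indicators(build_manifest(restored), planted)  # hit

        return {"clean": clean, "damaged": damaged,
                "hunt_before": hunt_before, "hunt_after": hunt_after}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Keeping the manifest outside the data tree, and ideally on immutable storage, is the design point: the verifier must trust something the restore path cannot overwrite. Each finding category maps to a different recovery decision (re-run the restore, fall back to an earlier recovery point, or escalate to incident response).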
Lastly, government agencies should adopt an “assume breach” mindset and deploy zero-trust strategies to enable quick recovery from future ransomware attacks.
CISA’s Zero Trust Maturity Model operates on the premise that breaches will occur, so government agencies’ strategies should be to eliminate implicit trust in network and third-party systems. Agencies may unknowingly back up compromised systems and data; therefore, implicit trust should be removed from the backups until the agency has a robust capability to monitor and hunt for cyber threats within the data backups. Data backups need to restrict outside access while integrating analytical functions. Moreover, protecting government data requires essential security measures, including encryption and audits, to eliminate potential attack vectors.
In summary, by going beyond data backups, government agencies can ensure the integrity and availability of sensitive data while safeguarding against potential breaches, increasing their ability to recover from cyberattacks, and, ultimately, protecting national security.
The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of Rubrik. This article is for informational purposes only and does not constitute business or legal advice. Organizations should consult with legal and compliance professionals to ensure their cybersecurity strategies meet all applicable federal, state, and international requirements.
Travis Rosiek currently serves as public sector chief technology officer (CTO) at Rubrik, helping government agencies become more cyber and data resilient. Rosiek is an accomplished cybersecurity executive with more than 20 years in the industry. His experience spans driving innovation as a cybersecurity leader for global organizations and CISOs to corporate executives building products and services. He has built and grown cybersecurity companies and led large cybersecurity programs within the Department of Defense (DoD). As a cyber leader at the DoD, he was awarded the Annual Individual Award for Defending the DoD’s Networks.
Prior to Rubrik, Travis held several leadership roles, including chief technology and strategy officer at BluVector, CTO at Tychon, federal CTO at FireEye, a principal at Intel Security/McAfee, and leader at the Defense Information Systems Agency (DISA). He has served on the National Security Telecommunications Advisory Committee (NSTAC) as an ICIT fellow and on multiple advisory boards.