Sophos. Understanding data backups
There is a maxim in the business continuity market that a backup on its own is worthless, but a backup that restores successfully is priceless. Too many organizations have discovered that their backups would not restore, did not restore correctly, or were already compromised when they were taken. A backup that cannot be restored has no value from a business continuity perspective.
By contrast, backups that restore correctly, are free of malware, and are encrypted and integrity-checked so that the IT security team knows they were neither read nor altered after they were created are the scenario IT managers want.
According to Sophos' The State of Ransomware 2021 report, 37% of respondents said they were hit by ransomware. Of those who paid the ransom, 96% said they got some data back, but on average only 65% of the encrypted data was restored. These figures underscore how essential it is not only to have backups but to protect them: keep copies in more than one physical location, at least one of which is not directly connected to the production network.
Types of backups
There are five types of backups:
- Full file-based backup: A full backup is the simplest form of backup. It contains all the folders and files you selected to be backed up. It is called file-based because it copies files through the file system rather than imaging the disk, so hidden and system files are captured only if they are explicitly selected.
- Incremental backup: This backup includes only the files that changed since the previous backup of any type (full or incremental). To restore, you must restore the full backup first and then every incremental taken since, in the order they were created; a missing or corrupt incremental breaks the chain.
- Differential backup: A differential backup includes everything added or changed since the most recent full backup, so each differential is larger than the last until the next full. To restore, you need only the full backup and the most recent differential.
- Image backups: An image backup captures everything on the disk, including hidden and system files. Incremental or differential images can supplement the full image backup.
- Copy Jobs: This includes individual files or folders copied from one location to another.
Recommendations on effective backup restores
Since restoring the backup really is the ultimate goal, it is important to focus on what makes for successful backup-and-restore policies and procedures. Here are some recommendations that you might find helpful.
- Scan and validate: Scan the source for malware and other signs of compromise before backing it up, so that an existing infection is not preserved and later restored. As soon as a backup completes, verify it: confirm the job finished, that the backup media can be read, and that file checksums match the source, so that a corrupt or incomplete backup is found now rather than during an incident. Do this for master backups (full file backups or image backups) and for every incremental or differential backup.
- Multiple copies: It is a best practice to have multiple copies of each backup — one easily accessible and one off-site in the cloud. For highly sensitive data or mission-critical intellectual property, you might consider a physical copy stored in a vault. Multiple copies provide additional security should your primary backup site become damaged or compromised. If you store physical copies offsite, make sure each physical disk is clearly identified with a date of creation and description of what is on the disk.
- Encrypted backups: Encrypt all backups, and manage the keys separately from the backup media. A backup whose key is stored alongside it is exposed to whoever reaches the media; a backup whose key is lost is unrecoverable.
- Write-protected backups: Some security professionals use software that not only encrypts the data but also locks the backup so it cannot be decrypted, mounted and then modified. Some IT security teams prefer to keep the ability to rescan a backup periodically or to install security patches into it; others prefer to keep backups pristine and apply patches only after a backup has been restored.
- Test your backups: Even when no failure forces you to, periodically restore a backup to a test machine. This exercises the restoration policies and procedures and confirms that the staff who would perform a real restore know how. Repeat the exercise when the backup software changes or new staff join.
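As an added example (not Sophos code), the validation step after a backup and the periodic restore test can be automated with a hashed, keyed manifest. The Python script below, standard library only, records a SHA-256 hash and size for every file in the backup set, authenticates that list with an HMAC whose key is kept away from the backup media, restores the set into a scratch directory, and reports any file that is missing, altered or unexpected. The directory tree, file names and tampering step are constructed sample data; the malware scan and the encryption of the backup itself are left to the backup product or a separate tool.

```python
import hashlib
import hmac
import json
import secrets
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large backup members need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(entries):
    """Stable serialization so the HMAC covers exactly the same bytes on build and verify."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_root, key):
    """Record hash and size of every file under backup_root and authenticate the record.

    The HMAC key must be stored somewhere other than the backup media: an attacker
    who can alter the backup and recompute an unkeyed hash list defeats the check.
    """
    root = Path(backup_root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_restore(restore_root, manifest, key):
    """Compare a restored tree against its manifest; returns a list of problems (empty means clean)."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest: HMAC mismatch (manifest altered or wrong key); file hashes cannot be trusted"]
    root = Path(restore_root)
    problems = []
    for rel, meta in manifest["entries"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"{rel}: missing after restore")
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            problems.append(f"{rel}: content differs from backup")
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest["entries"]:
            problems.append(f"{rel}: file not present in manifest")
    return problems


def demo():
    """Constructed end-to-end run: back up a small tree, restore to a test location, verify, then tamper."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        key = secrets.token_bytes(32)  # held by the key custodian, not stored next to the backup
        manifest = build_manifest(src, key)

        restored = Path(tmp, "restore-test")
        shutil.copytree(src, restored)
        results["clean"] = verify_restore(restored, manifest, key)

        # Simulate corruption or tampering of the backup after it was taken.
        (restored / "config.yaml").write_text("retention_days: 0\n")
        results["tampered"] = verify_restore(restored, manifest, key)

        # A manifest edited to match the tampered file fails the keyed check instead.
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["config.yaml"]["sha256"] = sha256_file(restored / "config.yaml")
        results["forged_manifest"] = verify_restore(restored, forged, key)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

In practice the manifest is written at backup time and stored with the backup, the key is held separately (a secrets manager or an offline key custodian), and `verify_restore` is run both immediately after the job and during the scheduled test restore. A clean result proves the set is complete and unaltered; it does not prove the source was free of malware, which is why the scan before the backup still matters.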
Best backup schedules
One of the more popular backup strategies is called Grandfather-Father-Son (GFS). The "grandfather" is a full backup taken once a month, the "father" a full backup taken once a week, and the "son" a daily incremental. A common variation replaces the weekly father with a differential backup. The schedule can also include backups during the day, such as an hourly catch-up, or a backup triggered by a specific event, such as before a software installation or a network reconfiguration, or after a malware scan.
As part of this strategy, the security staff might alternate destinations, sending one run to local storage and the next to a cloud instance (or the reverse). The overhead depends on various factors, including the backup software you select, whether you are backing up to the cloud or locally, the amount of data being backed up, and metrics that might be unique to your situation.
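To make the scheme concrete, here is an added Python example (not from Sophos) of the GFS calendar together with the restore ordering described under the backup types above. The tier rules (grandfather on the 1st of each month, father on Sundays, son on every other day), the retention counts and the start date are assumptions chosen for illustration. It computes which backups must be restored, in order, to reach a given day with either incremental or differential sons, and applies a retention rule that never prunes a full backup while an incremental that depends on it is still kept.

```python
from datetime import date, timedelta

# Assumed scheme: monthly and weekly jobs write full backups, the daily "son" is
# an incremental (or, in the variant, a differential).
FULL_TIERS = ("grandfather", "father")


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def tier_for(day):
    """Grandfather on the 1st of the month, father on Sundays, son on every other day."""
    day = _as_date(day)
    if day.day == 1:
        return "grandfather"
    if day.weekday() == 6:  # Sunday
        return "father"
    return "son"


def plan(start, days):
    """List of (date, tier) pairs for a run of consecutive days."""
    start = _as_date(start)
    return [(start + timedelta(i), tier_for(start + timedelta(i))) for i in range(days)]


def restore_chain(backups, target, son_kind="incremental"):
    """Backups to restore, in order, to recover the state as of `target`.

    Start from the most recent full on or before the target. With incremental
    sons every son after that full must be applied in date order; with
    differential sons only the most recent one is needed.
    """
    target = _as_date(target)
    by_date = dict(backups)
    dates = sorted(d for d in by_date if d <= target)
    fulls = [d for d in dates if by_date[d] in FULL_TIERS]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = fulls[-1]
    sons = [d for d in dates if d > base and by_date[d] == "son"]
    if son_kind == "differential":
        sons = sons[-1:]
    return [base] + sons


def retain(backups, keep_sons=7, keep_fathers=4, keep_grandfathers=12):
    """Dates to keep under a GFS retention policy.

    Keeps the newest N of each tier, then adds every backup a kept son depends
    on, so pruning a weekly full never orphans the incrementals chained to it.
    """
    by_date = dict(backups)
    keep = set()
    for tier, n in (("son", keep_sons), ("father", keep_fathers), ("grandfather", keep_grandfathers)):
        dated = sorted(d for d, t in backups if t == tier)
        keep.update(dated[-n:] if n else [])
    for d in list(keep):
        if by_date[d] == "son":
            keep.update(restore_chain(backups, d))
    return keep


def example_plan():
    """45 consecutive days starting 2024-03-01 (a Friday); constructed sample calendar."""
    return plan("2024-03-01", 45)


if __name__ == "__main__":
    p = example_plan()
    tiers = dict(p)
    for d in restore_chain(p, "2024-03-13"):
        print(d, tiers[d])
    print(len(retain(p)), "of", len(p), "backups retained")
```

Running the sample calendar, the restore chain for 13 March is the Sunday full of 10 March followed by the incrementals of 11, 12 and 13 March; with differential sons it is the same full plus only 13 March. The retention pass keeps 17 of the 45 backups: the two monthly fulls, the four newest weekly fulls, the seven newest incrementals, and the four additional incrementals needed so that every kept son still has an unbroken chain back to a full.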
Learn more
Sophos offers two products that help protect your backups. Sophos Workload Protection secures backups in the cloud and on premises. Sophos Cloud Optix monitors Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) accounts for cloud storage services without backup schedules enabled and provides guided remediation.
Source: Sophos