By Tomáš Foltýn
As World Backup Day reminds us, robust
backups are integral to healthy information security practices of any
organization. This is doubly true for those operating in critical sectors.
Picking up where we left off in Part 1, we will now look at how many US financial institutions
apparently aim to attain ultimate safety for their critical account data.
First, however, let us stop to consider what contributed to putting such
considerations on the front burner.
Increasingly, some types of attacks have been
trending towards outright destruction, as opposed to “mere” disruption or
theft. A number of organizations have learned this the hard way in recent
years, including Saudi Arabian state-owned oil and gas firm Saudi Aramco and entertainment company Sony Pictures
Entertainment. They both saw tens of thousands of their computers
wiped out in particularly destructive attacks.
The onslaught at Sony, in October 2014, was one of the first massive hacks of
an American corporate infrastructure that was largely aimed at data
destruction. As part of its toll, the attack completely
erased half of the company’s servers and computers, reducing a
number of employees to using pen and paper to do their jobs.
This incident raised concerns across the
board. US banks, for example, took part in a series of regular cybersecurity
simulation exercises between 2014 and 2016 that were aimed at testing their
ability to ward off similarly destructive attacks. Lessons learned during these
drills, known as the “Hamilton Series”, gave rise to a last-resort mechanism
that is intended to further step up the banks’ game vis-à-vis data resilience.
“The significant other”
Enter an initiative dubbed “Sheltered Harbor”, which
requires its participants to convert their up-to-date customer account and
transaction information into a standardized format, before encrypting and
placing it into secure, air-gapped and offsite “data vaults”. Also, according
to the high-level overview of the program, the data must be unalterable and, if
ever needed, must be retrieved from the “fallout shelter” exactly as when they
were archived.
Crucially, the initiative seeks to add an
extra layer of resiliency on top of the standard “restore and recovery”
programs in that the affected institution would not be left to its own – at
that time incapacitated – devices. Banks need to form pairs. If a member of the
pair is unable to quickly restore normal service on its own, it can fall back
on its backup peer, which loads the affected bank’s data into its own systems.
This would be possible thanks to the standardized format required by the
program.
However, focusing too much on a single bank
would be missing the point. At the end of the day, the goal is not to salvage
the hapless bank. The key idea is to ensure that if a bank crumbles under the
weight of an egregious cyberattack or a particularly destructive accident, the
incident won’t snowball. The ripple effects of such a scenario are all but
impossible to predict. However, the main concern is that a particularly serious
incident could spook the public and trigger a sweeping run on not only the
impacted bank.
This is because, on top of downtime and
financial fallout, attacks targeting the confidentiality, integrity or
availability of critical bank account data share another possible consequence –
the loss of consumer trust. That is saying something for a sector that is
essentially predicated on consumer confidence. Trust is a fickle mistress, and
we all know that its erosion can trigger a chain of events with
hardly-predictable ramifications.
Collectively, the participating banks are
said to hold some two-thirds of retail accounts in the US, and it’s claimed that a sizable portion of retail brokerage accounts
are also being included. Having a contingency plan that involves industry-wide collaboration is particularly sensible in a
sector in which the roof may cave in with a particularly loud bang.
Indeed, a solid backup and disaster recovery
solution in general can ultimately mean a difference between a few days’
inconvenience and lost service (followed by months or years rebuilding trust)
and total business collapse. In a way, then, Sheltered Harbor may be thought of
as insurance that is good to have, but that nobody wants to ever use.
In conclusion
All told, the value of a reliable backup plan
in general is especially apparent when dealing with a situation that is not
entirely under our control. Data may be lost or corrupted in various ways, but
successful recovery is conditional on a dependable backup strategy. There is no
denying that the current cybersecurity climate dictates paying increasing attention
to data restoration and recovery, which are themselves intrinsic to the
cybersecurity defense playbook.
Although World Backup Day comes only once a
year, we all know that both individuals and organizations need to create their
backups much more often. Implementing a solid backup routine clearly goes a
long way towards bolstering our data defenses. And while we’re at it, we should
not forget that ensuring that we’re actually able to restore data from a backup
is equally as important. Happy World Backup Day!
https://www.welivesecurity.com/2018/03/29/world-backup-day-banks-others-back/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29