World Backup Day celebrated annually on March 31

Tomáš Foltýn 

World Backup Day, celebrated annually on March 31, is a timely reminder of the importance of taking effective measures that can make all the difference when a data loss incident strikes. It is also a good time to pause and reflect on the rising tide of threats that organizations, notably those operating in critical industries, face in cyberspace. 

It is a safe bet to say that Hippocrates didn’t expect the wisdom of the oath named after him to extend nicely to cybersecurity one day. And yet, thousands of years later, many security practitioners will probably swear by one of the dicta contained in modern versions of the physicians’ pledge, namely that “prevention is preferable to cure”.

Nevertheless, as threats are constantly evolving and become more pervasive, incident response and recovery are increasingly jostling for the attention of organizations’ cyber-defenders. Indeed, the threat landscape gives a sense that security ills are sometimes well-nigh unavoidable. Given our reliance on technology, having a plan for how to respond when the chips are down has never been more important.

In information security, best practices in preparations for a possible emergency include implementing a robust plan for data backup and recovery. World Backup Day, celebrated since 2011, helps raise awareness of the fact that a data loss event can cost people and organizations dearly. The causes of such incidents clearly run the gamut and include a hardware or system failure, a human error, a malicious insider, and a cyberattack.

To be sure, there is also the possibility of a physical disaster. However, compared to, say, fire or flood, cyber-incidents – especially of a malicious bent – pose a range of specific challenges for both detection and recovery. To begin with, it may not even be immediately obvious that something is amiss. Also, the actual extent of the damage or the timing of the intrusion may not be immediately apparent. The risk of a contagion spreading to other systems is yet another of a number of challenges that cybersecurity incidents bring.

Whatever the cause of the incident, an organization needs to restore the lifeblood of its operations – its mission-critical data – in order to begin a recovery. The journey to restoring the organization’s vital functions begins with a pre-purchased ticket, which in this case is a robust backup of its data.

Indeed, reconstituting lost or corrupted data, especially business-critical data, can be a matter of survival for any business. In critical infrastructure, the stakes are particularly high. For services that are essential for the functioning of entire societies, even short-term disruptions can have particularly dire ramifications.

Critical data, critical infrastructure

The financial services sector, which is part of the critical infrastructure, is facing a plethora of specific and palpable cyber-risks. In a world where criminals usually follow the money, cyberattacks against financial institutions come thick and fast and in many forms and sizes. Adversaries are well resourced, organized, persistent – and often successful. To blur the threat picture further, insiders and third-party service providers with privileged access represent a threat in their own right, whether acting out of malice or negligence.

Attacks on banks may not necessarily involve “only” cyber-heists, however. There is another – and no less insidious – threat that involves attempts to harm the integrity or availability of data. These onslaughts are aimed at data corruption or at shutting out access to data altogether.

Many organizations in critical industries admit to facing attacks that are aimed at file deletion or manipulation. In the financial services sector, one worry is that this could involve large-scale data manipulation or sabotage of critical customer and business account data. In addition, networking giant Cisco recently sounded the alarm on an emerging type of attack that seeks to wreck backups and safety nets needed by organizations in order to restore their systems and data after an incursion.

Throwing a lifeline

Now, suppose that an information storage disaster hits a bank’s data center and things go so spectacularly awry that not even standard backup plans and recovery procedures are able to restore normal service promptly. Such an attack would normally involve data concerning account records; if these data are inaccessible, clients could effectively become locked out of their money.

While this nightmare scenario may strike a chord only with survivalists, preparations for any imaginable adverse turn of events are at the heart of standard business continuity and disaster recovery (BC/DR) plans, whether they involve physical, virtual or cloud-based environments.

Securing some of the most valuable information in the digital age obviously requires a multi-layered approach. To bolster their data resilience and recovery capabilities in the face of increasing threats, it turns out that banks and other financial firms in the United States are adding another layer of data protection in addition to their standard backup and recovery playbooks.

As part of our marking of World Backup Day, we will look at the extra precautions that they are taking in Part 2 of our article.

https://www.welivesecurity.com/2018/03/28/world-backup-day-saving-day-saving-data/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

Attingo Datarecovery onthult hoe roekeloos bedrijven en consumenten omgaan met gevoelige gegevens

Verbijstering over het aantreffen van vertrouwelijke gegevens gebruikte datadragers

Slechts een paar muisklikken bleken genoeg om de vertrouwelijke gegevens van een grote supermarktketen boven water te krijgen, zo bleek onder meer toen Attingo Datarecovery aan de slag ging met 100 opgekochte tweedehands datadragers.

Een onderzoek dat door Attingo met enige regelmaat wordt gehouden bracht wederom schokkende resultaten aan het licht ten aanzien van de manier waarop bedrijven en particulieren hun data wissen alvorens de gegevensdragers van de hand worden gedaan. "We konden het nauwelijks geloven maar op meer dan 73 procent van de harde schijven, SSD's en SD-kaarten waren zeer gevoelige gegevens beschikbaar", vertelt Robbert Brans, Managing Director van Attingo Datarecovery. "Extra opmerkelijk is dit te noemen aangezien we sinds 2011 met deze onderzoeken juist steeds een significante afname zagen van niet correct verwijderde data. In 2014 ging het 'slechts' in 28 procent van alle gevallen mediadragers die we hierop onderzochten."

Het blijft een wijdverspreide mythe dat het eenvoudigweg wissen en formatteren van gegevens voldoende is om data te vernietigen. Brans: "Voor particulieren valt er wat geld te verdienen door afgedankte media te verkopen. Vaak zie je dan dat er maar een enkeling is die er op let dat data goed verwijderd wordt. In sommige gevallen zien we zelfs dat er helemaal geen goede pogingen zijn gedaan om gegevens te verwijderen. Slechts op een paar gegevensdragers waren de gegevens volledig vernietigd voor dat ze verkocht werden. Veel mensen missen de technische knowhow over hoe gegevens gewist moeten worden of welk resultaat het formatteren van data oplevert. Het is een misverstand dat gegevens daarna echt weg zijn", gaat Brans verder.

De data die Attingo Datarecovery aantrof betrof complete financiële dossiers van particulieren, toegang tot de gegevens die nodig zijn om te kunnen internetbankieren en onlinewinkels. Maar ook vakantiefoto's of erotische videobeelden opgenomen in de slaapkamer van de vorige eigenaar van een harddisk of andere datadrager.

Door slecht te wissen maken bedrijven zich schuldig aan zware inbreuk op gegevensbescherming. Het onderzoek laat zien dat zelf grote gerenommeerde bedrijven op een grove nalatige manier omgaan met de gegevens van nietsvermoedende burgers.

Bij particulieren schaadt het 'slechts' de maker van de beelden, bij bedrijven echter wordt daarmee de privacywetgeving geschonden. "Des te huiveringwekkend is het dat zelfs zeer gevoelige informatie te vinden is op gebruikte mediadragers. "In één geval werd de datadrager door een IT-manager zelf aan ons verkocht", gaat Brans verder.

Bijzonder opmerkelijk was wat er boven water kwam bij meerdere schijven van een servernetwerk van een grote supermarktketen. Behalve dat daardoor toegang mogelijk werd tot het interne netwerk, bleek ook dat teksten, prijslijsten, interne onderhandelingen, protocollen van leveranciers en loonlijsten van medewerkers werden gevonden. Op de afgedankte harde schijven van een volledige mailserver van een bedrijf in de logistieke sector werden duizenden e-mails van werknemers gevonden. Bij een grote kabeltelevisieprovider werden alle klantgegevens op een harde schrijf aangetroffen. Daarmee wordt duidelijk dat een goede bewustwording van gegevensbescherming bij de verkoop van gebruikte datamedia dringend nodig is.

Brans: "Van een grove nalatige behandeling van gegevens op gebruikte opslagmedia blijkt bij vele bedrijven nog altijd sprake te zijn, ondanks de nieuwe EU-verordening inzake gegevensbescherming. Privacy omvat immers ook de juiste vernietiging van gegevens van afgedankte hardware."

Attingo Datarecovery biedt professioneel gegevensherstel van defecte harde schijven, SSD's en datatapes, evenals de verificatie van gegevensdragers. Dit is met name handig voor bedrijven die ervoor willen zorgen dat hun interne gegevensverwijderingsstrategieën echt voldoende zijn.

Attingo Datarecovery

Attingo Data recovery is al meer dan 20 jaar gespecialiseerd in dataherstel. Attingo redt data van zowel complexe RAID-systemen of servers als van harde schijven, tapes of USB-sticks. De onderneming heeft drie eigen hypermoderne ISO 9001:2015 gecertificeerde cleanroomlaboratoria.

-----

Voor meer informatie :

 Robbert Brans, directeur van Attingo Datarecovery  Nederland.

Telefoon: 0252- 621 625

E-mail: info.nl@attingo.com

http://www.attingo-datarecovery.nl/

Critical Infrastructure Interview with David Harley

WeLiveSecurity sat down with David Harley (ESET) to get a better understanding of Critical Infrastructure and the role he has played in the area throughout his career.

David Harley

[Editor] How did you come to be involved with Critical Infrastructure?

[David Harley] I first took an interest in Critical Infrastructure (CI) when I started working on the security side of medical informatics. Not that what I was doing for the Imperial Cancer Research Fund (now Cancer Research UK) would have been formally considered to impact directly on CNI (Critical National Infrastructure) at that time. While healthcare has long been considered to play a part in CNI in the US and in the UK, it probably wouldn’t have been considered to include a charitable organization focused on medical research in the 1990s. Certainly I had no direct contact at that time with the relevant government agency.

However, I had a pretty wide range of responsibilities during the 11 years I was there: while I was already deeply involved with malware management issues (and had been since 1989) and therefore with security more generally, I was also deployed in first and second line customer support, even when my primary role was system administration. And since security came up time and time again, I found myself doing a lot of background research, subscribing to mailing lists that covered topics like national security, SCADA, and so on.

When I moved to the UK’s National Health Service as a senior manager in the NHS Information Authority (NHSIA) in 2001, I was initially involved in the dissemination of threat information distributed by a government agency that was specifically concerned with the maintenance of the CNI, among other things. Later my role expanded to management of the Threat Assessment Centre (TAC), which had a somewhat similar function lying somewhere between a WARP and a CERT. We don’t seem to hear so much about them now, but a WARP (Warning, Advice and Reporting Point) is a sort of small-scale CERT intended to support a small-ish community (20-100), and is more about information sharing than dealing directly with critical incidents. Since the NHS had around 1.25 million users and the TAC was plugged directly into a community of network managers who really had to solve issues rather than just flag and discuss them, the TAC was, functionally speaking, rather more than a WARP, but wasn’t large enough to be considered a CERT or CSIRT in its own right.

And I never quite escaped being the go-to person on any issues related to malware. So that got me into liaising with providers of messaging security, for instance, with the Department of Health, and other government agencies, so CNI was of more than academic interest. Not least, because I now had access to data and structured information that weren’t at that time in the public domain.

[E] So you always regarded security and Critical Infrastructure as related?

[DH] Sure. Security is and always was implicit in ‘critical’, suggesting that CI components are crucial to the security of the State and/or the population (not always the same thing, even in a democracy). You only have to look at the components that are typically considered to be ‘critical’ where CI or CNI is formally defined.

In the US, for instance, the sectors are defined here by the Department of Homeland Security, and in the UK are defined here. The UK’s Security Services administer ‘protective security’ through the Centre for the Protection of National Infrastructure (CPNI).

Of course, as governments and government policies change, so do the services for which the agencies they regulate are responsible, so both the security services and the healthcare services have changed dramatically since I left the NHS, but I doubt if CPNI or other state agencies have stopped thinking of healthcare or emergency response as being critical or in need of security. Well, we can hope…

[E] What do you see as the main difference between CI as it was regarded back in the day and as it is today, apart from the obvious improvements in technology?

[DH] When I first became interested in potential risks to CI (and SCADA – Supervisory Control And Data Acquisition – which is by no means exclusively unique to a given CNI framework, but is so often associated with CNI components such as energy utilities), most of the discussion 20-30 years ago was about potential risks. There was comparatively little understanding outside the Corridors of Power of the concept of a formalized CNI, and where damage to infrastructural components was actually sustained, it was rarely the result of specific targeting of those components. Or, at any rate, it wasn’t usually reported as such.

There are claims that the Siberian pipeline explosion of 1982 was caused by a CIA logic bomb, and a story about the NSA reprogramming a printer microchip in order to compromise Iraqi air defence computers (the so-called ‘Desert Storm virus’ of the early 1990s). However, these claims – at least, in the forms in which they were circulated – suggest a sophistication (or sheer luck) redolent of science fiction rather than historical fact. My friend and sometime co-author Robert Slade analysed the Desert Storm story rather effectively in his Guide to Computer Viruses, and we revisited the topic in Viruses Revealed. There’s rather less solid analysis (let alone evidence) to be found when it comes to the story of cyber-sabotage and the Siberian pipeline explosion.

Even before the turn of the century, however, there was recognition (if you looked in the right place) of the activities of state-sponsored or state-initiated cyber-espionage activity.

In the early noughties, reports began to become publicly available on allegedly state-sponsored hacker groups such as NCPH (subject of extensive analysis in the AVIEN book) while, there were less public reports of more ‘official’ groups. Targeting by various groups going into the second decade of the 21^st century has included petrochemical companies, military and government agencies, research labs, utilities, and major IT players in the US, putting them all well into the CI bracket. Other targets included diplomats, the offices of the Tibetan government in exile, human rights activists, and government/media/finance organizations in Estonia and Georgia. The aims seem to have gone beyond disruption of services to the theft of sensitive correspondence and documents, proprietary code, and so on.

Stuxnet still came as something of a game-changer, though, as you might gather from the sheer volume of research it generated (including ESET’s, in the extensive Stuxnet Under the Microscope). This is less so because of its sophistication, though its payload pushed anti-malware specialists into areas of research with which they were unfamiliar. Rather, it’s because Stuxnet was an attack apparently targeting a specific state rather than the world at large, even though the malware was generalized enough to be found far beyond the borders of Iran. There have been many subsequent attacks that have been described as targeting specific organizations or sectors – for instance, the ransomware Win32/Filecoder.WannaCryptor.D (often referred to as WannaCry) is sometimes talked about as if it only affected the UK’s National Health Service, which is nonsense – but targeting is rarely as clear-cut as it was in the case of Stuxnet. Yet, ironically enough, much of the speculation about Stuxnet following its discovery focused on the possibility of its re-use in very different engineering contexts. Nonetheless, Stuxnet made it clear to the media and the general public that there are resources and expertise available and already deployed against utilities considered vital by the states that maintain or at least rely on them. That’s very different from the (mostly) speculative discussions of the 1990s, and even of the years around the turn of the century, when I was directly engaged in such areas.

Read more on:

https://www.welivesecurity.com/2018/03/26/critical-infrastructure-interview/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29