CIS Control 10: Data Recovery Capabilities
The tenth CIS Control highlights the importance of backing up system data and properly securing those backups. Doing this will allow your organization to recover any lost or altered data.
Having proper data recovery measures in place can be the difference between an attack causing huge amounts of data loss, and an attack only causing slight downtime.
By having a reliable and secure data recovery solution in place, your organization can quickly return to business-as-usual instead of scrambling to rebuild systems. Rebuilding these systems can take several days or even weeks, so don't assume that your organization is immune to this.
In the era of the ransomware attack, accurate and up-to-date backups from which to restore systems are the only reliable means of recovery.
Let's jump right into the details of CIS Control 10 and the five sub-controls associated with the third foundational security control.
10.1: Ensure Regular Automated Backups
- Ensure that all system data is automatically backed up on a regular basis.
It should go without saying that organizations must ensure that system data is automatically backed up on a regular basis. The key word here is automatically. It's vital for your organization to maintain a redundant set of backups at an offsite location to help ensure data recovery in almost all situations.
10.2: Perform Complete System Backups
- Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
Image snapshots provide the most complete backup and fastest recovery option.
10.3: Test Data on Backup Media
- Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
In this sub-control, organizations are encouraged to test the integrity of both their backup systems and system images. More specifically, the CIS recommends once per quarter, or whenever new backup equipment is purchased, that a testing team evaluate a random sample of system backups by attempting to restore them on a testbed environment.
This sub-control is crucial because you must be certain that backups are working properly before you actually need to use them. Otherwise your organization risks losing critical files when an attacker encrypts them and the backups turn out not to have completed properly.
Most attacks focus on compromising data rather than destroying it, but the most notable attack that does destroy data, ransomware, has only proven more effective and lucrative over the last few years. With the threat of ransomware continuously growing, organizations must be sure that they are regularly testing backups. Doing so gives them the confidence to restore encrypted files and refuse the hefty price tag attached to most of today's ransom demands.
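As an added example that is not from the original article or from NNT, here is a minimal restore test of the kind 10.3 describes, in Python: it writes a backup with an embedded SHA-256 manifest, restores it into a scratch testbed directory, and reports any file that is missing or altered. The manifest filename and the sample files are constructed for the demo.

```python
import hashlib, io, json, tarfile, tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # hypothetical name for the hash manifest stored inside the archive

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source and embed a manifest of their SHA-256 digests."""
    manifest = {str(p.relative_to(source)): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        blob = json.dumps(manifest).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest

def restore(archive: Path, testbed: Path) -> None:
    """Unpack into an isolated testbed directory, never onto production hosts."""
    with tarfile.open(archive, "r:gz") as tar:  # the 'data' filter blocks path traversal on 3.12+
        tar.extractall(testbed, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))

def verify_restored(testbed: Path) -> list:
    """Return manifest entries that are missing or whose restored hash differs."""
    manifest = json.loads((testbed / MANIFEST).read_text())
    return [rel for rel, digest in manifest.items()
            if not (testbed / rel).is_file() or sha256_of(testbed / rel) != digest]

def run_demo() -> tuple:
    """Constructed sample data: back up two files, restore-test them, then corrupt one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bed = Path(tmp, "src"), Path(tmp, "testbed")
        src.mkdir(); bed.mkdir()
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        (src / "data.csv").write_text("id,value\n1,42\n")
        archive = Path(tmp, "nightly.tar.gz")
        create_backup(src, archive)
        restore(archive, bed)
        clean = verify_restored(bed)                       # expected: []
        (bed / "data.csv").write_text("id,value\n1,99\n")  # simulate a corrupted restore
        return clean, verify_restored(bed)                 # expected: ([], ["data.csv"])
```

A scheduled job that runs this against a random sample of real archives, on a testbed host, and alerts on any non-empty list is the quarterly check the sub-control asks for.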
10.4: Protect Backups
- Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
In this sub-control, organizations are encouraged to protect backups with physical security or encryption when stored, since attackers will often target backup data. It's also important to note that onsite backup data should not be directly accessible by other hosts on the network; direct access should be limited to the backup utility used to perform backup and restore activities. In the case of Ransomware, where all accessible files are held to ransom, that will include backup files and snapshot data.
In an ideal world, your backup data should be stored offsite and offline with physical safeguards.
10.5: Ensure All Backups Have at Least One Offline Backup Destination
- Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
Attackers are known to target backups before they wreak havoc on an organization. For this reason, organizations are encouraged to have at least one backup located offline. This means that the backup data should be written to a disk, tape, or a USB drive, depending on the size of your organization. But please, don't leave your USB drive plugged in and think you won't be targeted.
Having an offline backup will help protect your organization against Ransomware and other network attacks on your sensitive data.
Data recovery may seem like a costly investment for a ‘what if’ scenario, but if properly implemented, your organization’s data can be recovered in the event of a Ransomware attack or other data attack.
In the event of a Ransomware attack, having backups could help save your company millions in lost revenue. Even if your organization chose to do so, paying the ransom demand is not guaranteed to fix the problem. Having an up-to-date backup will allow your organization to confidently reject the ransom demand and go back to business as usual. Learn more about today's ransomware threat in NNT CTO Mark Kedgley's latest article Are we too busy with pancakes to get serious about ransomware? with SCMagazineUK.
Backing up data is a great first step, but the next most important step is to guarantee its integrity and availability by regularly testing backups to ensure they are actually working before you need to use them.
Failure to implement such a solution could be the difference between returning to regular business operations and scrambling to rebuild systems, and we all know that every minute your network is down is productivity lost.
Figure: System Entity Relationship Diagram
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.