
CIS Control 11: Data Recovery

The newly revised and renumbered Center for Internet Security (CIS) Control 11 highlights the need for backups, ensuring smooth and timely recovery of data after a security breach or a misconfiguration. In the current version 8 of the CIS Critical Security Controls (CSC), the data recovery control has been moved to number 11; it was CIS Control 10 in version 7.

CIS Control 11 is a vital member of the 18 CIS Controls. With proper data backup protocols in place, organizations can protect critical information and data even during an attack.

Hackers may not just steal the data but may even try to wipe your storage clean to inflict maximum damage. Regular, organized backups can mitigate the threat. As a result, your business doesn’t have to shut down even in the unfortunate case of an attack.

The most prominent risk to data availability right now is ransomware, in which attackers lock access to critical data and demand payment to restore it. There were over 500 million ransomware attacks in 2021, the highest number ever recorded. Proper protection and backups reduce the impact of data loss and the leverage of further attacks.

It all comes down to the CIA triad — confidentiality, integrity, and availability — that should form the backbone of any company’s tech infrastructure. It’s also what the CIS controls help establish.

Let’s explore the five safeguards covered in the latest CSC version for the data recovery control.

11.1 Establish and Maintain a Data Recovery Process

  • Ensure there’s a well-documented data recovery process in place for backup implementation and restoration.

The first safeguard focuses on establishing and maintaining a proper data recovery process that can be followed across the organization. This process defines the scope of data recovery and sets priorities by establishing which data is most important.

Data recovery begins with classifying data by priority. That doesn’t mean some data is worthless; it only ensures that the most critical data is backed up first.

The data recovery process should outline how backups will occur properly on a regular basis, how those backups will be protected, and how the data will be recovered in case of an attack. With such a process outlining all the details, teams know exactly what to do when push comes to shove.

11.2 Automated Backups

  • Ensure all system data is backed up automatically on a regular schedule.

This must-have safeguard ensures that all data is backed up automatically at regular intervals. The emphasis is on automation: system data is backed up on its own at the scheduled interval, without human intervention.

For even better protection, if your organization has important data to secure, you should maintain backups at an off-site location. This will make sure you can recover data even in worst-case scenarios.

Thanks to the cloud, it’s easier than ever to back up data automatically. You can set these backups for hourly, daily, weekly, or monthly frequency based on data sensitivity.

11.3 Protect Recovery Data

  • Ensure that the recovery data is protected with the same measures and controls used for the original data.

Backup data is also at risk if attackers compromise the systems or configuration that hold it. This is why backups need adequate security as well, which may include encryption or network segmentation depending on the data’s requirements. CIS Control 3, Data Protection, outlines safeguards for protecting data, and those safeguards extend from the original data to the backups of all key systems.

11.4 Establish and Maintain an Isolated Instance of Recovery Data

  • Ensure there’s an isolated copy of the backup data as a safe and proven way to protect data from modern threats like ransomware.

This safeguard is all about keeping an offline backup that no one can reach because it is completely disconnected. This could be remote backups held in secure backup destinations. There can be multiple offline backups with dedicated physical security for increased redundancy.

However much you improve cloud security, there is always a risk that attackers will exploit a flaw. Such vulnerabilities can originate with your vendor or with a third party.

Saving an isolated instance of the data ensures the most critical data is safe from digital exploitation. However, as mentioned in the second safeguard, keeping this instance updated is also essential.

11.5 Test Data Recovery

  • Ensure that backup recovery is tested at least quarterly to confirm that the recovery process works.

This is the most underrated safeguard. Many organizations invest heavily in creating backup plans and provisions but fail to test them enough. Testing should be a critical component of your business contingency planning. Any weakness in the backup process can result in inadequate backups or, worse, expose the backups to cyber attacks.

You need monitoring tools that confirm your backups occur regularly and on time. You should also test the defenses in place for the backups as well as the restoration process itself. This is the one reliable way to ensure everything works as it’s supposed to.
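As an added illustration of what such a monitoring check can look like (this is example code written for this article, not CIS or Netwrix tooling), the script below covers three of the safeguards at once: it flags a backup that is older than its schedule allows (11.2), verifies the archive against a stored digest manifest (11.3), and performs a trial restore into a scratch directory to confirm every file comes back intact (11.5). All paths, file names and schedules are constructed for the demonstration.

```python
# Added example (not from the article or CIS): a backup freshness,
# integrity and trial-restore check for safeguards 11.2, 11.3 and 11.5.
# All paths, files and schedules here are constructed for the demo.
import hashlib, json, os, tarfile, tempfile, time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, dest_dir, created=None):
    """Archive src_dir and write a manifest of per-file SHA-256 digests."""
    created = time.time() if created is None else created
    archive = os.path.join(dest_dir, "backup-%d.tar" % int(created))
    files = {}
    with tarfile.open(archive, "w") as tar:
        for root, _, names in os.walk(src_dir):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                files[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive + ".json", "w") as f:
        json.dump({"created": created, "archive_sha256": sha256_file(archive),
                   "files": files}, f)
    return archive

def verify_backup(archive, max_age_seconds, now=None):
    """fresh: newer than the schedule allows (11.2); intact: archive digest
    matches the manifest (11.3); restorable: a trial restore yields every
    file with its recorded digest (11.5)."""
    now = time.time() if now is None else now
    with open(archive + ".json") as f:
        m = json.load(f)
    result = {"fresh": now - m["created"] <= max_age_seconds,
              "intact": sha256_file(archive) == m["archive_sha256"],
              "restorable": False}
    if result["intact"]:  # never trust a restore from a tampered archive
        with tempfile.TemporaryDirectory() as tmp:
            with tarfile.open(archive) as tar:
                tar.extractall(tmp)
            result["restorable"] = all(
                os.path.isfile(os.path.join(tmp, rel))
                and sha256_file(os.path.join(tmp, rel)) == digest
                for rel, digest in m["files"].items())
    return result
```

A scheduled job that runs `verify_backup` against the newest archive and alerts when any of the three flags is false gives you the quarterly (or more frequent) evidence safeguard 11.5 asks for.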

Summary

Data recovery does require resources and investment. The cost in money, time, and effort can be pretty high depending on the organization’s size and structure. It’s an important consideration even for a ‘what if’ scenario. At the same time, the cost of losing data can also be high.

If these safeguards are implemented correctly, data can be recovered safely after an attack.

In the case of ransomware, having a backup can save your company from paying millions of dollars to get vital data back. Paying the ransom won’t always help, either: there are cases where companies paid and still did not recover their data, which shows how malicious attackers can be.

Keep in mind that backing up data is only one piece of the puzzle. It’s equally important to guarantee integrity and availability through testing backups regularly. What’s the point of having backups if the technique doesn’t work when you need it most?

Data recovery can be the difference between a business whose operations keep running smoothly and one that goes under.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.