Malware, Network Security, Ransomware

Why backups are not a cure-all for ransomware attacks

Inside a heavily secured data center.
(MediaNews Group/The Mercury News via Getty Images / Contributor)

In a webinar sponsored by KnowBe4 earlier this month, 78 percent of attendees surveyed said backups won’t save companies from the aftermath of a ransomware attack.

The webinar, 5 Top IT Security Myths Your CISO Believes Are True, was hosted by Erich Kron, the company’s security awareness advocate, and Roger Grimes, KnowBe4’s data-driven defense evangelist.

Kron and Grimes weighed the merits of each myth and then asked the audience to register their own opinions in a vote. Here’s a summary of each myth that the duo discussed:

Good data backups will save you from a ransomware attack.  Audience Vote: Yes 22%. No: 78%.

Roger Grimes, KnowBe4

The audience tended to agree with Grimes, who said backups don’t truly protect organizations from ransomware's destruction. Most people don’t have good backups and have never performed a critical systems restoration said Grimes.

Ever since the Maze ransomware group began exfiltrating data and holding it for ransom in what is now known as a double extortion attack, the game totally changed, said Grimes. Many ransomware groups now have polished PR pages that announce to victimized companies and the general public that they have successfully pulled off an attack and plan to release stolen data publicly if a ransom is not paid, Grimes said. In such cases, backups won't help.

On the flip side, Kron said in the case of a smaller business such as a local bakery or doctor’s office, backups could be critical to getting systems back online quickly. Still, Kron said businesses get into trouble when they don’t test the backups. For instance, a company he knows once took back-up tapes to an offsite location, and the tapes were unknowingly wiped by a magnetic field in the facility. While that’s an unusual case, companies should make sure to test backups so they are ready in an emergency.

Every organization needs antivirus and firewalls on endpoints. Audience Vote: Yes 85.1%. No: 14.9%.

Grimes maintains that antivirus and firewalls are worthless, noting that after 30 years the industry faces more threats than ever. Grimes believes that most people pay attention to firewall logs when they first enter the security field, but after the first few years they become background noise.

Erich Kron, KnowBe4

Kron was not convinced, however, suggesting that SIEMs actually helped people more effectively manage firewall logs when they first came on the scene. He also says that while the effectiveness of AV has waned, at least they still provide another layer of helpful alerts. For example, on one of his last jobs, the AV sent alerts of malicious plug-ins that were being download. He was able to find them on a scan in time, but if he hadn't been alerted in the first place, he would have been wiping multiple machines.

Long passwords are safer than short passwords. Audience Vote: Yes 71.4%. No 28.6%.

Grimes said that NIST, the National Institute of Standards and Technology, has flip-flopped of late: After years of advocating for strong and complex passwords, the agency now says people can use shorter passwords that don't have to be updated as frequently.

Both Grimes and Kron agreed that a more troubling problem than using a long or short password is when individuals frequently reuse passwords.

Ultimately, Grimes recommended using a unique, long phrase for a password. He said users could even go with something silly like “rogerjumpedoverthedogandcat” and then add a tag phrase for whatever it’s used for -- banking services, news, or music, for example.

Also, Grimes and Kron agree that people should use multifactor authentication whenever possible, as well as password managers because they set a complex password for each web account. Grimes said the average person has seven to 19 passwords and manages approximately 170 web accounts.

Running an obscure OS keeps your network safe. Audience Vote: Yes 25.2%. No 74.8%.

Grimes and Kron were with the minority on this one. Grimes acknowledged companies that can avoid attacks by running on Chromebooks, but they should stay vigilant. Years ago, the axiom was that Macs were more secure, but the reality was that the attackers focused more on Windows machines. That’s changed as Macs have become more popular, and could change again if more organizations deploy Chromebooks, Grimes said.

Kron noted that he has seen some obscure operating systems in the medical field that would be difficult for hackers to attack. And he’s seen many IoT devices based on the Arduino OS are also difficult to crack.

End users can’t be trained; technology is your only defense. Audience Vote: Yes: 4.8%. No: 95.2%.

An axiom to live by: Don’t have the hacker be the only person testing your employees. On this, Grimes, Kron, and an overwhelming majority of the audience agreed: it’s possible and necessary to train end users.

Kron said the training has to be relevant and geared to the group at hand. For example, he trains a Silicon Valley startup team much differently than a bank or a manufacturing company where the people are not as tech-savvy.

If organizations believe they can’t train people, it becomes a self-fulfilling prophecy that cripples training, Kron said. And while awareness training won’t solve every problem, Grimes asserted that keeping staff members aware of common phishing lures helps place the company in a position to stop many of them.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.