Avoiding the Banking World’s Worst Nightmare

essidsolutions

There’s nothing worse for a bank than a service outage, unless it is an outage imposed by hackers who demand a ransom before allowing the bank to do business again. Doron Pinhas, CTO of Continuity Software, discusses the very specific steps banks need to take to avoid becoming victims.

The wolf is at the door of banks and financial institutions. Systems are getting more complicated and hackers are getting better at what they do. There are more attacks than ever. Sooner or later, one of those attacks will succeed in bringing a bank down permanently – and then what?

The most likely candidate for that is ransomware, which in recent years has become by far the most popular form of malware. According to security firm PhishMe, a whopping 97.25 percent of all phishing emails analyzed delivered a form of ransomware, a testimony to how profitable this attack can be.

According to Coveware, ransom payments are rising steeply, with a 184% increase in the second quarter of 2019 over the first quarter. The average company paid $36,295 to free itself from ransomware in the second quarter, compared to $12,762 in the previous quarter. And to add insult to injury, the average victim of ransomware experiences 7.2 days of downtime, according to the report.


The point of ransomware, of course, is to force a company to cough up money on pain of having its operations shut down. Organizations that try to fight instead of pay often find out the hard way that hackers mean business. In just the past few months, ransomware attacks have knocked out services in Baltimore; in three Florida cities; in school districts across the United States, with Louisiana declaring a state of emergency over the situation; at the company that supplies electricity to Johannesburg, South Africa; and at many others.

Banks are not exempt from ransomware attacks, and hackers are constantly coming up with new variations of attacks to stay a step ahead of security systems. What would happen if a bank’s services were unavailable for a week as the result of ransomware? If recent history is any indication, panic would ensue.

Even small, spot outages that last for just a few hours have been known to engender panic. Just recently, in fact, “Australian banks and retailers were thrown into chaos” when the ATMs and payment systems of four banks experienced an outage. In February, a Wells Fargo outage in the US “created payday panic” for many customers. And, in 2018, Visa was forced to apologize “as its card outage caused chaos across Europe.”


And those occurrences of chaos were for outages that lasted barely a few hours. Imagine the havoc that could ensue if hackers managed to bring a system down for a week or more. If they did it at multiple banks, they could cause major panic in financial markets over fears that banking systems could be toppled altogether.

It sounds like a far-fetched, if not impossible, scenario: regulators require banks to install top-of-the-line security systems, and all banks are required to have robust remediation and backup systems. Banks must keep many copies of all critical data, such as banking and credit transactions. Some of those copies are synchronous (a replica that receives every write at the same moment as the primary) and some asynchronous (point-in-time copies taken every hour, day or week). Often there are multiple layers of defense, including database and application backups, storage snapshots, and on-premises or cloud backup.

It sounds like a foolproof system: if a server or database is compromised, just fail over to a backup, and the threat of an attacker-caused outage is moot. Right? Reality, of course, is far more complicated:

  • Restoring from backup takes far longer than most people expect. Restoring even a single database, let alone the records of an entire bank, can take several days.
  • Restoration also carries the risk of losing transactions, which creates enormous financial exposure. In all likelihood the bank would have to revert to an older copy: the only copy that guarantees no data loss is the synchronous replica, and because it mirrors every write, it is encrypted or corrupted at the same moment as the primary. Transactions missing from the restored copy would have to be recreated afterwards, and there is no easy way to guarantee that this can be done completely.
  • And, far more often than professionals would care to admit, data is not perfectly protected. What if you discover only after the fact that your team never configured a backup for part of your critical data? What if the backup job itself was misconfigured and the backup is corrupt? According to experts, 34% of companies fail to test their backups, and of those that do, 77% have found backup failures.
  • Finally, attackers are becoming more sophisticated and increasingly target the backup systems as well, locking both the data and the means of recovering it. Whether or not the victim resists, they may leave it completely exposed.

Seen from this perspective, it is no wonder that companies prefer to pay off the attackers, which practically guarantees that others, or they themselves, will be targeted yet again.

Fresh thinking is clearly required, with an emphasis on processes that guarantee recovery, dramatically improve restoration time and minimize recovery costs. Attention should be paid to:

  • Improving processes, including defining a clear data protection strategy for each application tier.
  • Building controls to ensure that all critical data is backed up and that the backup sets meet the minimum required criteria: frequency (how old the newest copy may be), retention (maintaining sufficient history of copies), speed of recovery (you may need to mix and match multiple technology stacks, including backup, storage replication, and disk or cloud vaulting and archiving), and so on.
  • Ensuring that backups are audited and tested regularly, with particular attention to recovery speed.
  • Staying informed about new industry best practices and vendor recommendations, and continually evaluating new risk vectors and implementing mitigation plans.


Perhaps most crucial of all is to ensure that the backup sets themselves are secured: harden the backup systems; restrict access to the policy servers and use separate credential sets and authorization paths (so that an administrator account compromised on the production network cannot also delete or alter the backups); lock down default accounts; and inspect configuration integrity regularly. In addition, keep at least some of the copies separated from the main network, or apply equivalent controls such as immutable copies or an “air gap”. Suspicious activity must be audited, and the hygiene of copies must be validated, so that you do not discover only during recovery that you have restored already-corrupt data and applications.
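The controls described above (frequency, retention, an offline or immutable copy, and validating the hygiene of copies before you need them) can be turned into an automated check. The script below is an added example written for this article; it is not Continuity Software's tooling and does not come from the original text. The tier names, policy thresholds, dataset names and backup copies are all constructed for illustration; the "tampered" copy simulates a backup that ransomware overwrote after it was catalogued, which the hash comparison catches.

```python
"""Backup-set compliance audit (added example, not the article's or vendor's code).

Checks an inventory of backup copies against a per-tier protection policy and
reports one of these findings per problem:
  NO_BACKUP           a critical dataset has no copy at all
  RPO_EXCEEDED        the newest copy is older than the tier's allowed frequency
  RETENTION_SHORT     fewer copies are retained than the tier requires
  NO_IMMUTABLE_COPY   no copy is immutable/offline, so malware can reach them all
  INTEGRITY_MISMATCH  a copy no longer matches the hash recorded when it was taken
Policy values, dataset names and copies below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Policy:
    max_age: timedelta       # newest copy must be no older than this (RPO)
    min_copies: int          # minimum history of copies to retain
    require_immutable: bool  # at least one copy must be immutable or offline


@dataclass(frozen=True)
class Copy:
    dataset: str
    taken_at: datetime
    immutable: bool
    recorded_sha256: str     # hash written to the catalog when the copy was made
    payload: bytes           # what reading the copy back returns today


# Constructed policy: tier0 = core transaction systems, tier1 = supporting apps.
POLICY = {
    "tier0": Policy(max_age=timedelta(hours=1), min_copies=24, require_immutable=True),
    "tier1": Policy(max_age=timedelta(hours=24), min_copies=7, require_immutable=True),
}
# Constructed inventory of critical datasets and their protection tier.
DATASETS = {"core-ledger": "tier0", "card-auth": "tier0", "crm": "tier1"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_copy(dataset, taken_at, immutable, content, tampered=None):
    """Catalog a copy. `tampered` simulates the copy being overwritten later
    (e.g. encrypted by ransomware) so its hash no longer matches the catalog."""
    return Copy(dataset, taken_at, immutable, sha256_hex(content),
                content if tampered is None else tampered)


def audit(copies, datasets=DATASETS, policy=POLICY, now=None):
    """Return a list of (dataset, code, detail) findings; empty means compliant."""
    now = now or datetime.now(timezone.utc)
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)
    findings = []
    for ds, tier in datasets.items():
        p = policy[tier]
        cs = sorted(by_dataset.get(ds, []), key=lambda c: c.taken_at, reverse=True)
        if not cs:
            findings.append((ds, "NO_BACKUP", "no copy exists for this dataset"))
            continue
        age = now - cs[0].taken_at
        if age > p.max_age:
            findings.append((ds, "RPO_EXCEEDED", f"newest copy is {age} old, policy allows {p.max_age}"))
        if len(cs) < p.min_copies:
            findings.append((ds, "RETENTION_SHORT", f"{len(cs)} copies retained, policy requires {p.min_copies}"))
        if p.require_immutable and not any(c.immutable for c in cs):
            findings.append((ds, "NO_IMMUTABLE_COPY", "every copy is writable from the production network"))
        for c in cs:  # validate hygiene: does each copy still match what was catalogued?
            if sha256_hex(c.payload) != c.recorded_sha256:
                findings.append((ds, "INTEGRITY_MISMATCH",
                                 f"copy from {c.taken_at.isoformat()} does not match its recorded hash"))
    return findings


def demo_findings():
    """Constructed scenario that exercises every finding type."""
    now = datetime(2019, 9, 1, 12, 0, tzinfo=timezone.utc)
    copies = []
    # core-ledger: hourly copies for 24 hours, the oldest on immutable storage,
    # but the copy taken 3.5 hours ago was overwritten (simulated encryption).
    for h in range(24):
        taken = now - timedelta(hours=h, minutes=30)
        data = f"ledger snapshot {h}".encode()
        copies.append(make_copy("core-ledger", taken, immutable=(h == 23), content=data,
                                tampered=b"\x00ENCRYPTED\x00" if h == 3 else None))
    # card-auth: only three daily copies, newest 5 hours old, none immutable.
    for d in range(3):
        copies.append(make_copy("card-auth", now - timedelta(hours=5, days=d), False, f"auth {d}".encode()))
    # crm: nobody configured a backup job at all.
    return audit(copies, now=now)


if __name__ == "__main__":
    for ds, code, detail in demo_findings():
        print(f"{ds:12} {code:20} {detail}")
```

Run as a scheduled job against your real backup catalog, the same checks surface the three failure modes the article warns about before an incident does: a dataset that was never backed up, copies that are too old or too few to meet the tier's recovery objective, and a copy that has silently changed since it was written. A copy that fails the hash check should be treated as unusable for recovery until a clean one is found.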

Don’t put your head in the sand. Take action today to make sure both your backup and recovery strategies are sound. The consequences of failing to do so could be catastrophic – resulting in huge losses, or even the closure of your business. With proper awareness, processes and tools you can significantly improve your business resilience to data-centric attacks.