In the event of a security breach of your network, it is likely that the attackers have altered or destroyed important data and security configurations. The tenth CIS control, data recovery capabilities, addresses the importance of backing up system data and properly protecting those backups. By doing so, you ensure the ability of your organization to recover lost or tampered-with data.

Every minute your network is down is productivity lost. Administrators must ensure that up-to-date, functioning restoration data has been properly protected using physical safeguards and data encryption, both at rest and in transit. Failure to establish a reliable and secure data recovery solution could mean the difference between a smooth return to standard operations and scrambling to rebuild systems for days or weeks just to get back to where you were before the data loss. No one wants that.

A step-by-step breakdown of the proper controls to ensure you can recover your data:

Ensure Regular Automated Backups

A fundamental component in the implementation of an efficient backup process is automation. Humans are prone to err. Beyond mental lapses, we are susceptible to illnesses and mobility-limiting natural disasters, to name only a small subset of possible contingencies.

Numerous applications are available that can streamline the backup process and achieve data redundancy. Maintaining a redundant set of up-to-date backups at an off-site facility is essential and can help ensure data recovery in most situations. A useful rule of thumb is 3-2-1:

  • Keep THREE copies of the data
  • On at least TWO separate mediums
  • With at least ONE located offsite

Perform Complete System Backups

It is important that a comprehensive backup strategy be implemented. This should allow for the speedy recovery of data, whether it be a few specific files or an entire server. One useful technique for scheduling system backups is the Grandparent-Parent-Child system:

  • Child: Daily backups (incremental/differential) are performed.
  • Parent: Weekly full backups are replaced.
  • Grandparent: A full backup is archived monthly at an off-site facility.

This system allows for the intelligent use of backup storage and provides a range of restore points for modified, corrupted or deleted data.

Test Data on Backup Media

All the automation in the world won’t save you if your backups are corrupted. The integrity of both your backup system and the system images themselves must be tested regularly.

CIS Control #10 states, “Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment.”

Variations of the Grandparent system explained above can also be easily adapted to work here.
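
The quarterly restore test quoted above can be scripted. The following is an added example, not part of the original article or of any CIS tooling: it assumes each backup is a .tar.gz archive carrying a MANIFEST.json of SHA-256 digests written at backup time (a convention chosen for this sketch), and all function names are hypothetical.

```python
import hashlib, io, json, random, tarfile, tempfile, zlib
from pathlib import Path

def make_backup(archive, files, manifest=None):
    """Constructed sample data: a .tar.gz of `files` plus a MANIFEST.json of SHA-256 digests."""
    manifest = manifest or {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    members = {**files, "MANIFEST.json": json.dumps(manifest).encode()}
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def restore_and_verify(archive):
    """Restore into a scratch test bed; return a list of problems (empty list = pass)."""
    with tempfile.TemporaryDirectory() as bed:
        root = Path(bed).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar:
                    dest = (root / m.name).resolve()
                    # Restore regular files only, and never outside the test bed.
                    if not m.isfile() or root not in dest.parents:
                        continue
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    dest.write_bytes(tar.extractfile(m).read())
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"restore failed: {type(exc).__name__}"]
        manifest_path = root / "MANIFEST.json"
        if not manifest_path.is_file():
            return ["manifest missing"]
        problems = []
        for name, digest in json.loads(manifest_path.read_text()).items():
            f = root / name
            if not f.is_file():
                problems.append(f"missing: {name}")
            elif hashlib.sha256(f.read_bytes()).hexdigest() != digest:
                problems.append(f"hash mismatch: {name}")
        return problems

def quarterly_restore_test(catalog, sample_size):
    """Pick a random sample of archives and map each to its list of problems."""
    sample = random.sample(catalog, min(sample_size, len(catalog)))
    return {str(a): restore_and_verify(a) for a in sample}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "good.tar.gz"
        make_backup(good, {"etc/app.conf": b"port=8443\n"})
        print(quarterly_restore_test([good], 1))
```

Because the manifest travels inside the archive, this check catches corruption but not deliberate tampering; keeping a copy of the digests separately from the backup media would cover that case.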

Protect Backups

Backups could be directed to various locations, such as network-attached storage, removable media, or a cloud-based datastore. The size and budget of your department will directly affect what approaches are feasible for you. It is important to ensure that onsite backup data is not directly accessible by other hosts on the network. Direct access to backup data should be limited to the backup utility used to perform backup and restore activities. Ideally, archived data should be stored offsite and offline with physical safeguards.

The biggest mistake you can make is assuming your organization will not be targeted. Do not assume that because you are not handling government secrets it is alright to leave the removable media holding your backups sitting on your desk. Physical security measures for media containing backup data must be enforced as rigorously as those pertaining to the network. It is also important to ensure that backup data destined for off-site storage is encrypted when saved to removable media.

Ensure Backups Have At Least One Non-Continuously Addressable Destination

CIS Control #10 specifically urges that “…all backups have at least one backup destination that is not continuously addressable through operating system calls.”

After gaining a foothold in a system, attackers typically enumerate the systems present in your network, slowly mapping its architecture and attempting to escalate privileges across multiple points.

Because of this, it is unsafe to assume that any backup data accessible through your network is ultimately safe. As mentioned in the 3-2-1 method, and explicitly urged in CIS Control #10, at least one backup should be located offline and preferably offsite.

The most important ideas to remember when designing your backup systems are:

  • Scheduling
  • Automation
  • Verification
  • Redundancy
  • Security

Addressing each of the above items will help to ensure the safety and recoverability of your network systems and company data.