Maersk had a strong backup strategy, but it excluded one crucial category of system, resulting in disaster. In this video, Mike Chapple explains the importance of building and testing a robust backup strategy.
- [Instructor] The final lesson that we can draw from the Maersk breach is another common one from security incidents: Perform and test backups. When an organization falls victim to a ransomware attack, backups can ensure the rapid recovery of systems and information by restoring them to the state they were in before the attack took place. Backups provide organizations with a fail-safe way to recover their data in the event of a ransomware attack, technology failure, human error, natural disaster, or other circumstances that result in its accidental or intentional deletion or modification.
Backups are a crucial safety net for data-driven businesses. Organizations may back their data up in many different ways. Traditionally, organizations wrote their backups to tape. And this is still a very common practice today; however, tapes are unwieldy to manage, and modern backup approaches often use alternative storage that has become much less expensive over the past few years. For example, some organizations do disk-to-disk backups that write data from the primary disk to special disks set aside for backup purposes.
Those backup disks may be in a separate facility, where it would be unlikely that the same physical disaster would affect both the primary and the backup site. Another newer trend in backups is to write backups directly to storage provided by cloud computing vendors, such as Amazon Web Services, Microsoft Azure, or their competitors. This provides great geographic diversity, as the backup data is stored in separately managed facilities, and cloud providers usually perform their own backups of their systems, providing an added layer of protection for customer data.
When performing a backup, there are three primary backup types, and they differ based upon the data that they include. Full backups, as the name implies, include everything on the media being backed up. They make a complete copy of the data. Differential backups supplement full backups and create a copy of only data that has changed since the last full backup. And incremental backups are similar to differential backups but with a small twist. They include only those files that have changed since the most recent full or incremental backup.
Maersk actually did perform backups of almost all of their systems, and those backups were crucial in getting their operations quickly up and running again. But they had omitted one critical category of systems from their backups: domain controllers. The company did not back up their domain controllers because they had 150 of them around the world. Their strategy was that, if they lost one or more domain controllers, they could simply rebuild the server and then sync it with one of their other domain controllers.
That scenario didn't imagine that an attack might wipe out all of the domain controllers simultaneously. On this front, Maersk got lucky. They found one surviving domain controller located in a remote data center in Ghana. This single computer held the link to restoring service at Maersk, and it was connected to a network that didn't have enough bandwidth to transfer the entire domain to other systems. So, Maersk took the old-fashioned approach.
Someone took the hard drive from that system, boarded a flight from Ghana to Nigeria, where they handed off the drive to another employee at the airport. That person then flew back to Europe and used the hard drive to restore Maersk's digital footprint. That was a close call that could have been avoided by testing Maersk's backup strategy. When you plan your own organization's backup strategy, make sure that you've considered the impact of a catastrophic event that affects many systems simultaneously.
Then develop a test plan that leaves you confident that your data is protected.
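The following is an added example, not code from the video, from Mike Chapple, or from Maersk. It models the three backup types the instructor describes and the "test your backups" lesson in one small Python simulation: a live filesystem is a dict of path to (content, mtime) with an integer clock for mtime, each backup records the files it captured and the tick at which it ran, and a restore test compares SHA-256 hashes of the restored copies against the live system. All names (Backup, take_backup, restore_chain, restore, verify_restore, demo) and the sample files are invented for this illustration. It goes slightly beyond the transcript by showing the restore chain each type needs and one failure mode the type definitions alone do not reveal: a file deleted on the live system is never "changed since the last backup", so an incremental does not record the deletion and a restore silently brings the file back.

```python
"""Simulated full, differential and incremental backups with a restore test.

Added example, not code from the video or from Maersk. Names and sample
files are invented; mtime is an integer clock tick, not a real timestamp.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Backup:
    kind: str      # "full", "differential" or "incremental"
    time: int      # clock tick at which the backup ran
    files: dict = field(default_factory=dict)   # path -> content captured


def _last(history, kinds):
    """Most recent backup in history whose kind is one of kinds."""
    for b in reversed(history):
        if b.kind in kinds:
            return b
    raise RuntimeError("no %s backup exists yet; take a full backup first" % "/".join(kinds))


def take_backup(fs, kind, history, now):
    """Capture the files the given backup kind requires and append it to history."""
    if kind == "full":
        since = -1                                      # everything
    elif kind == "differential":
        since = _last(history, ("full",)).time          # changed since the last full
    elif kind == "incremental":
        since = _last(history, ("full", "incremental")).time  # since the last full OR incremental
    else:
        raise ValueError("unknown backup kind: " + kind)
    captured = {path: content for path, (content, mtime) in fs.items() if mtime > since}
    backup = Backup(kind, now, captured)
    history.append(backup)
    return backup


def restore_chain(history):
    """Backup sets, in apply order, needed to restore to the state of the latest backup."""
    latest = history[-1]
    full_idx = max(i for i, b in enumerate(history) if b.kind == "full")
    if latest.kind == "full":
        return [latest]
    if latest.kind == "differential":
        return [history[full_idx], latest]              # full + most recent differential only
    # incremental: the full plus every incremental taken after it, oldest first
    return [history[full_idx]] + [b for b in history[full_idx + 1:] if b.kind == "incremental"]


def restore(history):
    """Rebuild path -> content by overlaying the chain; later sets win on a shared path."""
    restored = {}
    for b in restore_chain(history):
        restored.update(b.files)
    return restored


def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def verify_restore(fs, restored):
    """The restore test: hash every live file and compare with the restored copy.
    Returns a list of problems; an empty list means the restore matches the live system."""
    problems = []
    for path, (content, _) in fs.items():
        if path not in restored:
            problems.append(path + ": missing from restore")
        elif _digest(restored[path]) != _digest(content):
            problems.append(path + ": content mismatch")
    for path in restored:
        if path not in fs:
            problems.append(path + ": present in restore but deleted on the live system")
    return problems


def demo():
    """Constructed scenario: what each kind captures, which chain a restore needs, and a
    restore test that catches a deleted file the incremental chain silently resurrects."""
    fs = {"a.txt": ("alpha v1", 0), "b.txt": ("bravo v1", 0), "c.txt": ("charlie v1", 0)}
    history = []
    take_backup(fs, "full", history, now=1)          # a, b, c
    fs["a.txt"] = ("alpha v2", 2)
    take_backup(fs, "incremental", history, now=3)   # a only (changed since the full)
    fs["b.txt"] = ("bravo v2", 4)
    take_backup(fs, "incremental", history, now=5)   # b only (since the previous incremental)
    take_backup(fs, "differential", history, now=6)  # a and b (everything since the full)
    captured = [(b.kind, sorted(b.files)) for b in history]
    diff_chain = [b.kind for b in restore_chain(history)]
    diff_problems = verify_restore(fs, restore(history))
    inc_history = history[:3]                        # as if the differential never ran
    inc_chain = [b.kind for b in restore_chain(inc_history)]
    inc_problems = verify_restore(fs, restore(inc_history))
    # Edge case: delete a file, then take another incremental. No mtime moved, so the
    # deletion is not recorded and a restore brings c.txt back; only the test reveals it.
    del fs["c.txt"]
    take_backup(fs, "incremental", history, now=7)
    stale_problems = verify_restore(fs, restore(history))
    return {"captured": captured, "diff_chain": diff_chain, "diff_problems": diff_problems,
            "inc_chain": inc_chain, "inc_problems": inc_problems,
            "stale_problems": stale_problems}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and the differential restore needs only the full plus the latest differential, while the incremental restore needs the full plus every incremental in order, which is the trade-off between the two: differentials cost more storage per run but a shorter, less fragile chain at restore time. The last result is the point of the instructor's closing advice: both restores pass the hash check until a file is deleted, and then the test, not the backup logs, is what shows that the restored system no longer matches the live one.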