The CSC 10.4 standard is a collection of the Critical Security Controls recommendations by the Center for Internet Security related to data recovery. The CIS Critical Security Controls are based on real-world knowledge of actual attacks and effective defenses, and reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals), with every role (threat responders and analysts, policy-makers, auditors, etc.), and within many sectors (government, finance, academia, security) who have banded together to create, adopt, and support the controls. Specifically, section 10.4 of the CSC standard is: Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations.
Summary:
- The primary copy set is the MediaAgent with the deduplication store that lands all the backup copies; it is persistent and always on.
- Set up two independent DASH Copy targets on different servers or storage systems for complete partitioning; each is an individually dedicated system.
- On even weeks, write the DASH copy to GOLD using a selective copy; BLUE is powered off.
- On odd weeks, write the DASH copy to BLUE using a selective copy; GOLD is powered off.
- Scheduling can be used to sequence the power up and power down.
- Ensure aging and verification are not scheduled while a library is offline.
Ransomware works over time, so this strategy stretches out over a week. Flipping a disk or MediaAgent store daily runs the risk that the ransomware learns that behavior and corrupts both today's and tomorrow's system. If the primary MediaAgent (MA) is corrupted, the immediate fallback is the selective DASH copy of that week, with an RPO of the last replicated jobs. It is critical to monitor the DASH copy fall-behind and ensure enough bandwidth and performance to avoid latency or lag.
If the ransomware did traverse to the secondary site and compromised the GOLD set (assuming it is the active GOLD week), then the last line of defense is the offline BLUE collection. Realize that the RPO is potentially a 7 day loss. This setup offers independent dedupe stores on each of the three copies, for safety and to minimize the loss from a complete corruption.
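The week-parity rotation, the scheduling check for the offline library, and the worst-case RPO described above, as an added Python example that is not from the original article or from any backup vendor's product. GOLD and BLUE are the article's target names; the even/odd ISO week rule, the Job records and the timestamps are constructed assumptions for illustration.

```python
"""Week-parity rotation of an offline (non-addressable) DASH copy target.

Added example, not from the original article or from any backup product.
GOLD and BLUE are the article's target names; the ISO-week parity rule,
the Job records and the timestamps are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

TARGETS = ("GOLD", "BLUE")


def active_target(day: date) -> str:
    """Target that is powered on and receives the selective copy in `day`'s week.

    Assumed rule: even ISO week number -> GOLD online, BLUE powered off;
    odd ISO week number -> BLUE online, GOLD powered off.
    """
    week = day.isocalendar()[1]
    return "GOLD" if week % 2 == 0 else "BLUE"


def offline_target(day: date) -> str:
    """The other target, which must stay powered off (not OS-addressable)."""
    return "BLUE" if active_target(day) == "GOLD" else "GOLD"


@dataclass(frozen=True)
class Job:
    name: str     # constructed job kinds: "aging", "verification", "dash_copy"
    target: str   # library the job touches
    run_on: date  # scheduled run date


def schedule_conflicts(jobs: list[Job]) -> list[Job]:
    """Jobs scheduled against a library that is offline in their week.

    Aging and verification against the powered-off library cannot succeed,
    so such jobs should be moved to that library's online week.
    """
    return [j for j in jobs if j.target == offline_target(j.run_on)]


def week_plan(day: date) -> dict:
    """Power actions for the ISO week (Monday start) containing `day`."""
    monday = day - timedelta(days=day.weekday())
    on = active_target(monday)
    return {
        "week_start": monday.isoformat(),
        "power_on": on,
        "power_off": offline_target(monday),
        "selective_dash_copy_to": on,
    }


def worst_case_rpo(last_offline_copy: datetime, compromise_detected: datetime) -> timedelta:
    """Data-loss window when both the primary and the online copy are corrupted.

    Recovery then falls back to the offline target, whose newest data is the
    last selective copy completed before it was powered off.
    """
    return compromise_detected - last_offline_copy


if __name__ == "__main__":
    # Constructed schedule: ISO week 1 of 2024 (odd) has BLUE online, GOLD off.
    jobs = [
        Job("aging", "GOLD", date(2024, 1, 3)),         # conflict: GOLD is off
        Job("verification", "BLUE", date(2024, 1, 3)),  # fine: BLUE is on
        Job("aging", "GOLD", date(2024, 1, 10)),        # fine: week 2, GOLD on
    ]
    print(week_plan(date(2024, 1, 10)))
    print([j.name + "@" + j.target for j in schedule_conflicts(jobs)])
    print(worst_case_rpo(datetime(2024, 1, 7, 2), datetime(2024, 1, 14, 2)))
```

The conflict check is the part worth wiring into a change-control gate: any aging or verification job whose target resolves to the offline library for its run date is rejected before it reaches the scheduler, rather than being discovered as a failed job (or a stuck retry) during the week the library is dark.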
