CMMC – Backup Systems Assurance

This blog post ‘CMMC – Backup Systems Assurance’ is the fifth in a series on Cybersecurity Maturity Model Certification (CMMC) – a US Department of Defense (DoD) initiative that imposes requirements on contractors and subcontractors to help safeguard information within the US defense supply chain.

This post looks at the ‘Recovery’ domain, the security disciplines surrounding backup systems and how organisations can follow the CMMC guidelines to achieve a more robust approach to ensuring their backup systems function as expected, and can be relied on, when needed.

Backups and Cybersecurity

We know the importance of backups in the recovery of failed systems and in retrieving information when things go wrong. An essential lesson in backup management is ensuring the backups are frequent and complete, and the recovery process works. Regular testing of the restore process helps prevent unexpected problems when you are dealing with an incident, since a failed backup procedure might result in you not being able to recover the data you thought you’d safely stored offsite.

Two types of attacks – those that affect availability and those that affect data integrity – are also mitigated through good backup and restore capabilities, which is why system recovery is such a critical control highlighted by the CMMC. The Australian Cyber Security Centre (ACSC) also cites backups as one of the Essential Eight critical security controls all organisations should have in place. So, what should you consider when designing a backup solution as a security control?

How frequently should backups be taken?

Many organisations follow a daily backup routine, but for information changing more frequently, interim differential backups are also a good idea, since each iteration of the backup means you potentially lose less of the work your organisation has undertaken since the last restore point.

Some organisations perform continuous backups where all changes to critical data are stored incrementally in a backup location so that every change can be recovered in the event of a failure. Transactional financial data (banking and stock market trades), along with vital health information from monitoring systems are two examples of the kinds of data that might require continuous backup, so for these solutions, cloud backup services are by far the best approach, since they are always-on and always accessible.

Frequent backups of critical business data, along with important configuration settings, should be retained for at least three months.

After a cybersecurity incident occurs – such as a ransomware attack – if you have a full and recent backup of your organisation’s most critical business data, you don’t need to consider paying the criminals for the decryption keys. Yet for many organisations, the first time they verify whether their backup solution works is when they attempt to restore it during the incident management process.

Online or offline storage of backups?

Traditional best practice ICT systems management recommends that backups are be stored offline. However, the alternative of storing data online, but in a non-rewritable and non-erasable manner, also works well. Backup solutions that run in the cloud can be both online and offsite plus have the bonus of being easily accessible.

Backup system testing

Testing should occur as frequently as makes sense to your specific business operations. It should ensure a full recovery is possible after infrastructure changes occur, since a change could introduce something into the enterprise that results in the recovery process not working. The first time you discover this error should not be during an incident.

The CMMC suggests that users should be encouraged not to store data on their PC’s local hard drive or removable USB media since that data is rarely included in the business’s backup regime. For critical business data – the information the user and the business absolutely does not want to lose – should be stored in an enterprise-provided storage solution that is guaranteed to be included in the backup regime.

Test, test and test again

Testing is vitally important in any recovery plan; verifying backups have been successful and recovering systems or data even partially helps assure the process and provide guarantees that the recovery process will work in a real situation.

You should look for ways to monitor the backup system to ensure it works, passing logs back to the security team to keep an eye on the solution’s utility over time. If the approach you use is a custom backup design, where you might just be copying essential files to an online storage location, you can still create scripts to verify the copy process worked and whether all the data (and even their details) have been successfully stored in the target location. This data can also be sent to the SOC to monitor for issues and deal with failures.

Maturing Your Backup Security

Once you have confirmed your backup process works and you can recover data, there are a few security requirements you should consider to further protect the confidentiality of the data stored in those backups.

Backup system encryption

Some backup systems use encryption to safeguard the confidentiality of data since backups are often targeted by criminals who know that in many cases, businesses forget that the security of storage locations needs to be as strong as the primary locations within production systems.

Link to the incident management process

The backup systems need to be hooked into your incident management process to ensure it doesn’t try to overwrite the last known good backup during a cyber security incident. There have been many examples of businesses falling foul to ransomware attacks  where a properly working backup solution has overwritten good business data with the encrypted information, making recovery impossible.

When you take full backups of all files, so that servers can be recovered, you should be aware that those backups could already contain the malware you are trying to avoid, depending on how long it’s been within your environment. Some organisations have recovered their systems and started working again only to find that they have been reinfected. The way you store full backups and incremental backups of critical information should always be considered in these use cases. The Center for Internet Security (CIS) offers three tips to help you mature your backup process:

1. Ensure all system data is automatically backed up regularly.
2. Ensure all the organisation’s critical systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
3. Ensure that all backups have at least one offline (i.e. not accessible via a network connection) backup destination.

Business Continuity

Backups capture your business’s operation at any one point in time.  They form a vital aspect of your security architecture, protecting both the integrity and availability of your services, systems and critical business information. To keep your business safe, don’t leave it to chance…. back yourself.