Data Backup – How Not to Lose Data When Hacked (In Real Life)

In the previous article, “Data Backup – How Not to Lose Data When Hacked (In Theory)”, I wrote that backups are what you must have in case of a network attack, and that you have to be sure you can rely on them. At PATRON-IT, after several years of work (and experience with different technologies) and a series of debates, we have settled on a number of proven technologies that we trust and use for all of our customers, always at least 2 of them per customer. Better safe than sorry. 🙂 This way we are sure that the backups will survive.

Veeam endpoint backup + Synology NAS

Our most versatile backup technology: it resists both ransomware and human intruders while remaining affordable. It consists of backing up entire servers/workstations with Veeam endpoint backup (free for workstations and servers) to a shared folder on a NAS. The NAS is any Synology model that supports Btrfs (and therefore snapshots). The shared folders holding the backups are snapshotted automatically on the NAS.

  • Veeam Agent

    • Free of charge for workstations and servers.
    • Allows you to back up entire PCs/servers and restore them to different hardware or as virtual PCs/servers.
    • Allows backup compression (saving a lot of disk space).
    • Keeps a configurable number of backups on any schedule.
    • Backups are very fast and can run during working hours. If the server is adequately sized, users won't notice.
  • Synology NAS with Btrfs

    • Thanks to multiple disks, the backups survive a single disk failure.
    • If the entire NAS fails, the drives can be moved to another NAS or a Linux PC and the data can be accessed.
  • Resistance to electronic attacks

    • Shared folders on the NAS require login credentials. The credentials are stored in Veeam, which runs under the “system” account. That means a user without admin rights on the workstation will not get to the shared folders with backups, and therefore a virus/program running with user rights cannot access those folders either.
    • If someone does get to the backups and deletes them, the entire shared folder can be restored within seconds by rolling back to an older snapshot.
    • To delete the snapshots, an attacker would need access to the NAS administration, which is protected by separate login credentials. We have gone so far that the only things reachable from the customer's network are the shared folders; NAS web management is reachable only from our offices. That means the customer never has this password on any of their PCs and cannot get into the NAS web management. We have also reduced the attack surface of the NAS (most exploits target the web interface, and that is blocked on the NAS firewall).
  • What else can we do

    • Our monitoring system finds out every single day, from all workstations and servers, whether the Veeam backups have succeeded (there is no need for a time-consuming manual check of the backups, and if there is a problem we learn about it right after the first unsuccessful backup).
    • Extensions of our monitoring system watch the NAS system status, disks, RAID, OS version, firewall functionality, and NAS availability. We also handle NAS updates and SMART disk tests. If a problem occurs, we learn about it within 5 minutes.
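A daily freshness check of the kind described above, written as an added example (this is not PATRON-IT's monitoring code). It assumes that Veeam Agent writes into one subfolder per machine on the NAS share, that the files to look for are Veeam's .vbk (full) and .vib (incremental) backups, and that the share path and the 26-hour threshold are placeholders to adjust.

```powershell
# Added example, not PATRON-IT's monitoring code: scan the NAS share that Veeam
# Agent backs up to and flag any machine whose newest backup file is stale.
# Assumptions: one subfolder per backed-up machine, Veeam's .vbk (full) and
# .vib (incremental) files inside it, a placeholder UNC path and a 26-hour
# threshold (daily backups plus some slack) to adjust for the customer.
param(
    [string]$Share = '\\NAS01\VeeamBackups',   # placeholder share path
    [int]$MaxAgeHours = 26
)

$cutoff = (Get-Date).AddHours(-$MaxAgeHours)
$stale  = 0

foreach ($machine in Get-ChildItem -Path $Share -Directory) {
    $name  = $machine.Name
    $files = Get-ChildItem -Path $machine.FullName -File -Recurse |
        Where-Object { $_.Extension -in '.vbk', '.vib' }
    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1

    if (-not $newest) {
        Write-Output "ALERT ${name}: no Veeam backup files found"
        $stale++
    }
    elseif ($newest.LastWriteTime -lt $cutoff) {
        $when = $newest.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        Write-Output "ALERT ${name}: newest backup $($newest.Name) is from $when"
        $stale++
    }
    else {
        # Also report the restore point count so a shrinking chain is noticed
        $when = $newest.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        Write-Output "OK    ${name}: $($files.Count) restore points, newest $when"
    }
}

# A non-zero exit code lets the monitoring agent raise the alarm after the first miss
exit $stale
```

Run it from a monitoring host that can read the share but has no rights to delete on it, so the check itself does not become a way to reach the backups.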

Altaro + Hyper-V

Altaro is paid backup software that supports both Hyper-V and VMware. Because it backs up virtual servers, it is not suitable for the smallest businesses that run no virtualization. Altaro is a cheaper alternative to the more expensive Veeam Backup & Replication. Depending on the customer, we back up the virtual machines either to local server storage (high bandwidth) or to network storage (a different server or a NAS).

  • Altaro

    • It has deduplication and compression (saving a lot of disk space).
    • Allows you to run a virtual server directly from a backup.
    • Supports encrypted backups as well as external media such as Tandberg.
    • Performs automatic backup integrity verification.
    • Backups are very fast and can run during working hours. If the server is adequately sized, users do not notice.
  • Resistance to electronic attacks

    • I have always recommended not putting Hyper-V hosts in the same domain as their virtual machines (either keep them standalone or in their own separate domain). The point is that if the domain is compromised, the attacker does not automatically reach the Hyper-V servers where the backups are located (or the backups themselves). Compromising a domain is not that difficult, and you do not want to lose the backups along with the domain.
    • Another security measure is to give the Hyper-V servers a separate VLAN, which we isolate completely from the other VLANs. To reach this VLAN, you must either plug into a dedicated port on the switch or come in through the VPN from our offices. As a result, an attacker who compromises the LAN cannot compromise the Hyper-V servers themselves (assuming there is no working VM-to-host escape exploit).
  • What else can we do

    • Our monitoring system verifies every day whether the backups have succeeded (no need for a time-consuming manual check, and if there is a problem we learn about it at the first unsuccessful backup).
    • We can monitor the hardware status of the backup targets, whether NASes or local storage.

Windows server backup

Something of an “emergency” tool in our toolkit. It has been a Windows Server component since 2008. Windows Server Backup is easy to use, can manage the backup space itself, and can use VSS snapshots (as a pseudo “change block tracking”) to speed up backups.

We used it more often in the past; now we are replacing it with the technologies mentioned above. It is more stripped down, slower at backing up, produces larger backups, and is limited to smaller disks. In addition, there is a risk of old backups being overwritten (if there is a big change in the production data [e.g. due to ransomware] and the target backup partition is small).

  • Windows server backup

    • It is included directly with Windows Server 2008 and newer.
    • It manages the backup space itself.
  • What else can we do

    • Our monitoring system verifies every day that the backups have succeeded (no need for a time-consuming manual check, and if there is a problem we learn about it at the first unsuccessful backup).
    • We automatically monitor the number of backups on the target repository (in the past we have had backups overwriting each other).
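The two checks above for Windows Server Backup (last run succeeded, and the number of retained backups is not quietly shrinking because the target is too small) can be scripted with the built-in WindowsServerBackup module. This is an added example, not PATRON-IT's monitoring code; it assumes a local target volume (drive letter or \\?\Volume{...}\ path) and placeholder thresholds.

```powershell
# Added example, not PATRON-IT's monitoring code: check the last Windows Server
# Backup run with the WindowsServerBackup module and make sure the target
# volume still has room, so old backups are not silently pushed out after a
# large change to production data. Assumes a local target volume (drive letter
# or \\?\Volume{...}\ path); thresholds are placeholders to adjust.
Import-Module WindowsServerBackup

$MaxAgeHours    = 26
$MinFreePercent = 15
$issues = @()

$summary = Get-WBSummary
if ($summary.LastBackupResultHR -ne 0) {
    $issues += 'Last backup failed (HRESULT 0x{0:X8}): {1}' -f $summary.LastBackupResultHR, $summary.DetailedMessage
}
if ($summary.LastSuccessfulBackupTime -lt (Get-Date).AddHours(-$MaxAgeHours)) {
    $issues += "Last successful backup is older than $MaxAgeHours h: $($summary.LastSuccessfulBackupTime)"
}

# Retained versions on the target; a drop compared with yesterday's count means
# the small target partition has started overwriting old backups
$versions = @(Get-WBBackupSet).Count
if ($versions -lt 2) { $issues += "Only $versions backup version(s) retained on target" }

# Free space on the target volume (Win32_Volume matches drive letters via Name
# and volume GUID paths via DeviceID)
$target = $summary.LastSuccessfulBackupTargetPath
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $target -or $_.DeviceID -eq $target }
if ($vol) {
    $freePct = [math]::Round(100 * $vol.FreeSpace / $vol.Capacity, 1)
    if ($freePct -lt $MinFreePercent) { $issues += "Target $target has only $freePct% free" }
} else {
    $issues += "Could not resolve target volume '$target' for a free-space check"
}

if ($issues) {
    $issues | ForEach-Object { Write-Output "ALERT $_" }
    exit 1
}
Write-Output "OK last backup $($summary.LastSuccessfulBackupTime), $versions versions retained"
exit 0
```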

Supplementary technologies

In addition to the core technologies above, with which we always back up the entire server/workstation, we also use the following supplementary ones.

Managed online backup

This is a cloud backup that we have integrated into our monitoring system. It supports backup of various databases, virtual servers, and local and shared folders. In addition, it gives us the option of archiving (keeping a backup for an unlimited period). Alternatively, you can use Azure Backup or another cloud backup.

The advantage of cloud backups is that they cannot be deleted from the server or workstation and are therefore resistant to viruses and hackers. Because they are kept elsewhere, they also survive natural disasters and theft inside the company. Another advantage is the direct connection to our monitoring system.

Tapes/Tandberg

An alternative to cloud backups where the internet connection is too slow or the customer does not want their data in the cloud. The external media (with encrypted backups) are taken off-site and are not available online, so the backups are resistant to thieves, natural disasters, viruses, and hackers. Monitoring of these backups is, of course, provided by the monitoring system.

Previous versions

Basic operating system functionality available since Windows 7 and Windows Server 2008. It lets you schedule regular “snapshots” of a disk. Users can then restore their data themselves (right-click the folder/file and select “Restore previous versions”).

The main advantage of the technology is the speed of a “snapshot”, which takes just a few seconds. It is ideal for shared folders, where snapshots can be scheduled every hour (or even more often). When a user deletes a shared file or makes a bad edit, you restore the file from a snapshot that is at most a few tens of minutes old. In addition, the snapshots are economical with space (they only start taking up space when the data on the disk changes, the so-called copy-on-write).

We use the technology on all servers with shared folders and, in a simplified form, on all workstations.

  • What else can we do

    • On servers, the monitoring system checks that Previous Versions are turned on and regularly generated for every disk that hosts shared folders. When someone creates a new shared folder, it cannot happen that Previous Versions are left turned off.
    • On workstations, the monitoring system checks that System Restore is turned on. System Restore automatically takes full-disk snapshots when installing updates and applications and on system changes. If the monitor on a computer detects that the feature is off, it turns it back on itself.
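Both checks in the list above, as an added example (not PATRON-IT's monitoring code): on a file server it looks for Previous Versions shadow copies on every volume that hosts a non-administrative share and verifies the newest one is fresh; on a workstation it verifies System Restore is on and enables it if not. It assumes an hourly snapshot schedule (so anything older than 2 hours is stale), treats the RPSessionInterval registry value as the “System Restore enabled” indicator, and must run elevated.

```powershell
# Added example, not PATRON-IT's monitoring code: on a file server, verify that
# every volume hosting a shared folder has Previous Versions snapshots and
# that the newest one is fresh; on a workstation, verify System Restore is on
# and enable it if not. Assumptions: hourly snapshot schedule (so >2 h is
# stale), and the RPSessionInterval registry value as the "System Restore
# enabled" indicator; run elevated.
$MaxAgeHours = 2
$alerts = 0

# --- Servers: Previous Versions on volumes that host non-administrative shares
# Share path "D:\Shares\Data" -> drive "D:" (matches Win32_Volume.DriveLetter)
$shareDrives = Get-SmbShare |
    Where-Object { -not $_.Special -and $_.Path } |
    ForEach-Object { $_.Path.Substring(0, 2) } |
    Sort-Object -Unique

$volumes = Get-CimInstance Win32_Volume
$shadows = Get-CimInstance Win32_ShadowCopy   # VolumeName is the \\?\Volume{...}\ path

foreach ($drive in $shareDrives) {
    $vol    = $volumes | Where-Object { $_.DriveLetter -eq $drive }
    $newest = $shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $newest) {
        Write-Output "ALERT $drive hosts shares but has no Previous Versions snapshots"
        $alerts++
    } elseif ($newest.InstallDate -lt (Get-Date).AddHours(-$MaxAgeHours)) {
        Write-Output "ALERT $drive newest snapshot is from $($newest.InstallDate)"
        $alerts++
    } else {
        Write-Output "OK    $drive newest snapshot $($newest.InstallDate)"
    }
}

# --- Stations: System Restore must be on (Enable-ComputerRestore exists on client SKUs only)
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr = Get-ItemProperty -Path $srKey -Name RPSessionInterval -ErrorAction SilentlyContinue
if ($sr -and $sr.RPSessionInterval -eq 1) {
    Write-Output "OK    System Restore is enabled on $env:SystemDrive"
} elseif (Get-Command Enable-ComputerRestore -ErrorAction SilentlyContinue) {
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Write-Output "FIXED System Restore was off on $env:SystemDrive and has been enabled"
    $alerts++
}

exit $alerts
```

On a server the System Restore part is skipped silently because the cmdlet does not exist there; on a workstation with no shares the loop simply has nothing to check.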

Snapshots

For some customers we also use snapshots in Hyper-V or directly on the shared network storage. So far this is nothing standardized, rather a way of addressing customer-specific needs (unfortunately, exceptions to the standards sometimes exist). We will see whether this becomes a standard as things evolve.

Conclusion

For the sake of clarity, I have tried to capture the properties of each method in one summary table.

Overview of our backup methods

How do you like our backup solutions? Do you have better solutions or ideas for improvement? Please let me know; I will be very glad of your feedback.
