Today, I will be going over Control 10 from version 7 of the CIS top 20 Critical Security Controls – Data Recovery Capabilities. I will go through the five requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 10
- Backups can save your company. After getting hit with ransomware, some companies have had to pay millions in ransom. While a Fortune 500 company may be able to take that type of hit, the vast majority of us cannot.
- Don’t forget to test. The importance of testing data backups is just as critical as actually creating the backups. This doesn’t have to be a complex procedure; a simple test file on a non-critical server can be quickly tested in a matter of minutes. However, it’s not a bad idea to run through a full restore of a system every now and again, either.
- How often is a regular basis? This is a great question when it comes to how often you need to run a full, incremental, or differential backup. There is no official guidance on what this number would be from regulatory frameworks, so balance performance and storage costs to a level of risk that is acceptable for the business.
Requirement Listing for Control 10
1. Ensure Regular Automated Back Ups
Description: Ensure that all system data is automatically backed up on regular basis.
Notes: There are a lot of reasons why you want to perform backups. Availability is the key component that was the driver of this control historically. Now that ransomware is prevalent across any industry, this can be a driver to show additional ROI for backup solutions.
2. Perform Complete System Backups
Description: Ensure that each of the organization’s key systems are backed up as a complete system through processes such as imaging to enable the quick recovery of an entire system.
Notes: The three main backup types are full, incremental, and differential. There are pros and cons to each type, primarily around the performance of obtaining and restoring backup data. A full backup will take longer to create; however, restoring a full backup is much quicker than restoring from incremental or differential backups. The best option is to have a mix of backup types, such as a full backup once a week with daily incremental backups.
3. Test Data on Backup Media
Description: Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
Notes: There are two reasons why this is absolutely critical. The first is that you need to be sure that the backups are working before you actually need them. Nothing is worse than losing a critical file before finding out that the backups didn’t complete properly and you cannot restore it. The second comes in the face of ransomware. By testing backups, you can have confidence in restoring encrypted files. You will also have an idea about the internal costs associated with restoring these files and can make an informed decision that restoring files is cheaper than paying a ransom.
4. Protect Backups
Description: Ensure that backups are properly protected via physical security or encryption when they are stored as well as when they are moved across the network. This includes remote backups and cloud services.
Notes: Sophisticated threat actors have historically gone after backup data. However, since IT organizations have been restoring data rather than paying a ransom, ransomware authors have also begun targeting backup files to prevent restoration.
5. Ensure Backups Have At least One Non-Continuously Addressable Destination
Description: Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.
Notes: This one is related to the previous requirement. Malware can be written to automatically target backups before they wreak havoc on your data. This means that the backup source should have a copy of the data stored offline. This can be written to a disk, tape, or even a USB drive for smaller organizations. Just don’t leave your USB drive plugged in and think you are safe.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 Critical Security Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
You can also learn more about the CIS security controls here.