
_bobby_tables_ t1_iwh5ok3 wrote

It really is. A company should develop an action plan ahead of time. A recovery path should be designed to restore the most critical systems first. The plan should be updated and tested.

My company can recover from a worst case scenario starting with bare metal in less than three days for production systems, and another two days for non-critical systems (finance, HR, legacy and a few minor administrative systems).

This is really a solved problem with a little prep work. These days I see ransomware payments as a tax on stupidity and/or incompetence. I have no sympathy.

6

Not_as_witty_as_u t1_iwhewiq wrote

How does a backup solve this though? Isn’t the ransom the threat of releasing the data?

6

_bobby_tables_ t1_iwiz1b3 wrote

Sensitive data at rest should be encrypted. So if hackers get your data, the risk of release is low. My company also insures for a year of LifeLock for any customers impacted by an intrusion.

5

Fieos t1_iwh8wj7 wrote

It really isn't, especially when you are talking in the amounts of petabytes of backup data. Plus, so much of it depends on how you were compromised...

You should have an action plan, you should have backups, but saying it is 'simple' is pretty specific to the company. But you are an Internet badass, I get it.

1

nvrmor t1_iwhtdku wrote

>internet badass, I get it.

You don't need to insult people. You could, you know, provide evidence to support your claim...

2

Fieos t1_iwhzqr0 wrote

Okay, sure.

- Source: 20+ year IT veteran specializing in the private cloud computing areas of business continuity, disaster recovery, and cyber-threat resiliency.

People often think, "I have backup... I'm good."

How do you know if your backups aren't also compromised? Are you scanning for metadata changes in your archive? If your infrastructure was targeted, do you have a recovery plan for all your data center services? DNS/NTP/LDAP/SMTP/PKI/etc?

Are your business processes aligned to report and communicate internally (and possibly externally) in the event of a security breach? If you are compromised and recovering to an alternate restore target... do you have your VIPs configured to handle the new locale?

Do you have all your binaries for a site rebuild onsite in a vault and are all your runbooks current? Have you actually even tested restores?

Say you are recovering from backup and everything else is good? What is your throughput to get your data back on disk?

If your data is encrypted by a third party, what's the plan? If the data is already outside of the environment... what's the plan?

None of this is simple at scale.

2
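Two of the questions in the comment above ("how do you know if your backups aren't also compromised?" and "what is your throughput to get your data back on disk?") can be answered with a little tooling. The following is an added example written for this thread, not code posted by any of the commenters: it builds a manifest (size, mtime, SHA-256) of a backup tree, compares a later manifest against a baseline to flag files that were modified, removed or added after the backup was taken, and estimates the restore window from total bytes and measured restore throughput. The directory layout, file names and the sample throughput figure are all constructed for the demo; in practice the baseline manifest would be written to immutable or offline storage so that whoever alters the archive cannot also alter the record of it.

```python
"""Backup manifest integrity check and restore-window estimate (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk a backup tree and record size, mtime and SHA-256 for every file.

    Hashing the content catches files rewritten in place (for example encrypted
    by ransomware) even when size and timestamp were preserved; recording the
    metadata as well lets the check flag suspicious metadata-only changes.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": digest,
            }
    return manifest


def save_manifest(manifest, dest):
    """Persist the baseline as JSON (intended for write-once / offline storage)."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def compare_manifests(baseline, current):
    """Return sorted lists of paths that changed, vanished or appeared."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def restore_hours(total_bytes, throughput_bytes_per_s):
    """Hours needed to put total_bytes back on disk at a measured restore rate."""
    if throughput_bytes_per_s <= 0:
        raise ValueError("throughput must be positive")
    return total_bytes / throughput_bytes_per_s / 3600.0


def demo():
    """Constructed scenario: take a baseline, tamper with the archive, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "prod.dump").write_bytes(b"constructed sample dump\n" * 100)
        (root / "config.tar").write_bytes(b"constructed config tarball\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Simulated tampering after the backup was taken: the dump is rewritten
        # in place, one archive member disappears, and a stray file shows up.
        (root / "db" / "prod.dump").write_bytes(b"opaque-bytes\n" * 50)
        (root / "config.tar").unlink()
        (root / "README.txt").write_bytes(b"unexpected file\n")

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # Constructed figures: 500 TB of backup data restored at 2 GB/s.
    print(f"restore window: {restore_hours(500e12, 2e9):.1f} h")
```

The throughput number is the part people skip: it has to come from a real test restore to the real target, not from the backup appliance's datasheet, because that is the figure that turns "we have backups" into "production is back in N days".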

nvrmor t1_iwi0d0v wrote

yeah but what if you just used a backup?

−1

_bobby_tables_ t1_iwhzw9i wrote

Wait. I was happy to be called an internet badass. I read no sarcasm at all into that.

1

Fieos t1_iwi7jso wrote

I will continue to dub thee with the highest level of Internet badassery, even if /u/nvrmor stands in the way.

1

nvrmor t1_iwi9kpj wrote

pfft you wouldn't know internet badass if it fragged you straight in the face. I ran gentoo in 2002 and have written DOZENS of bash scripts. All you need is a little rsync to stop ransomware and it doesn't take 2 braincells to figure that out genius jeez

1

Fieos t1_iwicibm wrote

Come at me bro... I still mostly remember my ICQ number.

1