Security Tips For Protecting Your Backup Servers - IT Best Of Breed

Transcription

WHITE PAPER

Security Tips for Protecting your Backup Servers

The Problem

The rapid rise of malware attacks in the past few years has brought to the attention of administrators and C-level roles alike the increased risk businesses face today regarding data loss, crippling production delays and harmful reputation hits. Not only is the frequency of malware on the rise, but the ever-changing complexity, or polymorphic characteristics, of malware creates a huge hurdle for detection to find and isolate. In fact, in 2019, 93% of malware strains seen by Webroot were polymorphic.[1]

This has led to businesses evaluating and implementing a multilayered approach to securing and protecting company data. This paper will focus on additional measures and techniques to specifically protect the backup environment, as well as the Carbonite multi-layer approach for securing your data, part of our cyber resilience philosophy.

The Cyber-Resilience Approach

Cyber Resilience is the ability to continuously deliver the intended outcome despite adverse cyber events. Think of cyber resilience as digital fitness. It’s the ability to absorb punches and get back on your feet, no matter what threatens. The concept of cyber resilience is critical for companies of all sizes, as is the ability to not only be as secure as possible from breaches, but also quickly recover and continue business as usual even if a breach does occur. Put simply, strong cyber resilience could make the difference between continuing to grow your business and going under. Carbonite and Webroot have a full suite of cyber resilience solutions for every business.

- Webroot Security Awareness Training is for your first line of defense: your people. It provides a phishing simulator, robust training courses, and reporting, and helps support compliance requirements.
- Webroot DNS Protection is the first DNS Protection service to marry DoH (DNS over HTTPS) privacy with security. This solution provides enhanced connectivity, helps reduce latency and stops up to 88% of known malware.[2] It’s also simple, fast and easy to deploy.
- Webroot Endpoint Security is our leading next-generation security solution. It provides advanced security and detection, simplified security management and integrated support and remediation.
- Webroot BrightCloud Threat Intelligence is the primary driver behind our power-in-prediction and cyber resilience platform.

These solutions are complemented by offerings from Carbonite, including:

- Carbonite Endpoint provides comprehensive protection of all the data that resides on your endpoints to help prevent data loss, while providing advanced administrative control and award-winning support.
- Carbonite Backup for Microsoft 365 is a complete backup solution for the entire suite of Microsoft 365 applications, including protection from data loss due to human error and ransomware attacks.
- Carbonite Recover enables rapid recovery in the cloud for your entire business through continuous real-time replication.
- Carbonite Availability uses continuous, byte-level replication to maintain an up-to-date copy of your operating environment.
- Carbonite Migrate moves server workloads across different hardware platforms, storage types and operating systems with minimal risk and near-zero downtime.
- Carbonite Server offers efficient, comprehensive, all-in-one protection for servers with flexible deployment and optional local failover.

Tips to Secure Your Backup Environment

Backup is your copy of your most valuable digital assets. Implementation of secure backup policies is necessary to facilitate disaster recovery protocols when adverse events threaten to disrupt operations. It requires a deep understanding of the different types of data under protection and the urgency of the data for the users who depend on it.

With the right tools for protecting data, any organization can establish secure backup policies that help ensure the availability of data. The important thing to remember is that backup security is not a project, but a process that requires constant monitoring and improvement.

The sections listed below serve as tips for implementing a more secure backup infrastructure. We will primarily focus on securing the Carbonite Server director. The director serves as the storage repository for your backups. It also performs other tasks like replication to maintain multiple copies of your data through N:1, 1:1 and N:1:1 replication.

1. Do not broadcast your backup server

When deploying a backup server, stealth can be your friend. Adding an Active Directory entry for your backup server is like providing an advertisement message saying, “I’m right here.” Instead, use Windows workgroups or connect agents to the backup server via static IP address. The less information known about the backup server, the better.

Hide OS services and application version numbers when possible. Some services and applications installed on the protected server may display version information via an HTTP header. Providing this version information can also provide an attacker with useful information regarding potential exploits. It may be simple to remove this information by deleting it from the HTTP header of its greeting banner. Since the director runs on a Windows Server operating system, examine the protected server’s OS for specific Windows services. You may wish to scan those service and application ports with a tool such as Nmap or Netcat to verify the information presented. For specific services or applications, you should refer to the product support documents or vendor website. Also use caution before modifying any application settings.

These types of procedures are often referred to as “Security through obscurity” or STO. The technique can be a useful way to reduce the chances of attack, but only when employed along with other security components that form a complete security strategy. STO should never be looked upon as an all-encompassing security practice.

2. Implement a replication configuration

Carbonite Server supports multiple replication architectures. The N:1 configuration allows multiple local (often referred to as satellite) directors to replicate to a single primary director. The 1:1 configuration allows a single primary director to replicate to a single, passive secondary director. This ensures that data is available for restore even if one vault is offline or unavailable. It also ensures that a redundant copy of your backup data exists and can be accessed if any compromise to your primary director were to occur. Typically a secondary director will be placed at a separate data center facility, often at a specified DR site. Examples of Carbonite replication configurations are illustrated here.

Since Carbonite Server writes to storage in a proprietary format, if data is corrupted on the primary director, replication (N:1, 1:1 or N:1:1) would fail. If data is corrupted (e.g. disk failure) or changed by a foreign process (e.g. malware) the director would detect the issue, stop replication, and alert the administrator to prevent the push of corrupted data to a secondary director.

Additional steps can be taken to enhance security and further protect the redundant backup data housed on the secondary director, as detailed in the next section.

3. Network separation

It is critical to ensure secure communication with your backup server. One of the best security strategies is to separate your backup network into security zones. Security zones are groups of servers, systems and networks that have similar security requirements. Each zone consists of a single interface or a group of interfaces to which a security policy is applied. These zones are typically separated using a layer-3 device such as a firewall or through virtual local area network (VLAN) segmentation. If configured correctly, VLAN segmentation hinders access to backup environments by limiting packet sniffing across security zone trust boundaries and by limiting broadcast domains.

Using Carbonite Server, this can be accomplished by separating the agents, primary director and secondary director (passive backup server) into separate VLAN segments or security zones. You should then lock down the backup and replication traffic to the specific ports required by Carbonite Server for agent-to-director communications or director-to-director replication. Section 7 discusses port requirements in greater detail. It is recommended that you place the secondary director in a security zone with other disaster recovery equipment if you are performing 1:1 vault replication.

Keep in mind, backup traffic from the agents to the director is always encrypted with AES 256-bit at rest and SSL/TLS in transport. Replication traffic is also encrypted between directors.

4. Update OS and Carbonite Server versioning

Periodic update of the operating system and application software on a server is a crucial step in keeping it safe from security risks. Outdated software versions have typically already been explored for weaknesses and vulnerabilities, leaving them open for attackers to exploit those known weaknesses and vulnerabilities. Keeping everything up to date minimizes the number of vulnerabilities.

Software manufacturers are continually updating versions for new features and efficiencies. However, they are also patching potential security vulnerabilities. Keeping software up to date is a key method for securing your assets, including your backup infrastructure.

The question is how often should you update and upgrade your backup server and agents. Automatic updates are one way to guarantee that no updates are forgotten. However, allowing the system to automatically make such changes on its own also introduces risk. Before you update your backup server or agent, download the release notes and research the update notes for potential impacts. The Carbonite Server portal does have an optional automatic agent update capability. However, many, if not most, administrators prefer a scheduled agent update.

One of the best methods for a solid update/upgrade strategy is to define a scheduled time to periodically review the agents and the server versions (for instance, monthly or quarterly). Download the release notes and evaluate the necessity and required effort of the updates/upgrades. Then define the right date and time to implement.

Verify any installation dependencies before installing software. Make sure you are not adding anything to the system that is unnecessary. Also, determine if any of these dependencies will be auto-started on the director and make sure those auto-starts are required. The best rule of thumb is to not install any software that is not necessary to manage the Carbonite Server backup process.

A word of warning: Do not let your updates/upgrades fall too far behind. Not only will you be easing your way into a less secure environment, but you also risk a more complex upgrade scenario (for instance: a multi-step dependent upgrade) which may require more time and effort.

5. Limit and monitor access

Who has access and the level of privilege they maintain to your backup server needs to be closely monitored. Most security comes down to having responsible people. The backup administrator has access to a vast amount of a company’s data. That individual must be trustworthy and well versed in security policy. Basic steps like a pre-employment background check and review of references can reveal potential issues. Security policy training, reviews and audits are activities the backup administrator should regularly participate in. Periodic operational audits can ensure that all the correct procedures are maintained.

Administrators need to periodically review access to backups. Some common tasks to perform are:

- Look for older unused Admin or user accounts and immediately disable or remove them.
- Review the need for access. Often accounts are created on the fly with more privilege and rights than necessary to perform their appropriate tasks.
- Review any audit logs for unusual access and activity. Report any anomalies or violations to the security manager.

When evaluating backup solutions, verify the backup solution provides the appropriate amount of auditing and security capabilities that are consistent with the company’s security policy requirements.

6. Establish and enforce a password policy

One of the major access risks is weak password enforcement. Weak passwords can be easily acquired through password guessing and brute-force attacks. In order to minimize the risk, there are certain steps that can be taken. These steps should be detailed in a password policy.

The first thing is to set a password policy that must be followed by all members on the server, no exceptions. Some steps to enforce are:

- Root out and correct all empty or default passwords on the server.
- Enforce a minimum password length and complexity.
- Implement a lockout policy that is triggered by a specified number of failed attempts.
- Do not store passwords using reversible encryption.
- Force session timeout for inactivity.
- Enable two-factor authentication.
- Set an expiration date for a password. Monthly or quarterly are typical; however, for higher privileged accounts, setting a faster expiration time may be prudent.
- Use passphrases instead of passwords. Often, they can be just as easy as passwords to remember. For example: I-WantToDrinkBourbonAt1255CenterSt!

The password policy should be required to access the administrative consoles as well as encryption security. Keep in mind, job encryption passwords need to be well planned out and secured. It’s best not to change them, because if they are changed it will require the reseed of the job data.

7. Turn off unnecessary Windows services and ports

It’s simple math: More employed services will require more access and more open port traffic. Increase the backup server security by reducing the attack surface area. To reduce the attack surface area, software installed and maintained should consist of only the bare minimum necessary to maintain requirements and keep the application and server running. Only enable the network ports used by the OS and required by Carbonite Server application components. The less you have on the system, the better. Here’s a list of Carbonite Server ports:

Agent Port              Communication               Protocol
Outbound: 8086, 8087    To Portal                   TCP
Outbound: 2546          To vault                    TCP
Outbound: 2548, 8031    To Windows CentralControl   TCP (optional)
807, 2547, 12547        Vault Replication - 1:1     TCP (only if replicating)
807, 2547, 12547        Vault Replication - N:1     TCP (only if replicating)

A Windows OS server should only have the services required to maintain that backup application. For instance, it is unlikely that the Carbonite Server director will require the Bluetooth Support Service (bthserv) to maintain the backup application. Please refer to Microsoft support documentation for a full list of services and their purpose. Also, several security publications exist regarding the process of hardening Windows Server configurations. You may wish to research them, especially if your organization falls under compliance or regulatory mandates. A few useful guides that provide information on this topic but are beyond the scope of this document are listed below:

- NIST Special Publication 800-123 - Guide to General Server Security
- CIS Benchmarks - Securing Microsoft Windows Server
- Microsoft - Windows security baselines
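The following PowerShell script is an added example, not Carbonite's own tooling or part of this paper: it puts sections 5 through 7 into practice on a self-built director by scoping the firewall to the ports in the table above, flagging exposed RDP and the bthserv service, listing stale or never-expiring local accounts, and applying a lockout/expiry policy. The address ranges, the 90-day threshold, and the assumption that 2546 (agents) and 807/2547/12547 (peer director) are the director's only required inbound listeners are mine, not values from the paper.

```powershell
param([switch]$Enforce)   # without -Enforce the script only reports

# Placeholders for your own environment (constructed values, not from the paper).
$AgentZone    = '10.10.20.0/24'   # security zone holding the protected servers / agents
$PeerDirector = '10.10.30.5'      # secondary director used for 1:1 or N:1 replication
$StaleDays    = 90                # accounts unused this long get flagged (section 5)

# --- Sections 3 and 7: inbound firewall scoped to the Carbonite Server ports.
# Assumption: the director listens on 2546 for agents and on 807, 2547, 12547 for
# the peer director; everything else inbound stays closed by the default policy.
$Rules = @(
    @{ Name = 'Carbonite agent-to-vault';       Port = 2546;           Remote = $AgentZone },
    @{ Name = 'Carbonite director replication'; Port = 807,2547,12547; Remote = $PeerDirector }
)
foreach ($r in $Rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        Write-Warning "Missing inbound rule: $($r.Name)"
        if ($Enforce) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow | Out-Null
        }
    }
}
# Any enabled inbound rule that opens 3389 to every address is the exposure the paper warns about.
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
    if (($rule | Get-NetFirewallPortFilter).LocalPort -contains '3389' -and
        ($rule | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any') {
        Write-Warning "RDP (3389) reachable from any address via rule '$($rule.DisplayName)'"
    }
}
# RDP itself: fDenyTSConnections = 1 turns the listener off at the OS level.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty $ts).fDenyTSConnections -ne 1) {
    Write-Warning 'RDP is enabled on this director'
    if ($Enforce) { Set-ItemProperty $ts -Name fDenyTSConnections -Value 1 }
}

# --- Section 7: services the director does not need (the paper's bthserv example).
foreach ($svc in @('bthserv')) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -ne 'Disabled') {
        Write-Warning "Service $svc is $($s.StartType); not required for the director"
        if ($Enforce) { Stop-Service -Name $svc -Force; Set-Service -Name $svc -StartupType Disabled }
    }
}

# --- Section 5: enabled local accounts that are unused, or whose password never expires.
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    if ($_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-$StaleDays)) {
        Write-Warning "$($_.Name): last logon $($_.LastLogon), review or disable"
    }
    if (-not $_.PasswordExpires) { Write-Warning "$($_.Name): password never expires" }
}

# --- Section 6: local password length, expiry and lockout policy. Complexity is a
# Local Security Policy setting (secedit) and cannot be set through net accounts.
net accounts
if ($Enforce) { net accounts /minpwlen:14 /maxpwage:90 /lockoutthreshold:5 /lockoutduration:30 }
```

Run it first without -Enforce to review the findings, then again with -Enforce from an elevated session on the director.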

If possible, disable Remote Desktop Protocol (RDP) on the Carbonite Server director. If remote access is required, look at methods for locking down RDP. Always make sure to only allow RDP access when combined with VPN access. You should never expose port 3389 directly.

When you purchase an appliance from Carbonite or implement an appliance using Carbonite professional services, much of this work is done for you up front. However, Carbonite provides the option for customers to provide their own server hardware, as long as it meets the backup workload requirements. Therefore, our customers will often implement and configure their own backup server(s). If this is the case, there are certain steps and considerations regarding which Windows services are necessary.

8. Test your backups

It’s essential to periodically test your backups. However, the process for testing backups and Disaster Recovery (DR) can often dictate the results. A successful result can often be misleading. When testing the backup recovery or DR procedure, a few general rules of thumb include:

- Test with real data. Don’t create a special backup as a recovery demonstration. Randomly select safe set data from historical backups.
- Spot check file system backups. Since most recoveries are single file or folder recoveries, perform multiple recoveries from different point-in-time backup safe sets. Set a minimum of at least three recoveries for three separate backups. It’s also recommended to select separate or multiple server backups to recover from.
- Test full system recovery via a Bare Metal Recovery (BMR). Verify that all applications and their associated data are correctly operating as expected after the recovery.
- Document your results, including:
  - Data size
  - Recovery time
  - Any recovery issues
  - Any work-around steps required
- Incorporate the results into your DR plan.

Summary

Carbonite Server, whether it is deployed as an on-premises or cloud backup solution, provides many options and features to secure your data. Carbonite is committed to the security of your data, exemplified by our approach to security within our cloud service offering. For more information on our own internal procedures, read this datasheet. However, when deploying any hardware or software solution on-premises, it is important to secure the infrastructure that supports it.

[1] 2020 Webroot Threat Report
[2] Based on Webroot’s internal testing

Contact us to learn more - Carbonite US
Phone: 877-542-8637
Email: carb-data protection sales@opentext.com

About Carbonite and Webroot

Carbonite and Webroot, OpenText companies, harness the cloud and artificial intelligence to provide comprehensive cyber resilience solutions for businesses, individuals, and managed service providers. Cyber resilience means being able to stay up and running, even in the face of cyberattacks and data loss. That’s why we’ve combined forces to provide endpoint protection, network protection, security awareness training, and data backup and disaster recovery solutions, as well as threat intelligence services used by market leading technology providers worldwide. Leveraging the power of machine learning to protect millions of businesses and individuals, we secure the connected world. Carbonite and Webroot operate globally across North America, Europe, Australia, and Asia. Discover cyber resilience at carbonite.com and webroot.com.

2020 Open Text. All rights reserved. OpenText, Carbonite, and Webroot are each trademarks of Open Text or its subsidiaries. All other trademarks are the properties of their respective owners. WP 1111205
