Delayed ransomware
Message
From: 09/08/2018 03:27:29
To: 08/08/2018 16:32:19
General information
Forum: Visual FoxPro
Category: Other
Environment versions
Visual FoxPro: VFP 9 SP2
OS: Windows Server 2012 R2
Network: Windows Server 2012 R2
Database: Visual FoxPro
Application: Desktop
Virtual environment: VMWare
Miscellaneous
Thread ID: 01661495
Message ID: 01661512
Views: 60
In my opinion, there should be a separate cycle that rotates one monthly backup over one year. This way you can go back to any month up to one year back. You need an additional 12 tapes, which are taken at the end of each month and are recycled the following year, so you just label them with the name of the month.

Besides that you can have a yearly backup that never rotates, so an additional 12 tapes for the last 12 years.

>Hi Al,
>
>Thanks for all the comments. This customer is 50 employees. Big enough to want to address issues like this but not large enough to have dedicated security staff. Their IT guy knows a fair bit but sometimes I think there are gaps in their strategy. I used to be more or less their IT manager until about 5 years ago (was on contract with them). I think they need to address the fact that their backups only go out 8 weeks and I have heard reports of ransomware not activating until longer than this. I would either like to see them extend it further (to 6 mos) or even better, go back to tape. The reason for tape is not just for the ransomware but for general archiving. They used to have this when I was there but they moved to a backup device (Sonicwall) which has been great but now discontinued. They have not replaced it because about 99% of their data seems well covered off by other means (all email is journalled to a Barracuda cloud repository and most of their documents [customer related] are stored in a documents repository that has strict settings for deletion - and it is backed up in its entirety - and can only be restored in its entirety).
>
>But even with those, we have the ransomware threat. On top of that, there is a small (comparatively) smattering of documents that do not get archived - some in their accounting department, some in marketing. And in the past 5 years, having some old tapes from 10 - 15 years ago has saved their bacon on a couple of court cases. These are cases where someone claims something about their payments after many years. In both cases, there were some odd documents that I found that showed conclusively that the company had done everything correctly and was not at fault. They are under no regulatory requirement to keep these documents, but it saved them a lot of money.
>
>So I would like to see things improved to protect their data both for ransomware and also for archiving. I have got buy-in from one of the partners for the archiving as he was the one involved in the last 2 court cases where I was able to get very old documents off of tape. I also need to make the case though that their whole-server images should go out further or should be sent to a cloud repository (although I have wondered how long it takes to download a large image - to be determined).
>
>As far as their backups (Veeam) being protected enough: typically a client machine gets infected, and this would be the case for the average user who has limited rights. But if their IT person or help desk person gets infected, they have elevated rights to the servers (which I would also like to change), and the Veeam setup was done with their general-purpose domain administrator account, which is used for all kinds of services (which I also do not like and am trying to get changed). If someone were able to get the admin password, they could get to the backups - what I consider the "crown jewels" of the enterprise. I have heard that the smarter ransomware first goes out and tries to find backups before starting the encryption process.
>
>So I would rather have a 6 month old copy of their backups than none at all (although I am not sure how well Active Directory would react to being restored when 6 months old - maybe you somehow have to sandbox it with a back date and then bring the date forward before starting to rebuild the domain).
>
>It's too bad their Sonicwall device is at end of life. It does do versioning, but it has the limitation that you cannot restore directories to a point in time. I know of another law firm that got infected and their IT guy spent days restoring one file at a time - picking the version just before the infection. He told me he literally spent 2 days (and nights) at their office restoring files so they could work. And I have now been bitten a bit by these device boxes - one of their two boxes has died, I cannot fix it, and there is no support. For tape, there are tape restoration companies that will do it for a fee - and they seem to have all the major software vendors' versions in their tool belt.
>
>Anyhow, thanks for the comments. Will go through them before the meeting. Oh, and BTW, they do do employee training against phishing etc. They use software from KnowBe4.com. Good stuff.
>
>Albert
>
>
>>As I understand it, some malware waits in order to try to encrypt backups as well as on-line production files. This is risky for the malware; the longer it's present but inactive, the greater the chance it will be detected.
>>
>>This is only an issue if the ransomware is able to encrypt backups. Some comments in no particular order:
>>
>>1. The most likely entry point for ransomware is a networked workstation, not a server. Workstations typically can't see backup drives on server(s). Ransomware on a workstation can encrypt any files it can access on file shares but that's it.
>>
>>2. Assuming it can spread and infect and run locally on the server, it's still not a given that a ransomware process on the server can see the backup drives. In some cases, such as Windows Server Backup, it's possible to "dedicate" a drive for backup, which is then not visible in File Explorer etc. You should ask the backup software vendor how vulnerable the backup media are to a ransomware attack.
>>
>>3. Some server-grade antivirus has ransomware protection which heuristically monitors the file system for ransomware-like activity.
>>
>>4. Running a verify after a backup can give some peace of mind.
>>
>>5. It's theoretically possible for ransomware to install itself as a file system driver. This would transparently encrypt and decrypt on the fly until the shutoff date was reached. This would be dangerous, as everything would seem to be A-OK until the attacker pulled the plug (including, for example, verified backups). I haven't heard any reports of instances of this type. I believe it would require admin access on a server to install such a driver, in which case there are likely to be bigger issues.
>>
>>6. As I understand it most ransomware just encrypts any files it can access. Some smart types may start with old files not recently accessed and encrypt new/active ones last, in an attempt to not be noticed as long as possible. That's the most likely threat, not being noticed for a long time, because that can taint backups.
>>
>>Mitigation 1: find out how many extra backup media would be needed to implement another layer in the child/father/grandfather/great-grandfather scheme. It may not be too hard to push that back to 6 months or a year's worth of backups.
>>
>>Mitigation 2: Some backup systems allow for unlimited file versioning. With systems like that, even if all files are encrypted, versions prior to encryption are still available to be restored.
>>
>>I see you've been asking some security-related questions lately. How big a company is this? I would think large companies would have dedicated IT security. I'd suggest for small firms, not to necessarily fixate on tech, but to also address other issues such as phished or rogue employees, BYOD etc. I'd be careful about offering a "secure" solution - I would make very clear which aspects were addressed and which were not.
Christian Isberner
Software Consultant
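Added example, not code from the thread: a small Python model of the rotation discussed above, comparing the customer's current 8-week window with the scheme that adds 12 monthly and 12 yearly tapes, and checking whether a clean restore point survives when ransomware sat dormant for longer than the retention window before encrypting. The tier counts, the choice of Friday and month-end as tape days, and the dates are assumptions.

```python
from datetime import date, timedelta
import calendar

# Assumed rotation policies: how many tapes each tier keeps before reuse.
# The thread's proposal: 12 monthly tapes (one year) plus 12 yearly tapes.
PROPOSED_POLICY = {"daily": 7, "weekly": 8, "monthly": 12, "yearly": 12}
# The customer's current scheme: backups only reach back about 8 weeks.
CURRENT_POLICY = {"daily": 7, "weekly": 8}


def qualifies(d, tier):
    """Does a nightly backup taken on day d go onto this tier's tape? (assumed calendar)"""
    month_end = d.day == calendar.monthrange(d.year, d.month)[1]
    return {
        "daily": True,
        "weekly": d.weekday() == 4,          # Friday tape
        "monthly": month_end,                # end-of-month tape, labelled by month
        "yearly": d.month == 12 and d.day == 31,
    }[tier]


def retained_backups(today, policy):
    """Dates whose backup is still on a tape as of `today`, assuming one full backup
    every night and that each tier overwrites its oldest tape once `count` are in use."""
    kept = set()
    for tier, count in policy.items():
        d, found = today, 0
        while found < count:
            if qualifies(d, tier):
                kept.add(d)
                found += 1
            d -= timedelta(days=1)
    return kept


def newest_clean_backup(today, infection_date, policy):
    """Newest retained backup taken before the malware arrived (so not yet tainted),
    or None when every surviving tape was written after the infection."""
    clean = [d for d in retained_backups(today, policy) if d < infection_date]
    return max(clean) if clean else None


if __name__ == "__main__":
    today = date(2018, 8, 8)               # the thread's date (assumed)
    infected = date(2018, 5, 1)            # dormant for ~14 weeks before triggering
    for name, policy in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY)):
        oldest = min(retained_backups(today, policy))
        print(f"{name:8s} oldest tape {oldest}  clean restore point: "
              f"{newest_clean_backup(today, infected, policy)}")
```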