The notion that a 200 million USD company would rely on a home-grown backup system to store other people’s sensitive data is mind-boggling, to say the least! And yet, it appears that the password management app LastPass did precisely just that. The result? They were hacked, and a backup copy of their customer database was stolen.
This is just the latest example of a hack that could have been prevented had the organization not been using its own backup system.
Let’s take a closer look at how home-grown backup systems are developed, and why they leave systems vulnerable to hacking.
Creating a Home-Grown Backup
On the surface, backups sound simple – copy data from one place to another and have some versioning in place so that you can restore older files.
With modern-day cloud storage and bandwidth, it seems that all you need is to write a shell script. Of course, the cloud storage has some security, so you’d need the shell script to authenticate itself – something that can be accomplished by simply hardcoding a username and password into the script. Now the backup system will run by itself round-the-clock and copy your valuable data to a secure space in the cloud. What could possibly go wrong?
How it Goes Wrong
Consider this scenario – your development environment has been compromised by the hack of another service your organization uses. The hackers were able to access your computing environment for a few days without the breach being detected. The quick fix to this problem? Changing all your passwords.
But what about your home-grown backup script? What if the hacker was able to scan the network, find and read your backup script, and scrape the username and password from it? Even if you changed the password and updated the script, they’d be able to find it and read it. They would then be able to log into your cloud account as you and download backups of any data they want, such as your customer database.
Of course, ideally, such data should be encrypted. But the hard reality is that sometimes it simply isn’t.
This scenario above outlines how a hacker was able to access LastPass’s customer information. While the passwords and account names stored in the password vault were encrypted, a lot of other information was not.
The Need for Professional Backup and Recovery
The LastPass hack highlights the dangers of relying on a home-grown backup system. To truly ensure that their backups are secure, organizations need to use a professional cyber defense and recovery system. In fact, they need to ‘shift left’ and think not just in terms of data protection, but in terms of data resiliency. Data resiliency is about more than just creating a copy of data – it’s about proactively safeguarding your systems against new threats and making sure that your organization is always ready to recover quickly after an attack.
Implementing a data resiliency solution ensures that your data is both protected and recoverable, through backup and protection, replication, and disaster recovery. This is in the face of both ‘traditional’ threats (such as user error, system failure, site disaster) and next-gen threats (such as ransomware, supply chain attacks, insider threats).
Armed with such a data resiliency solution, you would no longer need to hardcode username and passwords in a backup script. So even if a hacker gained access to your data center for weeks, they wouldn’t be able to find anything that would help them penetrate your backups. Your backups would be stored offsite, encrypted, air-gapped and under separate management.
Sounds much more secure, right?
Organizational Credibility at Stake
Incidents like the LastPass hack are a cautionary tale for all of us, and a disaster for the organizations involved. Poor data security and resilience practices have collectively cost businesses billions of dollars in lost revenue every year, as well as reputation damage, ransom payments and data recovery organizations. Customers, and other stakeholders, increasingly judge companies based on how well they handle and can recover from such attacks.
In such a scenario, companies cannot afford to rely on home-grown backup systems. They need to make data security & resiliency a top priority and invest in robust solutions that guarantee the safety of their sensitive data, and even more importantly, that of their customers.
By W. Curtis Preston, Chief Technology Evangelist, Druva