Description

The purpose of this document is to highlight several information points and related links regarding Ransomware.

Summary:

There are six areas of consideration, each covering avenues of protection and ways to increase your data protection and maintaining data integrity.  

1. Version Management

The best way to limit potential access is to keep current with all versions of both the NetBackup version, but also keep current with the patch level of related appliances and end points within your enterprise deployment

•  Reduce vulnerability exposure by staying current with security patches and releases that contain security updates.
•  Monitor Veritas Technical Alerts by visiting the Veritas Support website or Veritas Services and Operations Readiness Tools (SORT)

2. Data Encryption

It is recommended that you use and deploy a network infrastructure that includes planning and implementation for encryption both "at rest" and "in transit".

• Implement in-transit encryption to protect your data from being compromised within the network.
• Implement at-rest encryption to prevent ransomware or bad actors from stealing your data and threatening to make it public or take other malicious actions

3.  Identity and Access Management

For NetBackup we highly recommend that you use RBAC - Role Based Access Control to provide more detailed auditing and trackable access use information.  It is also recommended to implement similar auditing in your enterprise environment -- with least access use for tighter security.

• Require users to log in with their own credentials.
• Implement role-based access control (RBAC) and two-factor authentication to limit access to only required functionality for each persona and prevent account takeover from using a single credential.
• Change built-in generic user IDs and passwords, including the host ‘admin’, ‘maintenance’, RMM ‘sysadmin’ and ‘nbasecadmin’ accounts

4. Configuration

Network and infrastructure planning, if implemented securely can provide another wall of defense to limit unwanted or warranted access to your backup appliances and storage devices.

• Follow security implementation guides.
• Harden your environment by restricting ports and processes by enabling firewalls.
• Update the default Primary Catalog backup policy.
• Set up a backup policy for the NetBackup Key Management Server (KMS)

5. Immutable Storage 

• Prevent ransomware from encrypting or deleting backups using immutable and indelible storage technology

6. Deployment

• Adopt the “3-2-1” best practice approach of backing up data recommended by the U.S. Cybersecurity and Infrastructure Security Agency: keep three copies of data on two different media types, with one off-site.
• Use Auto Image Replication (AIR) technology to replicate to other domains

Summary:

Once you have your strategy in place, it’s vital to periodically test and rehearse. Not only will this practice help shorten threat response times and minimize the impact of an attack, the enhanced visibility will help you identify problems areas to resolve and improve. Your resiliency plan is only as good as your last test, so rehearsing and regularly revising your strategy is recommended.

Additional information is available at the locations below, which cover additional protection information in detail:

https://www.veritas.com/en/uk/form/whitepaper/ransomware-protection-with-nbu

https://www.veritas.com/en/uk/protection/netbackup/ransomware-solution

https://www.veritas.com/defy/ransomware