Building a malware-proof backup system


There’s no magic way to protect your data against online threats, so a strong backup strategy is a vital last line of defence. We explain the options.

There are several things you can do to minimise the risk that one of your systems will be compromised by malware.

First of all, keep operating systems and applications up to date. A vulnerability that has been eliminated from your systems is a vulnerability that can't be used against you. Remove applications and add-ons that you don't need (Flash is often mentioned in this context) for the same reason.

Secondly, ensure that you and your colleagues or employees are on guard. That means, for example, steering clear of the seedier side of the web (though mainstream sites have been known to deliver malware thanks to advertising networks that don't do enough to screen their clients' content), and being extremely suspicious of links in emails – especially where the URLs don't match (for example, if an email supposedly from Telstra links to or similar).

This even applies to emails apparently from people or organisations you do business with, or even from within your own organisation, regardless of whether the content of the message seems genuine. If there's the slightest concern, talk directly to the sender (not by replying to the message itself) to confirm its authenticity. Some large organisations periodically send randomly selected employees emails designed to tempt them into clicking embedded links; anyone who falls for it is given a refresher course in security basics.

Attachments should be treated with similar suspicion.

Thirdly, technical measures can reduce the amount of malicious traffic that reaches your people. Email filtering services can stop many malicious links and attachments before they arrive, security software can block access to known-bad sites and detect much malware before it runs on the computer, and firewalls provide an additional layer of protection.

Yes, this is the same old advice – we’ve provided this and other preventative advice previously – but people are still being caught out by the criminal fraternity.

Which backup solution?

Despite all your efforts, malware may find a way through your defences. If even the likes of the US Federal Reserve, LinkedIn and CabCharge (among many others) aren't safe from attacks, it's clear that we all need to prepare for the worst.

Some types of malware can be cleaned up fairly easily, but there's always a risk that some files may be lost or damaged. And the whole idea of ransomware is to encrypt at least a subset of your files, making them unusable until the ransom is paid.

Even if you're dealing with 'honest criminals' who intend to deliver the decryption key on receipt of your funds, there's always a risk that something will go wrong (their server may get shut down before your 'transaction' is processed, for example), leaving your files unrecoverable.

Continuous backup

So you really need a good backup system. The problem is that if it isn't completely automatic, sooner or later the required manual action won't occur. The person responsible will be too busy, distracted, away (and didn't delegate) or something similar. OS X's Time Machine is a good example of how an automatic system should work – once set up, it backs up new or changed files every hour. Something generally similar is available for other operating systems.

The problem is that because the destination disk stays connected to the computer, anything running on that computer with the user's privileges, ransomware included, can read and overwrite the backup files just as easily as the originals. If you disconnect the drive after each backup, the next backup can't run until it is reconnected, and that means human intervention, which may not occur.

So while this kind of almost continuous backup is a good starting point, it isn't enough. You also need a backup that's only connected during the backup and restore processes.

Disk cloning

One way is to regularly make a complete copy of the computer's hard drive using disk cloning software such as Macrium Reflect (which offers a free version), and then disconnect the clone drive until it is next needed. A disconnected drive is out of malware's reach, but a clone taken after the infection is itself infected, so this only helps if you use a set of drives in rotation and detect the malware before the oldest good clone is overwritten.

Cloning with Macrium Reflect

Other advantages of cloning are that it is one of the quickest ways to completely recover a badly corrupted system, and it is a convenient way of maintaining a complete off-site backup by taking the drives home or keeping them in another separate location.

But because you're probably cloning daily or weekly, the most recent clone may not be particularly fresh, so there will probably be more work needed to recreate the newest data (assuming that's possible at all).

Hidden destinations

So you probably want another way to recover at least your most important and frequently-changing files after malware strikes – one where the destination isn't visible to malware, or that works to protect and retain older versions of files.

Various tools fall into the former category. What they have in common is that they talk to the destination through the service's own API rather than through a mounted drive, so the backup never appears as a drive letter or folder that ransomware running on the computer can enumerate and encrypt. Examples include Arq (Windows and OS X; backs up to Amazon S3 among other destinations) and Duplicati (Windows, OS X and Linux; also backs up to Amazon S3 and others).

Protecting a backup with Duplicati

But be aware that such programs may also offer options that do mount the destination as a network drive. There's nothing inherently wrong with that, but if you use those options the destination becomes visible to anything running on the computer and you lose the protection against ransomware.

Online backup services

Mozy and other online backup services also work without mounting a drive; Mozy, for example, keeps old versions of files for up to 90 days.

File syncing services can play a part too. Dropbox, for example, keeps old versions of files for 30 days, or indefinitely with a Dropbox Business account (or if you pay extra for extended version history with Dropbox Pro). That may allow you to recover files as they were before they were encrypted by ransomware or damaged by other malware.

Restoring a previous version from Dropbox

The Dropbox folder on a ransomware-infected computer will most likely be encrypted – what protects you from disaster is access to the older versions of files retained by the service.
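The two destination designs contrasted above (an always-attached disk versus an API-style, version-retaining destination such as Arq, Duplicati or Dropbox's previous versions) can be modelled in a few dozen lines. The script below is an added example written for this article; it is not code from any of the products named, and the document contents, day numbers and "encryption" (a byte XOR) are constructed stand-ins so it runs offline. It also shows the retention arithmetic behind the disk-cloning advice: a clean copy only survives if the infection is detected before the retention window (30 days of Dropbox history, or the number of clone drives times the rotation interval) has rolled over it.

```python
"""Added example (not code from the BIT article or from any product it
names).  Models the two backup-destination designs the article contrasts:

  * a backup disk that stays attached, which the computer writes to
    directly, so ransomware running on it can overwrite the backups too;
  * an API-style destination (the Arq/Duplicati/Dropbox model) that only
    accepts new versions and keeps old ones for a retention window.

File contents, day numbers and the 'encryption' are constructed stand-ins
so the script runs offline.  Time is counted in whole days.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PATH = "docs/invoices.txt"
ORIGINAL = b"Q3 invoices - do not lose"  # constructed sample document


def fake_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for ransomware encryption (a byte XOR, not real crypto)."""
    return bytes(b ^ key for b in data)


@dataclass
class MountedDestination:
    """Always-attached disk: one overwritable copy per path, no history."""
    files: dict[str, bytes] = field(default_factory=dict)

    def backup(self, path: str, data: bytes, day: int) -> None:
        self.files[path] = data

    def reachable_by_malware(self) -> dict[str, bytes]:
        return self.files  # a visible volume: malware can rewrite it in place

    def restore(self, path: str, as_of_day: int) -> bytes | None:
        return self.files.get(path)  # no history, so as_of_day is meaningless


@dataclass
class VersionedDestination:
    """Destination reached through a backup API: every backup appends a
    (day, content) version, nothing is rewritten in place, and versions are
    dropped only once they are older than retention_days."""
    retention_days: int
    versions: dict[str, list[tuple[int, bytes]]] = field(default_factory=dict)

    def backup(self, path: str, data: bytes, day: int) -> None:
        self.versions.setdefault(path, []).append((day, data))
        self._expire(day)

    def _expire(self, today: int) -> None:
        for path, vs in self.versions.items():
            fresh = [v for v in vs if today - v[0] <= self.retention_days]
            self.versions[path] = fresh or vs[-1:]  # never drop the newest copy

    def reachable_by_malware(self) -> dict[str, bytes]:
        return {}  # not mounted: nothing for malware to enumerate or overwrite

    def restore(self, path: str, as_of_day: int) -> bytes | None:
        """Point-in-time restore: newest version written on or before as_of_day."""
        older = [data for day, data in self.versions.get(path, []) if day <= as_of_day]
        return older[-1] if older else None


def simulate(dest, infection_day: int, detection_day: int) -> bool:
    """Back up one document daily.  On infection_day ransomware encrypts the
    local copy and every backup file it can reach; later backups faithfully
    copy the ciphertext.  On detection_day the admin restores the document
    as it was the day before infection.  Returns True if that succeeds."""
    local = ORIGINAL
    for day in range(detection_day + 1):
        if day == infection_day:
            local = fake_encrypt(local)
            reachable = dest.reachable_by_malware()
            for p in list(reachable):
                reachable[p] = fake_encrypt(reachable[p])
        dest.backup(PATH, local, day)
    return dest.restore(PATH, as_of_day=infection_day - 1) == ORIGINAL


def last_safe_detection_day(retention_days: int, infection_day: int) -> int:
    """With daily backups the last clean version is from infection_day - 1 and
    survives until it is retention_days old.  The same arithmetic applies to
    a clone rotation, where retention = number of drives x rotation interval."""
    return infection_day - 1 + retention_days


if __name__ == "__main__":
    print("mounted disk, detected 10 days later:",
          simulate(MountedDestination(), infection_day=10, detection_day=20))
    print("versioned, 30-day retention, detected 10 days later:",
          simulate(VersionedDestination(30), infection_day=10, detection_day=20))
    print("versioned, 30-day retention, detected 35 days later:",
          simulate(VersionedDestination(30), infection_day=10, detection_day=45))
```

The mounted disk loses the document outright because the ransomware rewrites the backup copy in place; the versioned destination recovers it as long as detection happens by day 39 (infection on day 10 plus a 30-day window), and fails on day 40 once the last clean version has expired. One caveat the model leaves out: a real backup tool stores credentials for its API destination on the computer, so a service that lets those credentials delete or purge old versions gives malware a way in after all. What actually protects you is retention enforced on the service side (versioning that the client cannot disable, or credentials limited to adding data), which is worth confirming with whichever service you choose.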

Either of these cloud-based approaches also provides off-site copies in the event a fire or other disaster strikes your premises.

Whichever combination of methods you select, monitor the processes to ensure backups are actually running on schedule, and periodically test that you can restore files from them. You don't want to run into a malware problem and then discover that nothing has been backed up for a month, or that some other issue makes the backup impossible to restore.
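Monitoring means more than glancing at the last log line: a job that fails once and is then quietly skipped for several nights looks healthy until you measure the gaps. The audit below is an added example written for this article, not part of any backup product; its log format is constructed for the demonstration (adapt the `LOG_LINE` pattern to whatever your tool writes), and the `nightly` job, dates and file counts are made-up sample data.

```python
"""Added example (not from the BIT article): a freshness audit over a backup
job's log.  The log format below is constructed for this example; adapt
LOG_LINE to whatever your backup tool actually writes."""
import re
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) backup job=(?P<job>\S+) "
    r"status=(?P<status>OK|FAIL)"
)

# Constructed sample: a nightly job that failed once and was then silently
# skipped for several nights (a disconnected drive, a machine left off...).
SAMPLE_LOG = """\
2024-03-01 02:00:07 backup job=nightly status=OK files=1204
2024-03-02 02:00:12 backup job=nightly status=OK files=1210
2024-03-03 02:00:09 backup job=nightly status=FAIL error="destination unreachable"
2024-03-04 02:00:10 backup job=nightly status=OK files=1222
2024-03-07 02:00:05 backup job=nightly status=OK files=1250
"""


def audit_backup_log(text: str, expected_interval: timedelta, now: datetime,
                     slack: timedelta = timedelta(hours=1)) -> dict:
    """Return the last successful run, every failed run, every gap between
    successes longer than expected_interval (plus slack for scheduling
    jitter), and whether the newest success is already too old as of now."""
    successes, failures = [], []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        (successes if m["status"] == "OK" else failures).append(ts)
    limit = expected_interval + slack
    gaps = [(a, b) for a, b in zip(successes, successes[1:]) if b - a > limit]
    last = successes[-1] if successes else None
    stale = last is None or now - last > limit
    return {"last_success": last, "failures": failures, "gaps": gaps, "stale": stale}


if __name__ == "__main__":
    report = audit_backup_log(SAMPLE_LOG, timedelta(days=1),
                              now=datetime(2024, 3, 12, 9, 0))
    print("last successful backup:", report["last_success"])
    print("failed runs:", len(report["failures"]))
    for a, b in report["gaps"]:
        print(f"gap: no successful backup between {a} and {b}")
    print("STALE: raise an alert" if report["stale"] else "fresh")
```

Run against the sample as of 12 March, the audit reports one failed run, two gaps (2 to 4 March and 4 to 7 March) and a stale state, since the newest success is five days old against a one-day schedule. A passing audit only proves the job ran; it says nothing about whether the data can be restored, which is why the periodic restore test in the paragraph above is a separate check.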

Copyright © BIT (Business IT). All rights reserved.
