"In my day," desktop computers saved their files to a server. That server would get backed up daily. The backup tapes/drives would be stored offline and rotated to an offsite location. (Back then you were more concerned about the building burning down than a ransomware attack.) The same would be true for any apps running on servers; their data/databases would be backed up daily and the tapes/drives used for backup would be stored elsewhere.
What is this old guy missing? If a process like this were in place, nearly all of their data would be intact. Yes, it will take some time to do a full restore and you will be missing some amount of data that was created since the last backup. But it's survivable in many cases. And you're not negotiating with criminals.
The bigger issue is that nowadays organizations have lots of interdependent systems, and if you seize the data of one, you basically cripple the entire organization. So for each system you need to institutionally require both backups and backup testing procedures, which is easier said than done.
Plus, you may want to determine the exact time at which you were compromised, or else you'll be restoring potentially tainted backups. Depending on how well you're organized that alone will take quite some time, especially considering that your logs may be encrypted as well. Sometimes you don't even know how to contact everyone, because your comms are down, too.
Sure, if you do everything right and adhere to all the best practices, it won't be that big of an issue. Just don't forget about the amount of legacy crap and budget constraints many orgs have to deal with. That comes with many pitfalls and a lot of opportunities to make a mistake.
We’re using their immutable storage option, with a 60-day window with multiple rotation intervals, and just biting the bullet on the cost of cold storage vs archival because of how slow tape is.
I could definitely see a larger entity having significantly more data and the restoration process can’t even start until they finish triage. No point in restoring until you know the source of the intrusion or at least have a plan to prevent it from recurring.
If your ransomware stays resident in your systems for 6 months, any backup you recover from ends up being infected and can potentially be considered useless to restore from unless you're very careful in how and what you restore from.
[0] https://www.nbcbayarea.com/news/local/san-francisco-paying-1...
People like that and the associated competence level are rolling out the red carpet.
I completely understand that somebody does not want to upgrade into the warp-abyss-abomination of modern Windows, especially if hugely expensive software was written once that needs backwards compatibility or contains sensitive data. You cannot use Windows if you work for anything with sensitive data.
In today's world the legacy is the good stuff. It just needs protection.
Why does it matter anyway? With both Intel and AMD running processors independent of your machine, there's really no way to keep anything secure unless you use a machine that's over 20 years old.
> there's really no way to keep anything secure unless you use a machine that's over 20 years old.
This is nonsense. Security isn't a binary thing, and even if it was, you're still vulnerable to wrench-ops. If your threat model is that you suspect your processor manufacturer has backdoored your CPU, you'd better be running your own fab, air gapping your machines, and desoldering input ports.
Meanwhile for probably 95% of people and businesses out there, keeping windows up to date, 2FA required, encryption in transit and at rest, and regular tested backups is enough.
This isn't a Windows vs Linux vs Solaris vs BSD issue, this is a "did I manage and configure ACLs, RBAC, GPO, and other security features correctly" issue.
For example, I've had customers with RHEL 6.x environments that still got hit because they wrote a security group that allows all traffic from all ports from 0.0.0.0/0 (aka everywhere).
Security issues always come down to misconfigurations and the lack of best practices in my experience. In that regard, the MS suite is actually superior to Linux because if you need a Security Solution Partner, Microsoft Professional Services is infinitely more competent than the largest Linux solution partner right now (IBM).
The big thing that Microsoft and Windows have against them is the crapshow that is all that they include on a standard installation. That said, from what I'm seeing, this is not really unique to Windows anymore. Seems everyone wants everything on the machine.
So, yes, it is theoretically possible to set up all access rules correctly. But it is essentially a lines-of-code problem at this point. Given a mountain of things to set up, you will make a mistake somewhere.
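The "all traffic from 0.0.0.0/0" rule mentioned in the comment above is easy to catch mechanically. The following audit function is an added example, not code from the thread; it assumes an AWS-style security-group layout (IpPermissions with IpProtocol, FromPort/ToPort and IpRanges) and runs over a constructed sample that includes that exact misconfiguration.

```python
"""Flag security-group ingress rules reachable from the whole Internet.

Added example (not from the thread). Assumes the AWS describe-security-groups
shape: IpProtocol "-1" means every protocol and port; FromPort/ToPort are
omitted in that case. Sample data below is constructed for illustration.
"""
import ipaddress

# Constructed sample: the first group reproduces the "all traffic from
# 0.0.0.0/0" rule described in the comment; the second is a typical web host.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-open",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]


def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 space (prefix /0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(perm):
    """Return the (low, high) port range; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_security_groups(groups):
    """Return one finding per ingress rule whose source is the whole Internet.

    Every-port exposure is 'critical'; a single world-open service is reported
    as 'warning' so a reviewer can decide whether it is intended (e.g. 443).
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            lo, hi = port_span(perm)
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            for rng in ranges:
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if not cidr or not is_world_open(cidr):
                    continue  # private or specific source: not a world-open rule
                severity = "critical" if (lo, hi) == (0, 65535) else "warning"
                findings.append({"group": group["GroupId"], "cidr": cidr,
                                 "protocol": perm.get("IpProtocol"),
                                 "ports": (lo, hi), "severity": severity})
    return findings
```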
It's important to remember that 'state of emergency' is less of a 'everybody stop and listen to this' than a legal circuit breaker that allows the signing of checks and assignment of tasks without being bound by the normal web of procedure and contractual obligation. We tend to imagine (in popular culture) the executive aspects of government as being somewhat by fiat, but much of the time it's more like incremental product development, with most of the job being workarounds, excuse-making, bullshitting, and tedious social obligations.
But that’s not how it’s done on these large enterprise networks. Ransomware gangs will still use single user entry points, but the hackers will work quietly inside the network to escalate privileges and determine key servers that should be targeted first.
Privilege escalation in Windows Active Directory domains is really easy. Securing a large corporate network is really hard. Especially on a tight budget.
But it makes great budget headlines, “I slashed the IT budget in half!”
https://news.bloomberglaw.com/securities-law/do-kwon-tapped-...
A completely finished OS can be stored on a read-only device.
We just have to start from scratch :) that is all it takes :)
ChromeOS has entered the chat
Seriously, if it's good enough for school children, it surely is good enough for government. I love my Chromebook, and while I cannot yet do my day job on it, I did interview at a crypto company that did do their day jobs on it, so I believe it's possible.
You might get away with Azure AD instead of a local domain controller and Exchange, but you won't get much farther than that. And if there isn't a backup strategy in place already, this won't change with cloud.
Are they ever going to hold the leadership accountable for sleeping on the job?