How To Protect Backup Servers From Ransomware Attacks

W. Curtis Preston is the Chief Technical Evangelist at Druva, a SaaS data protection platform. He is also the Founder and Webmaster of Backup Central, a website dedicated to data backup and recovery. Since 1993, Curtis has specialized in storage, backup, and recovery and has been an end-user, consultant, and analyst. He has written four books on these subjects and is the host of the Restore it All and No Hardware Required podcasts.

Here’s a glimpse of what you’ll learn:

• W. Curtis Preston shares how he became known as “Mr. Backup”
• How ransomware targets backup servers
• Curtis talks about Druva and how it differs from other offerings
• The importance of updating backup plans
• Key considerations for selecting data protection SaaS providers
• What are the effects of SEC (Securities Exchange) regulations on public and private companies?
• Curtis’ best cybersecurity tip: password managers and MFA

In this episode…

Ransomware is becoming increasingly sophisticated, with hackers deactivating companies’ backup servers to counteract cybersecurity efforts in a traditional attack. Still, businesses are neglecting to test and protect their backup servers. So how can you safeguard your data against cyberattacks?

With the emergence of modern technology and impending security regulations, W. Curtis Preston says it’s more crucial than before to implement disaster recovery plans that facilitate data restoration. One way to ensure maximum protection is to utilize a SaaS data protection provider. Selecting a provider necessitates evaluating your cybersecurity methods and aligning them with the provider’s disaster response plans.

In today’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with W. Curtis Preston of Druva and Backup Central to talk about data protection and disaster recovery. Curtis explains how ransomware targets backup servers, the importance of updating backup plans, and key considerations for selecting data protection SaaS providers.

Resources Mentioned in this episode

• Jodi Daniels on LinkedIn
• Justin Daniels on LinkedIn
• Red Clover Advisors’ website
• Red Clover Advisors on LinkedIn
• Red Clover Advisors on Facebook
• Red Clover Advisors’ email: info@redcloveradvisors.com
• Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
• W. Curtis Preston on LinkedIn
• W. Curtis Preston’s email: wcurtispreston@gmail.com
• W. Curtis Preston on Twitter
• Druva
• Backup Central
• Modern Data Protection: Ensuring Recoverability of All Modern Workloads by W. Curtis Preston

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media.

To learn more, and to check out their Wall Street Journal best selling book, Data Reimagined: Building Trust One Bite At a Time, visit www.redcloveradvisors.com.

Episode Transcript

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:37  

Just Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

 

Jodi Daniels  0:55  

In this episode is brought to you by that was the wimpiest drumroll ever. Red Clover Advisors, we help companies to comply with data privacy laws and customer trust so that they can grow and nurture integrity. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new best selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. You haven’t found this is our first episode that we’re recording in 2023. It’s been a while. It has been a while we have these like fancy mics and how to remember how to what have you been up to? And record things?

 

Justin Daniels  1:42  

Have you been up to? Ah, it’s been fun.

 

Jodi Daniels  1:46  

Are you ready? Let’s do this. All right. So today we have a really cool guest. I’m so excited for this discussion. We have W. Curtis Preston, also known as Mr. Backup. He has specialized in designing data protection systems since 1993, and has designed such systems for some of the largest organizations in the world. His lively pros and why real world approach has made him a popular author and speaker. He has written for O’Reilly books, the latest of which is Modern Data Protection published in 2021. He is also the host of backupcentral.com. And its Restore it All podcast. He is now the chief technical evangelist for Druva, the only at scale SaaS provider of data protection. Well, Curtis, we’re so excited to have you here today.

 

Curtis Preston  2:38  

I’m excited I I’m, I’m your first podcast recording of the year very, you know, I’m honored.

 

Jodi Daniels  2:46  

It’s a great way to start the new year.

 

Justin Daniels  2:48  

And Jodi had a lot of coffee today. So she’s quite perky.

 

Jodi Daniels  2:51  

I only had one little cup, but I’m really hungry. And I haven’t really eaten very much

 

Justin Daniels  2:57  

today. And I’m sure that’s my fault. But let’s delve in. So, Curtis, how does your career evolved to your current role?

 

Curtis Preston  3:08  

Well, I started, like a lot of people that started it, I got the job that nobody else wanted, right, which, which was the backup guy back at what at that time was the second largest credit card company in the US MBNA. And that was back, as you said in 1993, which by the way, this month, marks my 30 year anniversary in the space. And the I actually tried to get out of backup, and kept I just kept literally falling into it. And eventually then I realized I knew a lot about something that most people didn’t, and started writing. And next thing you know, I’d written a book, and then I read more books and about five years ago. But I had always been on the the the end user side, the company side, you know that were that were actually using the technology. And then five years ago, I decided to you know, cross the other divide. And so I went to work for my first vendor. And that’s Druva. So that’s a brief, you know, one minute version of 30 years of time.

 

Jodi Daniels  4:27  

Well, congratulations on 30 years. Very exciting.

 

Curtis Preston  4:31  

Thanks. Now,

 

Jodi Daniels  4:33  

if we think about where we are in prepping for this call, I thought this was a really interesting fact while you were talking about ransomware and their focus and targeting of backups, if you can help explain to our audience a little bit more about how this actually works. So many people are just used to kind of the commonplace ransomware as opposed to where they’re, they’re focusing these days.

 

Curtis Preston  4:57  

Right so you know, there was ransomware V one, right, which was we’re going to, you know, get into your environment, we’re going to encrypt the data, and then we’re going to demand money in order for, for us to unencrypted data, that’s a, that’s the old ransomware attack, what they’ve moved on is a two phase attack, where they still do that, but then what they’re looking for is a place to exfiltrate your data, you know, specifically unencrypted versions of your, your company’s intellectual property, or something else embarrassing about your company, right? Maybe customer account data or whatever it would, you know, whatever it is, it doesn’t matter really what they’re able to exfiltrate, as long as it’s something they can demand money. So they, you know, it’s either give us a million dollars, or we will release this embarrassing thing about your company, right? What they’ve realized is, is that the backup server is a prevention for the first type of attack, and a honeypot for the second type of attack. So they’re realizing that if people have decent backup and recovery and disaster recovery systems, you know, then they can say no to the ransom of the first type. But what they’ve also realized is that, you know, in the first part of the call, I mentioned that, you know, I got the job nobody else wanted. Well, for various reasons, backups are not the, you know, the star quarterback of any IT department. And so, the system is often ignored from a cybersecurity perspective, or quite, quite often managed by someone who’s relatively junior. And so the, the bad actors have realized that, if they can get a hold of the backup server, the first they can, they can, if they can basically deactivate the backup server, it means it can’t be used against them in a traditional attack. But even more interestingly, is that the backup server holds a, you know, a treasure trove of the data that they’re trying to exfiltrate. And it’s often not stored in the most secure way. And so that’s why they’re going after the backup server either to deactivate it, to take it out of play of the traditional attack, or to use it to exfiltrate data. Instead of exfiltrating it directly they’re getting it from the backup server.

 

Jodi Daniels  7:32  

So I have a follow up question, which is, are there any common ways that you’re seeing how these attackers are getting to those servers? Ah,

 

Curtis Preston  7:45  

I don’t know. I don’t know if I’d say common. Basically, the there are a series of ways Either they’re doing. They are gaining access credentials that through other means, right, like hacking Active Directory, and they’re gaining access credentials to the backup server. Or they are there are vulnerabilities and some of the on prem backup packages, right? In my world I separate. There’s on prem backup software, and SAS based backup software, which is what Druva does. So there are vulnerabilities, there were some again, I don’t want to mention vendors names. But there were a handful that were announced recently on one of our main competitors. So there are direct exploits. And then finally, I would say that there are traditional, basically privilege escalation attacks, that a lot of the designs, especially to big companies use Windows as their main OS for the backup server. And a lot of basically, if you’re able to escalate your privileges to administrator in Windows, all bets are off from the security of the backup system. And so that’s, that’s another way to that they’re

 

Justin Daniels  9:12  

able to do. So can you talk a little bit about Druva? And how it’s different from other vendors in the space that say they have sauce? Yes. So

 

Curtis Preston  9:25  

there are so you know, if you go back, like I’ve been at the company five years, and when I first got here, you know, the famous Gretzky phrase of of skating where the puck is going, right? You know, basically that’s, he’s like that was what you need to do you need to skate to where the puck is going.

 

Justin Daniels  9:45  

Jodi, do you know who Gretzky was? Yes.

 

Jodi Daniels  9:49  

Thank you. I know that sports might not be my forte, but that doesn’t mean

 

Curtis Preston  9:57  

for the record is not my forte here, but I knew that vote before I even knew where it came from, by the way. But that’s the way we were for a long time we were we were the main if not the only, you could say SAS based provider of data protection. And then in the last year or two, a bunch of other companies have gotten into the, by the way back, then I had to explain what that meant. Right? You know, you have to use say, what, you know what Microsoft 365 is right? Or like, yes, well, you know, we’re like that, but for backups, right, I had to explain what that meant. Well, now, there are a handful of our, you know, many of our competitors have gotten into the SAS based business, but what they did, the way they got into the business was by lifting and shifting their on prem architecture into the cloud, right. So you know, you know, the basically, there’s a very big difference from designing and coding your infrastructure specifically for a cloud vendor, and basically moving a VM into the cloud. And that’s what our competitors have done. And there are significant cost differences. And since we’re talking about cybersecurity, cybersecurity differences, right. Basically, the the attacks that you would leverage to attack an on prem system are basically the same attacks that you would use to attack that same system if it’s been moved into the cloud, if all you did was lift and

 

Justin Daniels  11:31  

shift, right. So Curtis, I kind of have a follow up question on the whole notion of backups hand, having handled a variety of incident response engagements. And typically, what I see is either they don’t have backups, they have partial backups, meaning we have everything except oops, forgot to backup our largest customer, so we’re going to be paying, or even if they have the backups, they never test them. So they decide, You know what, it’s just easier to pay even if files are corrupted, rather than get our backups. So is this still, from your perspective, the state of affairs? Or are things starting to change, given all the executive orders that came out last year and some of the other regulations that are being talked about?

 

Curtis Preston  12:16  

I think that the ransomware attacks of the last, I’m going to say six years, I remember 2014? Was I guess that wow, I was thinking it was 2020? Sorry, seven years? Eight, nine, crap, I’m doing math in my head. And

 

Jodi Daniels  12:36  

it’s early January, it’s okay. We’re all still Yeah.

 

Curtis Preston  12:39  

So nine years, by the way, 2014 to 2023. The last nine years, I think have caused a lot of people to revisit their, you know, their specifically, their Dr. Plans, right, which Dr. Plan is going to rely on the backup plan. And I think, and I would also say that a variety of not all, but there are newer players in the backup market, one of which is Druva a that have made things easier, right. So when it’s easier to do automatic selection of servers, for example, when you’re a VMware shop, for example, and you can just say, look, automatically backup, every new VMware VM, wherever it shows up, when you can do that. It’s so much better than when I joined the, you know, the industry. And I had to get a memo, right? There’s a new server, and I had to get a memo that there’s a new server, or else that server wouldn’t be backed up. Right. So it has gotten easier. And if you’re using newer technology, to basically at least make sure everything’s protected. Number one, that was sort of what you were, the first to you talked about was just people not even being sure that all their data is being protected. So I think it’s easier to do that. And then the third, or the third one about not testing, the cloud has made testing a lot easier, a lot more feasible. You still have to know to do it, you still have to conduct a recovery test, right. But you know, for example, with Druva, you can do a full Dr test with a single click of a button. And, you know, and we don’t charge extra for those tests, right. And you can do that if you can automate your DR test at that point. Again, contrasting that to the way it was when we did a DR test at the bank. It was you know, 30 people for an entire weekend to to recover a handful of our servers. Now you can just push a button and restore your entire environment you know, with the One person. And so I think that if you’re using newer technology, there’s really no excuse for not testing other than just laziness. It’s not, it’s not the cost and huge logistical nightmare that it was 30 years

 

Jodi Daniels  15:13  

ago. So what might you suggest to an organization looking for SSH service for data protection and resilience? What should they be looking for?

 

Curtis Preston  15:26  

Well, I would, I would first, you know, we’re talking a lot about cybersecurity, I would first ask them, how their data is protected from a cybersecurity perspective, right? How is it protected from a ransomware? Attack? How is it protected? If you move to a SaaS based provider, your biggest risk, but remember that I think when you ask me, how are people doing it is the the it was getting a hold of access credentials, right? If you’re using a SaaS base data protection provider, your biggest risk is probably that someone gaining access to your username and password that is the controlling account for your, for your backup provider. Ask your vendor, what happens if somebody gains access to your main account, and then goes in and deletes all your backup configurations? Or worse yet deletes all your backups? How does their product respond to that? Many of the products don’t have an answer to that I know we do. Some of our competitors do. Because that’s another one of the attacks again, from a ransomware perspective, or just a disgruntled employee perspective, I’m going to show you I’m going to log into the backup account, and I’m going to delete all of the backups. Right? And this is why I used to, and it also asked them what they do from a least privilege standpoint. Right? How are they? How are they limiting the blast radius of each employee who’s running the backup system? Are you able to separate? You know, like the person that creates the backups from the person that runs the backups, for example, right? And then finally, ask them about cost, right? Because ask them about how predictable the costs are. And what happens if significant changes happen in your environment. So for example, if you sell off half your company, you decide you’re no longer in the I don’t know, whatever business and you sell that part of your company off and half your datacenter leaves with it. Do your costs go down? If they don’t, my opinion, that’s not really a SaaS provider. You know, that’s my opinion. But whatever.

 

Jodi Daniels  18:06  

Well, your opinion is valued, and we appreciate it. Thank you so much. I think our listeners will will

 

Justin Daniels  18:11  

as well. You know, the best Wayne Gretzky quote, is marketing.

 

Jodi Daniels  18:17  

I don’t but I know you’re going to tell us

 

Justin Daniels  18:18  

Yes, miss 100% of the shots you don’t take? Oh, see, I

 

Jodi Daniels  18:22  

know that. You say it 400 times a day.

 

Justin Daniels  18:27  

There you have it. Kids know evolves. So Curtis, kind of changing a little bit to the current kind of regulatory environment around cybersecurity, we had a series of executive orders from Sisa and the Biden administration around breach reporting requirements. There’s some new SEC regulations that are likely coming final in the next month or two. How do you think these regulations are going to start to impact both public companies as well as those private companies in their supply chain, needing better CYBER HEALTH AND incentivize them to really pay attention to having good backups? testing our backups? What are your thoughts on Yeah,

 

Curtis Preston  19:13  

I think it’s great. I hearken back to many years ago, where California passed a new law that required companies to disclose if they had if personal information of their customers had been exposed, and uh, suddenly you saw all these all these breaches that were being notified, you know, publicly, there were so many it became a Jeopardy category, right? Somewhere. I’ve got the clip, that there was a Jeopardy category of all of these breaches that happened in a single year. And it’s not like suddenly breaches started happening. It’s because suddenly they were required by California law to tell us I expect a similar explosion. I don’t know if that’s the right word. But in notifications from companies after hopefully these rules go into effect. Companies, they just don’t. They don’t obviously they don’t want to notify. I’m thinking about. There are there are two. The one that’s coming to mind is the Rackspace outage that happened December 2. And there’s another company whose name is escaping me at the moment. Oh, LastPass. So these are two companies who had both had hacks. One was incredibly forthcoming, in how the hack happened, what happened, what was accessed what wasn’t accessed. The other is there they’ve been opaque as as milk. Right? You know that? They’re not saying anything. And I think that if these SEC rules, force public companies to report on exposures like this, and hacks, then I think hopefully more companies will be like, the way LastPass has responded and not the way Rackspace did. You, right,

 

Jodi Daniels  21:29  

I think you often find regulation tends to push people to do things that they don’t always, you know, have to do before, and then people become more aware of it. And I think that’s when change will continue to happen. I like to think that change will happen with just being good company, people. But someone do it that way.

 

Justin Daniels  21:53  

So Jodi, which will happen first federal privacy law or federal cybersecurity law?

 

Jodi Daniels  22:00  

And that’s a interesting question that I, you know, I don’t like to gamble. So I don’t know, it’s a toss up. I think it depends on which company is going to scream the loudest. And it could be that a lot of big companies don’t like these new disclosures and want some kind of standard. But then you also have a lot of states who are continuing to pass laws, and it’s really whichever political person is going to win. And company is going to add on No, I can’t answer. I’m not voting system to. I’m not voting. The reason I bring it up vote. Okay, was your

 

Curtis Preston  22:41  

thoughts. I’ll say the cybersecurity one, because I think it’s, it’s the other the privacy law, which by the way, I’m behind as well. The idea of the privacy law, it impacts every single company every single day, whereas the cybersecurity law allows a company to go well, it won’t be us. You know, and it’ll only impact us once, right? We’re versus the privacy law impacts every single company every single day. You know, so I think the cybersecurity law will go first. But

 

Jodi Daniels  23:12  

those are good arguments for the cybersecurity law.

 

Justin Daniels  23:14  

Well, remember what state laws you have, including Guam and Puerto Rico 52 Different breach notification laws. And so the question is, as these privacy laws proliferate, which, as I like to say, you know, privacy and cybersecurity of the peanut butter and jelly of technology. What does that do for all these companies who are trying to navigate this patchwork quilt of state laws when it comes to privacy and security? Does that then motivate the federal government to get their act together? That’s what I did.

 

Jodi Daniels  23:45  

And we had a bill and then it didn’t pass. But we could have a whole episode on that. And I’m going to reel it back in.

 

Justin Daniels  23:53  

Okay, I’m sorry, I’ve gone down a tangent that been slapped

 

Jodi Daniels  23:56  

and is. So Curtis, perhaps in your universe, you talk about privacy and security all day long, just like we do over here, as you can tell riveting conversations. So when you are out and about and people know what you do, what is the best cybersecurity tip that you would offer people?

 

Curtis Preston  24:18  

Well, are we this is a these are companies not consumer, you can

 

Jodi Daniels  24:24  

answer it either way.

 

Justin Daniels  24:25  

It’s a broad question. It can be for consumers or for business. Yeah, from?

 

Curtis Preston  24:33  

I’d say one that goes for both is I am a huge proponent of password managers. Okay. Not LastPass. I, I think, I think LastPass days are over. But that’s a, again, another discussion for a whole because of multiple reaches, et cetera, et cetera. But I’m a huge proponent of password managers. And I’m a huge proponent of MFA everywhere all the time. And And the, if you’re if you’re a company and you have accounts that matter at all, they should be protected by MFA. If you’re a person, and you, and you’re working with banks, or places where you can buy things, right, I mean, you know, I don’t care so much. If you’re, I don’t know, I can’t think about if your account that doesn’t store any of your data doesn’t have MFA, I don’t care so much about that. But if it’s a place where you can buy things or you know, withdraw things, please, activate. The only thing that stinks about that. One of the things that sucks about MFA is that it’s optional at any places. Well, if it’s optional, please select that option. And if your accompany, please start requiring that option. Right. So I would say, you know, use a password manager to get a unique password and make those passwords. The beauty of using a password manager is you can make the password ginormous. Right? You can make it 20-30 characters, and it doesn’t matter because it’s just gonna copy and paste it you know, doesn’t matter how big it is. So you know, you have a unique password everywhere and then use some sort of MFA system. I am you know, a proponent of, you know, good is better than nothing, you know, something is better than nothing. So, even if you’re just using SMS authentication, that’s better than nothing. But I would prefer if you’re, if you’re okay with using something like Google Authenticator, or or I am a proponent of Authy, then that’s better than that. So those are my two cybersecurity tips for so Curtis when

 

Justin Daniels  27:03  

you’re not working on being Mr. Backup and writing all of your books, what do you like to do

 

Curtis Preston  27:09  

for fun? I’m a huge barbecue person. And by barbecue, let me define barbecue that is not a grill in the backyard that is grilling, barbecuing, being smoking. So I make a mean brisket. And I think it rivals what you would get if you went in Texas, great ribs. Pulled Pork if I’m if I’m asked for it. And yeah, I love I love doing that and sort of perfecting that. So much so that it may be my retirement income, we’ll see. But yeah, I enjoy maybe I’m also a big DIY person. I just literally finished the largest DIY project I’ve ever undertaken. And that is i i put down vinyl planking the luxury vinyl, luxury vinyl planks, that’s what they call it right? In my whole house. Wow, is a huge project six months, I will tell you two things. One is I’m not going to do the I’m not going to do the second floor. I did the first floor. Because I committed to that I’m like, damn it, I’m going to finish this thing. If it kills me. And and it will be the last time I do it. There were a number of times that the main problem is you’re on your hands and knees the entire time. And the number of times I said I’m too old for this blank. Over the last six months was was a few

 

Jodi Daniels  28:52  

Well, congratulations. I’m sure those floors look beautiful. And if people wanted to learn more about your flooring capabilities, your barbecue your books or backup, where should we send them?

 

Curtis Preston  29:05  

So if they’d like a free copy of my latest O’Reilly book, they can go to druva.com/ebook and if they want to talk to me personally, I’m WCurtisPreston@Gmail.com or at WCpreston on Twitter as long as Twitter stays up

 

Jodi Daniels  29:25  

well, thank you so much. We learned a significant amount we’re delighted to have this discussion to help companies prepare and protect their assets more interesting remarks Mr. Quote man,

 

Justin Daniels  29:40  

I’m looking forward to Curtis’s next book Curtis on barbecue. That’s a good one. Yeah.

 

Curtis Preston  29:47  

I am writing a new book on ransomware by the barbecue Yeah, less competition in the Red Square Space but uh, but a barbecue way. too much. By the way, I’ll give you another on top of your your quote about the missing 100% of the shots you don’t take. quitters never win and winners never quit, but those that never win and never quit are idiots

 

Jodi Daniels  30:16  

very, very nice.

 

Curtis Preston  30:17  

That’s from a company called despair.com which makes D motivation posters. They cracked me up.

 

Jodi Daniels  30:26  

Okay, well, thank you so much. We appreciate it

 

Outro  30:31  

anytime. Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.