Hope you enjoyed your stop at Center for Internet Security (CIS) Critical Control 9: Limitation and Control of Network Ports, Protocols, and Services! If you missed the previous stops on this journey, please check out our full blog series on the CIS Top 20 Critical Controls; each post provides educational information about the control in focus as well as tips and tricks for consideration.

The next stop is Critical Control 10: Data Recovery Capability. As is the case with all expeditions, the journey tends to be bumpy but thrilling nonetheless. For your safety, please remain seated and keep your hands, arms, feet, and legs inside the train. Thank you, and enjoy the ride. Away we go!

What the Data Recovery Capability Control Covers

Center for Internet Security (CIS) states the following as the key principle of this control: “The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.” The control consists of four criteria, labelled as foundational elements of a security program, which focus on system backups and restore testing. The criteria are as follows:

  1. Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements.

  2. Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

  3. Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

  4. Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like ransomware which seek to encrypt or damage data on all addressable data shares, including backup destinations.

Who Cares About CIS Critical Control 10?

As in previous posts, you may be wondering why this matters. So what? Who cares? What’s the big deal here? Well, here’s the thing: adversarial actors like to meddle with more than just configurations and software. Indeed, attackers occasionally alter data, albeit subtly, on compromised machines, potentially contaminating data across the organization. It’s one thing when a pipe bursts in one isolated house, but it’s a different story and mess when a burst pipe impacts several properties.

This kind of attack has the potential to be catastrophic for any organization, but especially for those handling sensitive information (e.g., PII or medical records). Think about the data in your systems. Consider the cascading effects of large-scale contamination, such as the loss of financial reports for a business or health records for a hospital.

How to Implement This Security Control

The good news is that there are ways to prevent large-scale effects, some of which are discussed below. There are several facets to implementation, but policies, processes, and tools related to backups and testing remain central to this control. In the words of the revered Lil Jon and the East Side Boyz, “Back, back, back it up!” First and foremost, an organization must prioritize backups. Specifically, each system must be automatically backed up on a weekly basis at a minimum. Systems storing sensitive (or critical) information should be backed up more frequently. In addition, backups must be protected, so neither physical security nor encryption can be neglected; this includes encryption at rest as well as in transit. Which type of encryption to apply, at rest and in transit, can be decided based on data classification (e.g., confidential vs. restricted, or internal vs. external), thereby keeping the cost of encryption proportionate. Next, backups must be tested, thereby ensuring that all backups are whole and functional.

As part of common procedures and practice, an organization should conduct backup tests quarterly as well as after obtaining new backup equipment. By conducting regular backups and testing, an organization proactively prepares itself for any malicious tampering with its data by potential attackers. While frequent backups are most often recommended for data recovery, organizations may approach data recovery differently based on their needs. For example, an organization may leverage an alternate system, a warm standby, or system function reassignment. Organizations must work within their means to establish the most effective data recovery program for their needs. With robust, implemented restoration procedures, an organization has the ability to restore a version that predates an infection; moreover, doing so reduces the total downtime following an incident.
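The four CIS criteria listed above and the restore testing described in this section, as an added example that is not CIS’s or this blog’s own tooling: a small Python script (standard library only) that writes a new timestamped archive every run rather than overwriting the last one, records a SHA-256 manifest at backup time, verifies a backup by actually restoring it into a scratch directory and comparing every file to the manifest, and prunes old versions under a retention count. The scenario in `demo()` is constructed: a tiny data tree is backed up, a file is then subtly altered to stand in for the post-compromise tampering the control warns about, and the script shows that the earlier version restores intact and differs from the current data. Encryption of the archive at rest and in transit (criterion 3) and an offline destination (criterion 4) are left to external tooling and are not shown.

```python
"""Versioned backup with restore verification and retention (added example).

Standard library only; all sample data is constructed inline. Archive
encryption (CIS criterion 3) is assumed to be applied by an external tool.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its digest; restores are checked against this."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name[:-len(".tar.gz")] + ".manifest.json")


def create_backup(source: Path, dest: Path, stamp: str = "") -> Path:
    """Criterion 1: a new timestamped archive per run, so a copy that predates
    an infection stays available instead of being overwritten."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path(archive).write_text(json.dumps(build_manifest(source), indent=1))
    return archive


def verify_restore(archive: Path, expected: dict = None) -> dict:
    """Criterion 2: really restore into a scratch directory and compare every
    file against `expected` (default: the manifest recorded at backup time)."""
    if expected is None:
        expected = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(target, filter="data")  # Python >= 3.12
            except TypeError:  # older tarfile has no extraction filter
                tar.extractall(target)
        restored = build_manifest(target)
    missing = sorted(set(expected) - set(restored))
    mismatched = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {"ok": not missing and not mismatched, "missing": missing,
            "mismatched": mismatched, "files_checked": len(expected)}


def prune(dest: Path, keep: int) -> list:
    """Retention: keep only the newest `keep` archives (names sort by timestamp)."""
    archives = sorted(dest.glob("backup-*.tar.gz"))
    removed = []
    for old in archives[:max(len(archives) - keep, 0)]:
        old.unlink()
        manifest_path(old).unlink(missing_ok=True)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Constructed scenario: back up a small tree, simulate subtle tampering
    afterwards, then show the older version restores intact."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "notes" / "readme.txt").write_text("quarterly close\n")
        dest = Path(tmp, "backups")
        first = create_backup(src, dest, stamp="20240101T000000Z")
        # Subtle tampering after the first backup (constructed, stands in for an attacker).
        (src / "ledger.csv").write_text("acct,balance\n1001,25000.00\n")
        create_backup(src, dest, stamp="20240108T000000Z")
        create_backup(src, dest, stamp="20240115T000000Z")
        report = {
            "first_restores_cleanly": verify_restore(first)["ok"],
            # Checking the old backup against today's data flags exactly what changed.
            "old_version_mismatches": verify_restore(first, build_manifest(src))["mismatched"],
            "pruned": prune(dest, keep=2),
        }
        report["versions_after_prune"] = len(list(dest.glob("backup-*.tar.gz")))
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of `verify_restore` is that it performs a real extraction rather than merely checking that the archive file exists or that its checksum matches what was written; a backup that cannot be restored is not a backup. The retention step keeps several versions over time so that, after a compromise is discovered, there is still a copy believed to predate it.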

Like many things in life, practice makes perfect. Or, it at least reduces the chance of a noteworthy problem or setback. In the sport of triathlon, there are three disciplines: swimming, cycling, and running. However, those of us in the triathlon community joke that there is a fourth discipline: the transition between sports. Seasoned endurance triathletes know that solid, speedy transitions are crucial to a successful day. Funny enough, we practice running to our 1-ft x 2-ft foot space, throwing our helmets on/off, and stashing snacks in our race kits for the long ride or run ahead. Just as backups are a small component in an organization’s thorough security program, the transition is a sliver of the race, a truly minuscule part. Nevertheless, a mistake in that three and a half minutes has the potential to add massive hurdles for the duration of the race. It’s a seemingly small thing, but it matters. So, too, do comprehensive and practiced data recovery procedures. While they make up one small piece of the larger security puzzle, well-rounded data recovery procedures are vital. It’s a simple thing, and it could make all of the difference!