7 steps to ensure your Azure backup works when you need it

Worried about ransomware attacks? The best thing you can do now is make sure your backup system is ready.

CSO > Microsoft Azure backups / cloud computing / binary code / data transfer
Microsoft / Just_Super / Getty Images

Recently, a disturbing ransomware attack impacted 22 Texas local governments and left them unable to process tax payments or perform normal business processes. It’s another reminder that both public and private organizations need to review their ability to recover from such attacks. That starts with having a proper backup strategy.

Attackers often investigate how the network is set up and what processes the firm uses for backup solutions. I’ve seen attackers target the backup locations first, ensuring that they silently and quickly delete backups on local NAS devices and write over the devices with 1s and 0s to ensure that the backup is totally deleted and cannot be recovered without great expense.

They often target online backups first. Rather than encrypt the backups, attackers will try to delete where the backups are located and write over the top of the location so they cannot be recovered. Then they target virtualization guests, virtualization hosts, workstation data and finally the domain controllers. Attackers use different encryption keys for every server and workstation and charge for every recovery key, taking a page out of software licensing fee models.

Backup and ransomware recovery best practices for Azure

The key is to not make it easy for the attackers, and too often we do. The Department of Homeland Security (DHS) has put out recommendations on actions to take. The top action is back up your systems. Even that can be tricky in today’s business economy. Fragmentation of responsibilities can lead to situations where one team thinks the other team is taking care of a key task and it ends up falling through the cracks. Too often I’ve seen backups set up but not monitored. There is nothing worse than thinking a backup is taking place when it’s really not.

Follow these steps to ensure that your backups can save the day when ransomware or other attacks hit.

  • Review how your alerts are set up. In addition to setting up alerts to let you know when backups are failing, consider notifications when backups succeed. Find out what alternative means you have to alert of backup issues. Review if the backup solutions send failure notifications via SMS or other communication means so that the failures are more obvious.
  • Know where the backup log files are located and review them on a regular basis for any unusual issues. In the case of Azure, you can review the cloudbackup\operational event log on the client. The main log files for Azure Backup are in C:\program files\Microsoft Azure Recovery Services Agent\Temp. You’ll want to review the logs noted below:
    • C:\Program Files\Microsoft Azure Recovery Services Agent\Temp\CBEngineCurr.errlog
    • C:\Program Files\Microsoft Azure Recovery Services Agent\Temp\CBUI0Curr.errlog
    • C:\Program Files\Microsoft Azure Recovery Services Agent\Temp\CBCmdlet0Curr.errlog
bradley backup Susan Bradley

Microsoft Azure backup logs

  • Always ensure that the user account for backups has not and does not log in. You should back up targets on a completely separate network that the rest of your infrastructure cannot access, strictly presenting as iSCSI devices only on your backup server. Review if the backup software has a means to “privatize” the login and use a separate user/permission structure.
  • Use scripts or other tools to confirm that backups are completing. Double-check that SQL database backups are completing using scripts as well. Often the overlooked backup that wasn’t working is the one that you do need most.
  • Don’t overlook old-fashioned paper documentation. Too often people place all the network documentation and information on a digital platform that an attacker can encrypt. Print out key documentation and store it in a secure location.
  • Make sure you have planned for alternative communication methods such as signing up for another email platform to ensure that you can communicate with team members.
  • Finally, always test backup recovery on a regular basis keeping in mind that you may be restoring your complete network from the ground up. Think of what you would do if the worst happens to you. Are you ready for it? Plan on when, not if.

Don’t forget to sign up for TechTalk from IDG the new Youtube channel for tech news of the day.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!