In light of WCry, and ransomware in general, I was curious how to protect daily backups on my NAS from also being infected? I have a pretty limited understanding of networking, so ultimately I am looking for the easiest solution that is also secure.
I started watching the pfSense build guide on Level1Linux and perhaps that is the best solution?
I also found an old topic that seems to address security on a network, but since I'm not very familiar with networking I don't know that it covers this specific issue.
It's a pretty simple setup. I have daily backups that are encrypted using Acronis that are stored on my NAS. In the event that my computer is compromised, by ransomware or other means, I just wanted to know how to secure my NAS so that it doesn't get tainted.
To answer your second question, no I don't run any other services on my NAS; it's strictly for backups.
I do indeed protect my backups by manually mounting the backup share before running the backup (rsync). The share has a dedicated username and password, which is different from the credentials I use on the machines to log in - so no malware can easily mount it (in case they learn that).
Then I run the backup and later unmount the share again.
I was also contemplating automating that task with a script, but in the end I said no: what if the script runs when the ransomware is already active on the system? The share could get mounted by the script and then the encryption virus can wreak havoc on the backup -.-
Makes sense. However, if you're using the computer everyday that is the source of the backups, wouldn't you know if your computer was compromised? If you're away for a few days or whatever, then you just don't run any backup processes.
Thanks everyone for the information. I think the argument has been made pretty clear the best way is to do it yourself. Does anyone know of any alternatives? I'm just thinking about large companies that take snapshots of their data or whatever. I'm not going to give them too much credit because it's obvious there are a lot of companies that don't practice good security. However, there must be some pretty reliable solution?
That's the easiest and probably fastest way to protect yourself. If you get yourself (or build yourself) a FreeNAS box you can set up regular snapshots with a few clicks, that you can easily reset back to in case of an incident.
If you want to further enhance your security and also resilience (e.g. against physical damage to your hardware due to fire etc.) you can set up automatic replication that will copy the data to an off-site machine. If you have two FreeNAS boxes ready to go, this is done in like 15 minutes.
There are many good solutions for backup, both free and commercial.
A FreeNAS box or other home built solution could be capable of scheduled snapshots of shares, which would protect against ransomware. Similarly some commercial NAS devices can do this such as Synology or in fact ShadowCopy on a Windows server.
Other solutions include "pull" type backups, where the backup is initiated from the backup server. This way the versioning on the server can't be influenced by the client computers. A free example of this is BackupPC, and a commercial example would be Datto.
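A sketch of the "pull" idea from the post above, as an added example that is not part of the original thread and is not how BackupPC or Datto are implemented: the job runs on the backup server, reads the client's files, and keeps dated versions, hard-linking files that did not change. The function names, directory layout, dates and sample files are assumptions constructed for illustration.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def pull_snapshot(source: Path, store: Path, label: str) -> Path:
    """Run on the backup server: copy `source` into store/label.

    Files unchanged since the previous snapshot are hard-linked to it,
    so each version only costs the space of what changed.
    """
    previous = sorted(p for p in store.iterdir() if p.is_dir()) if store.exists() else []
    target = store / label
    target.mkdir(parents=True)
    for src in sorted(source.rglob("*")):
        rel = src.relative_to(source)
        dst = target / rel
        if src.is_dir():
            dst.mkdir(parents=True, exist_ok=True)
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        old = previous[-1] / rel if previous else None
        if old is not None and old.is_file() and filecmp.cmp(src, old, shallow=False):
            os.link(old, dst)       # unchanged: share the stored copy
        else:
            shutil.copy2(src, dst)  # new or modified: store a fresh copy
    return target


def demo() -> dict:
    """Constructed scenario: client files are overwritten between two pulls."""
    with tempfile.TemporaryDirectory() as tmp:
        client, store = Path(tmp, "client"), Path(tmp, "store")
        client.mkdir()
        (client / "report.txt").write_text("quarterly numbers")
        (client / "notes.txt").write_text("meeting notes")
        day1 = pull_snapshot(client, store, "2017-05-14")
        # The client's copy is replaced with junk before the next pull.
        (client / "report.txt").write_bytes(b"\x00" * 32)
        day2 = pull_snapshot(client, store, "2017-05-15")
        return {
            "day1_report": (day1 / "report.txt").read_text(),
            "day2_report": (day2 / "report.txt").read_bytes(),
            "notes_shared": os.path.samefile(day1 / "notes.txt", day2 / "notes.txt"),
        }
```

The earlier version survives only because the client has no write access to `store`; in a real setup the server would reach the client through a read-only share or account.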
I run with small system drives and have all my data on the NAS, so I disconnected it in Windows for now. I can't seem to find the option to modify my user account (in the FreeNAS control panel) so that the shares are read-only to me.
Still on 9.3, by the way. I stopped updating because FreeNAS wants me to flash my HBA (an LSI 9211-8i on firmware version 16, FreeNAS wants version 20). Oh well, I guess it's time to back everything up, pull the card and flash it, add some drives and start anew with the newer version. Not this week though, gonna be one hell of a week at work.
Don't get me wrong, but I think this is not a practical solution. In my experience, most people who have a NAS are working off the data from the NAS as well and not just use it as a backup volume. So those files that are on those shares will most likely be affected, unless you happen to not have worked with them since you booted the machine (given that you need to login to the share manually before using them).
So in my opinion it is probably a better idea to make sure that the effects of a ransomware infection are limited than to prevent its direct damage. In other words, make the data that might become encrypted recoverable through snapshots, etc. rather than stop having things mounted.
With my arse currently flapping in the breeze, and a note from the CISO that went out at work....um...yeah, I'm interested. I like the pull or push/pull methodology for keeping my shtuff safe.
Another option from Windows might be to NOT have the password saved? However, if it strikes while you're logged into the share with write permission, depending on how your shares are configured, there could be a heck of a data slaughter. Split read and write like a sane person...and only use write sparingly.
I too work off my NAS, but I'm thinking of "adding" to the family and having a couple of "true" backup boxes and external drives for my most important data. Looking at some viable options, and I'm interested how things shake out.
I'm not as worried about myself, but for the rest of my family that turn to me for tech support. I hope they have their $300.00 handy.
Maybe people will take security seriously...maybe (Nope!).
I get you. My personal opinion is that, as much as possible, everyone should limit themselves from having access to the backups/snapshots, yet keep the process of creating backups as simple as possible, otherwise you will stop bothering (at least until the next crisis). I personally created a "system" of tiers of data that I back up. And for each tier I have a slightly different approach and backup interval. The basic rule is: the more important the data is for me, the more effort I put into it.