Like most people in the cybersecurity field, I follow Brian Krebs’ work. Brian posted an article on ransomware on July 19, 2021. Below are the excerpts that I found most interesting. As you reflect on your backup, recovery and testing plans for your personal information (or for your parents, 2nd cousin twice removed or kids) or the critical information for your business or employer, are you making an action plan to revise anything based on these insights? (Side note: make sure you back up and test the recovery of this new action plan!)
- “the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups is that nobody at the victim organization bothered to test in advance how long this data restoration process might take”
- “…victims that have off-site, encrypted backups of their data but discover that the digital key needed to decrypt their backups was stored on the same local file-sharing network that got encrypted by the ransomware.”
- “…third most-common impediment to victim organizations being able to rely on their backups is that the ransomware purveyors manage to corrupt the backups as well.”
Side note – Check out this “old” ransomware “scenario” from the Cisco Talos group. This sounds like a good script to base a purple pen test on.
Krebs, quoting Fabian Wosar from Emsisoft, writes that all “organizations need to both test their backups and develop a plan for prioritizing the restoration of critical systems needed to rebuild their network.” Of course, this is basic blocking and tackling. Some people may consider this blocking and tackling boring when compared to the pen testing of, let’s say, a Tesla, or the forensic analysis of a drone. Let’s be honest (with some sarcasm, but not too much): backup and recovery isn’t as glamorous or exciting as security architecture. Let’s give a shout out to business requirements gathering, threat modelling, security design assessments, or architecture design documentation. Oh yeah!
But let’s be clear: no team ever wins or makes it to the Super Bowl or the neighborhood “championship” unless they get the basic blocking and tackling techniques down! And you can’t get the basic blocking and tackling down unless you make it a priority and practice it. Let’s repeat:
Prioritize it. Practice it.
Prioritize it. Practice it.
And as the saying goes, practice makes perfect (or almost perfect, since after all, backups, recovery and test plans are still run by humans, at least until Skynet comes online).
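One way to practice it, as an added example that is not from Krebs' article or this post: a restore drill that times a restore into a scratch directory and checks every restored file against hashes recorded at backup time, which covers the first and third impediments quoted above. The function names, the tar format, the `rto_seconds` target and the sample file are assumptions made for illustration.

```python
import hashlib, os, pathlib, tarfile, tempfile, time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive):
    """Tar src_dir and return {relative path: sha256}; store this manifest apart from the archive."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest

def restore_drill(archive, manifest, rto_seconds):
    """Restore into a scratch directory, time it, and verify each file against the manifest."""
    report = {"ok": False, "seconds": None, "within_rto": False, "missing": [], "corrupt": [], "error": None}
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safe extraction where supported
    with tempfile.TemporaryDirectory() as scratch:
        start = time.monotonic()
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = f"restore failed: {exc}"
            return report
        report["seconds"] = time.monotonic() - start
        for rel, digest in sorted(manifest.items()):
            path = os.path.join(scratch, rel)
            if not os.path.isfile(path):
                report["missing"].append(rel)
            elif sha256_file(path) != digest:
                report["corrupt"].append(rel)
    report["within_rto"] = report["seconds"] <= rto_seconds
    report["ok"] = report["within_rto"] and not (report["missing"] or report["corrupt"])
    return report

if __name__ == "__main__":  # constructed sample data, for illustration only
    with tempfile.TemporaryDirectory() as work:
        src, archive = os.path.join(work, "data"), os.path.join(work, "backup.tar")
        os.makedirs(src)
        pathlib.Path(src, "ledger.csv").write_text("id,amount\n1,100\n")
        print(restore_drill(archive, make_backup(src, archive), rto_seconds=60))
```

Run it on a schedule against real backups and track `seconds` over time; a drill that only passes on toy data proves nothing about the restoration time you would face in an incident.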
