Soluzioni Corporate di backup Alessandro Stesi

Corporate backup solutions Self-protection tests

Introduction

Corporate backup solutions: In light of the growing number of ransomware attacks in which cryptolockers stop database processes to unlock database files for encryption (Cerber, GlobeImposter, Rapid, Serpent) and they can encrypt local and network backups to request a ransom payment (Rapid, Spora), we decided to test the self-protection capabilities of the best backup solutions used in the corporate environments available for testing.

The test aims to check the sustainability of the processes and services of the products against the typical attacks on the security software described below, as well as the self-protection of the local backup and of the product files. Ransomware can encrypt configuration files and local backup files that belong to a backup program by disabling file recovery. In addition, once access to the agent or server processes is obtained, the attacker can delete backup copies of files not only locally, but also in the cloud on behalf of a backup solution.

This document is a summary of the enterprise backup solutions test report and includes a description of the test environment, a list of tested solutions and their versions, an overview of test scenarios, as well as results and conclusions based on these results. We do not classify the tested solutions and do not award any prize, but we provide the results “as is” for informational purposes only.

 

Testing environment

The tests were conducted on the virtual machines of:

 – Windows 8.1 SP1 32 bit build 9600

 – Windows 10 Enterprise 64 bit Build 16299

 – Windows Server 2012 R2 Standard 64 bit v. 6.3.9600 Build 9600

We have tested backup solutions on platforms
32 and 64 bit because the process injection techniques used in the test scenarios differ on these platforms. In addition, 32 and 64 bit product builds may contain a different set of features, including self-protection, and their implementation may depend on the architecture of the operating system.

 

Tested products

Corporate backup solutions: The most recent versions of the following products available at the time of testing were tested:

Product name

Components

Version

Management Server

Agent

12.5 9010

12.5 9010

Unified Data Protection Server

Unified Data Protection Client

6.5.4175 Aggiornamento 2 Build 667

6.5.4175.791 v.r6.5

Backup & Replication

Agent for Microsoft Windows

9.5 Aggiornamento 3

2.1.0.423

Veritas Backup Exec

Server

Agent Utility pour Windows

16.0 Rev. 1142

16.0 Rev. 1142-1632

 

Each product was installed with the default settings and updated before running the test.

 

Corporate backup solutions – Test scenarios

The test suite includes 31 tests that simulate attacks on local backup files, product files, processes, services and cloud storage that aim to block the backup and restore service. The “Product File Protection” test category contains simple tests aimed at destroying backup and application files making it impossible to recover data encrypted by ransomware.

The second group of tests “Protection of processes and products services” is essential for self-protection since the malware can inject the malicious code into a backup agent and act on behalf of a backup solution obtaining all the necessary privileges to check the backup files. At the behest of an attacker, a malicious process can interrupt processes and services with consequent blocking of the backup and restore application

or deleting backup files on behalf of a backup solution. The latest series of tests is “Cloud backup and recovery protection” and is addressed to communication interfaces with cloud storage. The attack of DNS poisoning or the improper use of the CLI can cause the cloud backup service to be interrupted.

 

Corporate backup solutions – Conclusions

The purpose of the test was to verify the backup software’s self-protection capabilities to protect related files, processes, services and cloud storage from scenarios that can potentially be run by ransomware.

The results showed that most of the tested products are not ready in many cases to counter ransomware-type attacks by allowing a potential attacker to block user backups and disable backup and restore services. Only Acronis Backup has shown good results with an 87% and 81% effectiveness rate for 32-bit and 64-bit products, similarly providing complete self-protection and service sustainability features.

Download the complete department here: Nio Guard Independent Study_IT

 

[btnsx id=”2931″]

Related articles:

Modern Data Protection: The Difference is in the Cloud

BaaS | Acronis Cloud Backup

BaaS | Cloud Backup | Backup as a Service

[Name change] Acronis Data Cloud –> Acronis Cyber Cloud

Stay in control of your fast-moving, quick-shifting data

A Hybrid Cloud Backup Solution for System Integrator and reseller

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading:

RSS Full Disclosure

  • APPLE-SA-2021-05-03-3 watchOS 7.4.1 May 4, 2021
    Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-3 watchOS 7.4.1 watchOS 7.4.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212339. WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report […]
  • APPLE-SA-2021-05-03-4 macOS Big Sur 11.3.1 May 4, 2021
    Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-4 macOS Big Sur 11.3.1 macOS Big Sur 11.3.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212335. WebKit Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a […]
  • APPLE-SA-2021-05-03-1 iOS 14.5.1 and iPadOS 14.5.1 May 4, 2021
    Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-1 iOS 14.5.1 and iPadOS 14.5.1 iOS 14.5.1 and iPadOS 14.5.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212336. WebKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, […]
  • APPLE-SA-2021-05-03-2 iOS 12.5.3 May 4, 2021
    Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-2 iOS 12.5.3 iOS 12.5.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212341. WebKit Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) Impact: Processing maliciously crafted […]
  • KSA-Dev-0012:CVE-2021-25326:Unauthenticated Sensitive information Discloser in Skyworth RN510 Mesh Extender May 4, 2021
    Posted by Kaustubh Padwad via Fulldisclosure on May 04Overview ======== Title:- UnAuthenticated Sensitive information Discloser in RN510 Mesh Extender. CVE-ID :- CVE-2021-25326 Author: Kaustubh G. Padwad Vendor: Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products) Products:      1. RN510 with firmware V.3.1.0.4 (Tested and verified) Potential     2.RN620 with respective firmware or below     3.RN410 With Respective […]
  • KSA-Dev-0011:CVE-2021-25327: Authenticated XSRF in Skyworth RN510 Mesh Extender May 4, 2021
    Posted by Kaustubh Padwad via Fulldisclosure on May 04Overview ======== Title:- Authenticated XSRF in RN510 Mesh Extender. CVE-ID :- CVE-2021-25327 Author: Kaustubh G. Padwad Vendor: Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products) Products:      1. RN510 with firmware V.3.1.0.4 (Tested and verified) Potential     2.RN620 with respective firmware or below     3.RN410 With Respective firmwware or […]
  • KSA-Dev-0010:CVE-2021-25328:Authenticated Stack Overflow in Skyworth RN510 mesh Device May 4, 2021
    Posted by Kaustubh Padwad via Fulldisclosure on May 04itle :- Authenticated  Stack Overflow in RN510 mesh Device CVE-ID:- CVE-2021-25328 Author:  Kaustubh G. Padwad Vendor:  Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products) Products:      1. RN510 with firmware V.3.1.0.4 (Tested and verified) Potential     2.RN620 with respective firmware or below     3.RN410 With Respective firmwware or below. […]
  • Re: Two vulnerabilities found in MikroTik's RouterOS May 4, 2021
    Posted by Q C on May 04[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities. CVE-2020-20219: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). CVE-2020-20262: Mikrotik RouterOs before 6.47 (stable tree) suffers from an […]
  • Re: Two vulnerabilities found in MikroTik's RouterOS May 4, 2021
    Posted by Q C on May 04[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities. CVE-2020-20221: Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU. CVE-2020-20218: Mikrotik RouterOs 6.44.6 (long-term […]
  • Re: Two vulnerabilities found in MikroTik's RouterOS May 4, 2021
    Posted by Q C on May 04[Update 2021/05/04] CVE-2020-20212 and CVE-2020-20211 have been assigned to these two vulnerabilities. CVE-2020-20212: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference) CVE-2020-20211: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from […]

Customers

Newsletter