Ransomware: What It Means for Your Database Servers - Redmondmag.com

Ransomware: What It Means for Your Database Servers - Redmondmag.com

Ransomware: What It Means for Your Database Servers - Redmondmag.com

Posted: 21 Jan 2020 12:00 AM PST

Joey on SQL Server

Ransomware: What It Means for Your Database Servers

Ransomware affects databases in very specific ways. Joey describes the mechanics of a SQL Server ransomware attack, what DBAs can do to protect their systems, and what security measures they should be advocating for.

  • By Joey D'Antoni
  • 01/21/2020

Happy new year and welcome to 2020. Are you prepared for a ransomware attack?

Security is definitely not the most exciting topic. If you look at the program from any database conference, you will notice a heavy lean toward topics like performance tuning (especially performance tuning), new features or high availability. While these topics are interesting, having good database security might be your last line of defense in the ransomware attack that you are likely to have.

The Mechanics of Ransomware Attacks
Ransomware attacks typically use one of two major vectors. The more common one is a phishing attack in the form of an e-mail with an infected attachment. A user opens this attachment, allowing the ransomware to execute on your network.

The other vector is identifying a vulnerability in your network, like in your VPN software, and inserting itself into your network. Once inside your network, the ransomware begins to encrypt files on the target system and attempts to encrypt files on any mapped drives or even any network-connected device that the infected machine can write to.

After your files are fully encrypted, the infected computers will display a pop-up message asking for payment in the form of Bitcoin for a key to decrypt the files:

[Click on image for larger view.] Creative Commons image captured from here.

The time limit is a common ploy to pressure the victim into paying the ransom so they can gain access to their files without them being deleted. However, several recent cases have had firms paying the ransom but still not gaining access to their files.

How This Can Affect Your Database Systems
Ransomware attacks are highly effective, but they aren't the most sophisticated attacks. The attack functions just like Transparent Data Encryption (TDE) does in SQL Server, except that you don't have the have the encryption key.

Typically, variants will attack your MDF, NDF, LDF and your backup files (BAK and TRN). This leaves your SQL Server in an inoperable state, because the SQL Server service can no longer open master.mdf -- and then things go downhill from there.

While the encryption of your data and log files is really bad, the killer is that you can lose access to your backups. Once your backups are encrypted, it really is game over in terms of your data recovery.

So What Can You Do?
Protecting against ransomware is a multifaceted effort that requires defense in-depth at multiple layers of your infrastructure. However, as a data professional, your scope is probably defined to the database servers in your environment. Let's first talk about the things you can either personally do or advocate for.

Storing Backups in Another Location: I saw a Tweet a couple of week ago that said, "It's really hard to encrypt a locked box of backup tapes," and I thought that we have returned full circle to tape backup.

If trying to remember the latest LTO type isn't on your agenda, you should ensure that you have a second copy of your backups going to somewhere that is not easily network-accessible. I really like the idea of using the cloud for this (i.e., copying your backups to secured cloud storage).

Whatever you do, don't have the only copy of your database backups be on a file share that you can access from your desktop and as a standard user. Additionally, I would recommend carefully evaluating what has access to your backup environment. If it is on the company file share that employees use, consider moving the backups to their own set of file servers with limited access.

Use Admin Account: Instead of using your normal credentials for privileged operations like logging into a database server, you should be logging in with a different set of credentials (preferably with a multifactor authentication).

Some companies take this further by having a separate domain for production systems, which is an even more secure approach. The reason to do this is because if your machine becomes infected, your user account won't have direct access to production systems.

Patch All the Things You Manage: This should go without saying, but it's absolutely critical to keep systems up to date with the latest Windows and SQL Server patches. Encourage other teams in your organization to do the same; you are only as strong as your weakest link.

Use Windows Firewall: I'm guilty of not doing this myself, as it can be frustrating to open specific ports especially when you are using things like clustering or AlwaysOn Availability Groups. However, the protection that Windows Firewall offers is really good for a basic protection level. (Note: Some malware variants actually open ports in Windows Firewall.)

Test Those Backups: Your backups are only as good as your ability to restore them. Do this regularly.

What Should You Advocate For?
Though network architecture is typically outside of the scope of the DBA, it is some of the best protection against malware. By segmenting your network so that servers have very limited ability to communicate over the network with other services, you limit the damage that a malware infection can do.

From a security perspective, this is part of what's called an "assume breach" mentality -- you assume that computers in your network have been attacked or could be attacked at any time. Part of that mindset is protecting your most critical systems (e.g., your production database servers). This approach also means actively trying to attack your own environment and regularly recovery testing.

This is the new normal -- ransomware attacks are a clear risk for the foreseeable future and your critical business data is vulnerable. As a database or system administrator, you are limited in your influence, but you can help identify security anti-patterns while maintaining best practices across your systems to provide data protection.


About the Author

Joseph D'Antoni is an Architect and SQL Server MVP with over a decade of experience working in both Fortune 500 and smaller firms. He is currently Principal Consultant for Denny Cherry and Associates Consulting. He holds a BS in Computer Information Systems from Louisiana Tech University and an MBA from North Carolina State University. Joey is the co-president of the Philadelphia SQL Server Users Group . He is a frequent speaker at PASS Summit, TechEd, Code Camps, and SQLSaturday events.
-

Comments

Post a Comment

Popular Posts

6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog

Image
6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog 6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog 5 best TrueCrypt alternatives | Encrypt your computer with these apps - proprivacy.com The Best Way to Encrypt Email in Outlook - Security Boulevard 6 Anti-forensic techniques that every cyber investigator dreads | EC-Council Official Blog - EC-Council Blog Posted: 23 Nov 2019 12:00 AM PST Anti-forensic techniques can make a computer investigator's life difficult. From committing fraud in an organization to stealing crucial data, cybercriminals can perform a wide range of nefarious activities. In some cases, these perpetrators try to cover their tracks by deleting browser history, cache memory, and even cookies. But with an upward trend , it is now much convenient for cyber attackers to use already progr...
Read more

How to Encrypt Your iPhone or iPad Backup - MUO - MakeUseOf

Image
How to Encrypt Your iPhone or iPad Backup - MUO - MakeUseOf How to Encrypt Your iPhone or iPad Backup - MUO - MakeUseOf Physical and Digital Safety: Arrest and detention - CPJ Press Freedom Online Mobile Encryption Market – Key Players, Size, Trends, Growth Opportunities, Analysis and Forecast To 2027 – The Courier - The Courier Fleeing WhatsApp for Better Privacy? Don't Turn to Telegram - WIRED How to Encrypt Your iPhone or iPad Backup - MUO - MakeUseOf Posted: 23 Feb 2021 12:00 PM PST [unable to retrieve full-text content] How to Encrypt Your iPhone or iPad Backup    MUO - MakeUseOf Physical and Digital Safety: Arrest and detention - CPJ Press Freedom Online Posted: 24 Feb 2021 06:14 AM PST Share this: Covering certain stories–such as human rights abuses, corruption, or civil unrest–can place you at a higher risk of arrest and detention, particularly...
Read more

A Look At Blockchain Smartphones Available Now - I4U News

Image
A Look At Blockchain Smartphones Available Now - I4U News A Look At Blockchain Smartphones Available Now - I4U News Posted: 09 Oct 2019 06:19 AM PDT There is probably no one in the world who has not heard of cryptocurrencies. In the past few years, the general public's awareness of the likes of Bitcoin and Ethereum has skyrocketed. This has happened to such a degree that there are literally millions of us using Bitcoin wallets offered by Luno and other well established names in the industry. On the other hand, blockchain is not necessarily that well known and its capabilities maybe a little less. So although we know that blockchain is the basis of cryptocurrencies, many of us know little more than that. Anyways, this technology is extremely adaptable and is being applied to many industries/sectors from health to disaster recovery. So that it will come as no surprise that blockchain is shifting its attention to mobile. This has resul...
Read more