July 24, 2023

Backup security is abysmal, says backup security expert

During this recording, Mr. Backup asked our guest how many of the backup systems he had looked at had at least one critical security flaw; he said pretty much 100%. Holy. Cow. Doron Pinhas runs a company called Continuity Software, which does security assessments of storage and backup and recovery systems. They got permission from some of their customers to anonymize and publish their findings, and the results were abysmal. (You can read the report yourself here.) He said it was extremely rare to find a backup environment that was properly configured from a security standpoint. He then went on to explain the kinds of things they look for, and how you can secure your storage and backup and recovery environments. He also explained how such environments are typically overlooked by most security scans! He said they have a lot of resources on their website to help you, and they also have automated tools that will ensure you stay secure once you've zipped things up. If I were you, I'd check out those resources right now!


Transcript

Speaker:

I'm very rarely shocked when we record these episodes. But it happened in this episode. Uh, I ask a really important question of our guest, who is a storage and backup and recovery security expert. Uh, and I was shocked by his answer. If you care at all about the security of your backup and recovery system, this is the episode for you. I hope you enjoy it.

W. Curtis Preston:

Hi, and welcome to Backup Central's Restore It All podcast. I'm your host, W. Curtis Preston, aka Mr. Backup, and have with me a guy that I'm not sure fully filled me in on everything that I was in for when I bought my Tesla. Prasanna Malaiyandi, how's it going, Prasanna?

Prasanna Malaiyandi:

Oh no. What did I do this time?

W. Curtis Preston:

I don't know. As you know, I've been incredibly happy with my new car. Um, I, I, I've, I've put a thousand miles on it already. Um, which is more than you probably put in your entire first year. But the, um, I think the, my one disappointment, and it is, it truly is a disappointment, is that Tesla doesn't have tech support. Right. Given that it's essentially like, you know, that they've sold me this really expensive computer on wheels and it has all these interfaces and there's all this conflicting information about things about the car based on when you bought it, which, you know, which model you have. So I have the LFP battery, which is the newer battery, which, which apparently, according to the manual, is supposed to be charged to a hundred percent. Um, and you know, I just have questions that I would like to hear answers to directly from Tesla. There's no phone number or email address for me to contact.

Prasanna Malaiyandi:

So have you gone into the app and gone to, have you gone into the app, gone to support and said other issue?

W. Curtis Preston:

Other that, because the only thing I've seen is, is schedule service call.

Prasanna Malaiyandi:

Yeah. Uh, yeah. So if you do schedule service, I think you can also do other, and then just enter your, your questions.

W. Curtis Preston:

So you're saying my greatest disappointment doesn't exist. Is that what you're telling me?

Prasanna Malaiyandi:

I,

W. Curtis Preston:

You're looking at the, you're looking at the app right now, aren't you?

Prasanna Malaiyandi:

I am looking at the app right now. Yes, I am. Um, I think it could work. I, so I've never done this.

W. Curtis Preston:

Yeah. I mean, if I could just, if I could, yeah, if I could just have an email chat. Cuz a lot of 'em are just like, you know, you know, questions, right? Like, I'm, I'm like, I can't find this thing, right? I'm looking for the thing and I can't find the thing because there's 37 menus and, um, you know, I need

Prasanna Malaiyandi:

You know there's a search now, right? Yes.

W. Curtis Preston:

I, I know there's a search, but it doesn't always find, there's a search.

Prasanna Malaiyandi:

First world problems. Curtis, first world

W. Curtis Preston:

Never ending, the, the, the never ending search for looking for what I'm trying to find. Um, yeah, I did find the most important app though. You know, I, we've discussed this already, the, the emissions testing app, otherwise known

Prasanna Malaiyandi:

Otherwise known as Spart

W. Curtis Preston:

fart noise.

Prasanna Malaiyandi:

Oh,

W. Curtis Preston:

Could, you could literally, you, you, you can configure it so that whenever you push a button on the steering wheel, it makes a random fart noise, uh, to other passengers in the car. By the way, my wife not a big fan, not a big fan of the fart

Prasanna Malaiyandi:

Curtis, are you like a little kid in a candy store?

W. Curtis Preston:

I am. Inside, inside, every grown man is a five-year-old boy, just, just begging to get out and, uh, I'm a five-year-old boy with a $40,000 car that wants to, that wants to try every little part, right? The only difference between men and boys is the price of their toys, right? Uh, yeah. So tomorrow it'll be, it'll be a week, uh, that I've had my, my lovely new car and, uh, yes, I've put a

Prasanna Malaiyandi:

And, and oh, we should. We should, yeah. We should also tell the listeners also about your, uh, experience going through a car wash.

W. Curtis Preston:

I went to a car wash and, you know, it's one of these things, things that you take for granted when you drive, uh, you know, what I now call an ICE car? That's an internal combustion engine. A gas car is, you know, you just, it's super easy to put into neutral and, and, and Tesla's super easy to put into neutral if you know how to do it. And, uh, so I'm sitting there and I had rolled up to the, to the thing where the, you know, where the, the, the, I don't know, the conveyor belt's gonna grab my car. And then the guy's like, you know, he's pointing to the thing up there that says, you know, put it in neutral. And I'm like, oh yeah, I'm supposed to put it in neutral. I shut down the whole thing. I shut down the whole car wash because I had no idea how to put my car into neutral. And then I thought I had it in neutral. They turned it on again. Nope, shut it down again. Um, the, the only, the only nice thing I can say is thank God my wife was not in the car. She would've just been flipping out. Uh, but yeah, I, I did, luckily the manager was like, you know, rolled down the window and he's like, um, go to the menu and it's car wash mode. I'm like, sweet. Um,

Prasanna Malaiyandi:

Not the first time that this has happened at that

W. Curtis Preston:

I am not the, I'm not the first idiot with a brand new Tesla to take it into a car wash and not know how to put it in neutral. Anyway, uh, so enough Tesla talk for the day, gonna bring on our guest. He's been specializing in IT, uh, for over 30 years and specializes in storage and backup and security as well as IT architecture. He's now the CTO at Continuity Software, the industry's only cybersecurity solution for enterprise storage and backup systems. Welcome to the pod, Doron Pinhas.

Doron Pinhas:

Hi. Good to be here.

W. Curtis Preston:

So you're, you're currently in Israel, right? Doron?

Doron Pinhas:

Yep, that's true.

W. Curtis Preston:

What, what, what, what? It's, it's still sunny. What, uh, what part are you in?

Doron Pinhas:

It's 7:00 PM over here. Uh, just, you know, it's a very, very small country. It's the, the size of New Jersey maybe. So, uh, anywhere you put your finger, it's where I am. So

W. Curtis Preston:

Yeah.

Doron Pinhas:

In the area of Tel Aviv. Yes. So give or take, which is in the middle of the country.

W. Curtis Preston:

I've been to, I've been to Tel Aviv, uh, Jerusalem, and, uh, a lot. I went and did scuba diving there, uh, which was very, very nice. Um, scuba diving in the

Doron Pinhas:

A good start for a first visit.

W. Curtis Preston:

Yeah, absolutely, absolutely. I wanna do our usual disclaimer, uh, Prasanna and I work for different companies, and this is an independent podcast, and the opinions that you hear are ours and don't necessarily reflect the opinions of our employers. Also, if you, uh, like the show, please rate us, go to your favorite pod catcher and give us all the stars and comments. We'd love to hear comments from you, and also if you'd like to join the conversation or just send us, you know, kudos or whatever, uh, you can reach me at w Curtis Preston gmail or, uh, uh, WC Preston on Twitter or linkedin.com/in/mr backup. Um, so, you know, when I, when I saw your, you know, I went to Continuity's website and the first thing that popped up was this, uh, paper that you've done recently, which it looks like you've been doing for a couple of years on, uh, that that basically is a study of, uh, what, why don't, why don't you tell, tell us about it? That this paper,

Doron Pinhas:

Oh, you mean the storage and backup? Um, you know, state of the industry

W. Curtis Preston:

Yes. Yes.

Doron Pinhas:

That's the one. Yeah. Okay. So it's the tradition we started several years back. Uh, we were fortunate enough to meet, you know, we are in the IT business as a whole and, and generate, uh, management tools for, uh, large enterprises. We can talk about that later if there's any interest. Uh, and we were fortunate enough to get about with some of the world's largest enterprises, and we started talking years back about securing storage and backup systems. Lo and behold, and uh, it's dawned on us eventually that there is no standard research that tests the maturity level of the market, as it were, so several years back we started, uh, running surveys. We have a technology that then collect, that can collect configuration data off storage and backup devices, appliances, media servers and stuff like

W. Curtis Preston:

Mm.

Doron Pinhas:

and then review the configuration to see if it's done well or not. That's pretty easy. So we collected data from, uh, everyone we talked with, and many of those organizations were gracious enough to allow us to anonymize the data and generate reports. So to cut a long story short, um, this year we scanned around 10,000 storage devices in around 250 large enterprises. Most of them are relatively large organizations with north of 10,000 people. Some of them have half a million employees. So it's an interesting demographic. 60% in the United States, almost 40% in the EU, and some in Asia Pacific. Um, and we did find that, uh, the majority of environments did have grave misconfigurations that relate to storage and backup systems,

W. Curtis Preston:

Shocked

Doron Pinhas:

means that, you know, we're not shocked, but now we have the proof, the writing is on the wall. We can't ignore it anymore. We knew in the secret of our heart that things might go wrong, but now we know they are not great. And, you know, storage and backup teams are awesome at so many things. They know how to increase capacity and deal with ever shrinking backup windows and, you know, ingest new technologies and move from on-prem to cloud storage and all that fun stuff. But they are not necessarily security experts. And it is important to become more knowledgeable about security, because the outcomes of too lax security in storage and backup systems can be devastating. You know, that's something I'd love to be able to talk about, and then maybe, uh, we can have some practical advice around how can you do better? You know, once people get convinced it is important.

Prasanna Malaiyandi:

Yeah, so just a quick question. Um, when you were, uh, looking at these backup and storage systems, what sort of things were you looking for when you're evaluating to figure out were they secure or not?

Doron Pinhas:

So there, there are several dimensions to establishing whether, uh, uh, storage and backup infrastructure are secure. So all the way from the very mundane, for example, are those, uh, pieces of equipment and software laying around patched. So surprisingly enough, uh, you know, when people look at backup software like Veeam and Veritas and, you know, forgive me for all the rest, and Rubrik and others, these are pieces of commercial software. Vendors will discover security vulnerabilities, whether in the code they have created or third party libraries they use, everyone does that. And they will write security bulletins, public security bulletins, and issue patches. So the question is, do you update your software? Now when it comes to the software bit, that's a little easier because the traditional vulnerability management engine you might already have on, on, on the floor will probably catch that. Uh, but when you look at the storage and backup ecosystems, there are all sorts of bizarre components there that are never scanned, right? So we have, if you have a large shop, you have a SAN fabric, and you have NDMP and you have NetApp, and you have, uh, whatever storage OSs and various mix, no, HP and EMC and IBM, and Pure. Um, these devices are never scanned by vulnerability management engines. And so, but it's pretty easy to determine if they are exposed or not. So one of the trivial bits we've done is just retrieve the configuration baseline of all the devices we have scanned, where there are backup appliances and archiving appliances. And shockingly you'll find that, uh, patches have been out there for things like Log4j. That can impact the storage arrays. Definitely can. So, uh, but they haven't been patched. And when you talk to professionals, they say, oh, I didn't know that I have that exposure. I've run my scan with one of the big names, whatever, Tenable Nessus and Rapid7 and others, and they're all great companies, but they just don't scan the storage ecosystem to that level of detail, and people have a blind spot and it's, it's bad. So one thing is, that's mundane, right? So, and, and around that category, I can count several other aspects. Like, you know, you want to have your software patched, you want to have some of the ridiculous stuff cleaned up. Like, you know, you, you buy a backup appliance, it has a default factory account like root, root. Did you close that account? Oops. So many organizations fail to do those. Very simple, you know, it's not just the root root account. There are service accounts. There are default call home configurations that by and large are not restricted to specific IP addresses. And if I'm a hacker, I can spoof those. So there are basic things you can do when you get a device, whether that's a media library or whatever, an archiving appliance, or set up a software element, that you can do to do the basics of hardening them. So, so this is one area. Another relates to a little bit more convoluted best practices. You know, vendors will publish best practices for security, but by and large IT gurus tend to ignore them. We want to go to the meat, how can we set up our first job? But there are things, uh, that should be done. Again, some of them are pretty mundane, right? I'll give you just one example and you tell me if I'm going to, uh,

Prasanna Malaiyandi:

No,

Doron Pinhas:

uh, technical too quickly. But, um, you know, time. We all know about time, it passes, right? So, but when you set up a storage or a backup appliance, you need to set it up with an authoritative time server, right? Um, if I'm a hacker and I, uh, realize that it didn't harden the time settings, I can spoof the time server and then I can issue all sorts of attacks, like time's up attacks where, you know, I persuade your archiving appliance that 12 years have passed, just in the span of a minute. Of course, you can defeat that by setting up an authorized time server and using authentication and stuff like that, but it's not set up out of the box. Now if I'm not setting up my time correctly, of course, encryption keys can go stale and elapse, you know, really bad stuff can happen. So this is a trivial thing. If you look at, uh, at reality from the security, wearing the security hat or security glasses, you'll realize that you have to harden some basic, uh, components like time services and DNS, and you have to close default accounts and set up centrally managed authentication. All of these are best practices vendors will publish. They will also tell you that, hey, we are shipping this box out of the gate with some initial security configurations, like we do allow you to decide if you want to configure CIFS one, two, whatever. Uh, which cipher suites do you want to support? Do you support NFS version three and four and above? Do you want to limit some of those? So it's your job to decide, you know, we are selling you a Tesla. You need to drive it out of the factory and you need to do it as safely as you can. You can of course drive it hard, but you can try, you can still force it into a tree. So, the vendors will tell you, you may want to consider to close some of the protocols. If you're not using NFS, close it please. If you're using NFS, maybe you want to disable NFS version three. So we want to review some of those settings and follow the vendor best practices. So we start to see a picture emerging. So we check for the basic vulnerabilities and the locking down of default accounts, and then we go ahead and read the various vendor recommendations and make them into a structured library of things you should be looking into, and we just have a platform that can automate those checks. Now there, there are some other components to that. For example, there are several standards that are today not legally binding, but there are standards out there to regulate how stuff can be secured, right? So we have the NIST framework. We have the ISO framework. Within NIST and ISO, there are families of, uh, uh, documents that regulate various aspects of security, but specifically in recent years, there is more guidance for storage. Right? NIST has published, uh, the special publication 800-209, which talks about storage and backup systems security guidelines. Right. Just spell it out differently, but you know, uh, and we were fortunate enough to take part in shaping, uh, this particular piece. ISO are publishing, um, there is a, a document called, uh, ISO 27040, which, uh, outlines, uh, guidelines for storage security. So the current version is dated 2015. Uh, it was great at the time. It's not great anymore, but they are working on a new release, which is going to come out any week now, and we are fortunate enough to see some of the drafts and even comment, and it's awesome, right? So we have guidance around what could serve as a framework for having better security for storage and backup. Um, so the last, maybe that's the last source. We also, uh, review all of those guidelines and then we pick the ones that are relevant to the average user and turn them into a comprehensive automated checklist. If you're curious, we have about whatever, three to 4,000 automated checks. So when

Prasanna Malaiyandi:

gonna say, yeah.

Doron Pinhas:

go, go ahead and collect the configuration, you know, we just need read-only access. That's how we work with, uh, the organizations we advise. We ask them to let us, uh, have a read-only role. We collect the data, we keep it in, it doesn't have to leave. We run our tool and it just creates a dashboard and scorecards saying this is what you're doing well and here is where you, uh, can improve or might have failed. And now, uh, uh, uh, many of those organizations are really gracious, allowing us to take the stats out. So that's how we came across with a sample of around 10,000 components, and a component could be a media server, archiving device, master server, storage appliance. And when, when you talk about backup, of course everyone realizes today that the, when you want to recover something, you have multiple layers of defense. So the, the quickest recovery can be done from live on disk storage, whether that's snapshots or replicas. Uh uh, and then you have a progressing line now where, you know, the less quick recoveries from offsite and, you know, offline, maybe even offline tapes. So we have a progression of, uh, mediums, and when we want to protect backup, we have to look at all those components. So we want to protect our, a master server or media servers or archiving appliances, our online storage, the snapshots, the replica engines, all of these have to be hardened, and there is a bit more than that. Uh, so, uh,

Prasanna Malaiyandi:

That's very comprehensive.

Doron Pinhas:

Yeah. Yeah. So to, this was a very long-winded way of saying, yeah. So these, these are some of the areas we gather together to compile that list of checks. And that's how we can come about with a pretty comprehensive set of, uh, scores, and in the report we, we try to make it easy and friendly to the user. We divided the findings into the top five categories that were common in almost all environments. We also, uh, dedicated a section to some of the less frequent issues that are extremely lethal, as it were. So, you know, not many people do that, but if you do, that can be devastating. So you might want to watch out. And I think what can be really actionable if, if I'm interested to see that, just take that list of the top five or top six and ask yourself, am I free from those? You probably will find that for some of those, even in your own organizations, there is something here to take a closer look at, uh, which I think can be valuable. This is why our way of sharing, um, the generosity of the organizations we work with, in, in, in freely sharing what they do well and what they don't. So, you know, everyone can actually, uh, use that as a benchmark.

W. Curtis Preston:

I, I, I really like that, Doron. Um, in fact, the, the, the, you know, we're recording this in the middle of June. The, the episode that went live this morning was, uh, an SE that was sort of bemoaning the fact that companies don't share, um, security, especially when a security incident happens. They don't share with the rest of the world what happened, why it happened. Basically, you know, information that can help people. And I think in this case, this is really helpful, uh, in that, uh, there's two things in here. One, one, you know, I, I, you know, early in the, I said, I sh I said, shocked. Shocked. I am, uh, I, I, you know, I'm not shocked, right? Because of the, the, um, you know, because, you know, I've been in the backup space for a while and storage and backup do kind of get the back of the bus status for, for a lot of reasons. They just don't get the, many of the tools aren't looking at that. Many of the people aren't thinking about that. And the, but the reality is storage and backup, that's where it's at. That's where the data is, right? It, it's the, it is the thing that you're protecting. In fact, um, you know, in this episode that went live, um, uh, today we, you know, we were talking about, well, we're not really. I, I don't think of myself as a cybersecurity person. I think of myself as a backup and, and data person. And, and he made the point of saying, well, without data, there's no point in having cybersecurity. Right. Uh, which is, which is, which is really good. Right. Um, I, I am curious, w with this survey that you did, um, or study, whatever, whatever you'd like to call it, what. When you went out there, can you speak at all to like the percentage that you would find, like if you, if you were at a hundred companies, how many of them had something that you would consider truly scary? Uh, a misconfiguration that was

Doron Pinhas:

Are you sitting tightly?

 

W. Curtis Preston:

Uh, I'm sitting tightly.

 

Doron Pinhas:

Yeah.

 

Doron Pinhas:

Well, you know, pretty much all of them.

 

W. Curtis Preston:

I knew you were

 

Doron Pinhas:

the average, right, so, so the average device on average, a

 

Doron Pinhas:

device, and again, we define a device as either a truly physical device, like a

 

Doron Pinhas:

SAN fabric switch, or a storage array or backup appliance or archiving

 

Doron Pinhas:

appliance or stuff like that through a media server, which is a, you know, hosted

 

Doron Pinhas:

a piece of software and a master server.

 

Doron Pinhas:

Each one is a device, so the average device will have 14

 

Doron Pinhas:

risks, out of which three are critical or major, meaning that if I'm a hacker,

 

Doron Pinhas:

I, I can get in and take your data out.

 

Doron Pinhas:

So it's, that's not to say that 100% of the organizations were, uh, in a poor

 

Doron Pinhas:

situation, you know, maybe two or 3%.

 

Doron Pinhas:

Did actually better than others, but by and large, I think the state of the

 

Doron Pinhas:

industry is not great yet to be mild.

 

Doron Pinhas:

And if you want to be more brutal, it's dismal.

 

Prasanna Malaiyandi:

Do you feel though that some of this is because storage and

 

Prasanna Malaiyandi:

backup, it's kind of like a web, right?

 

Prasanna Malaiyandi:

A very complex tangled web that no one really knows how everything

 

Prasanna Malaiyandi:

is all connected together, which leads to some of these issues?

 

Prasanna Malaiyandi:

Or do you think it's some other situation why companies are doing poorly?

 

Doron Pinhas:

Yeah, I'd love to debunk that notion by the way that it's a

 

Doron Pinhas:

web, which is too complex for the human intellect to grasp, right?

 

Doron Pinhas:

You didn't say that exactly.

 

Doron Pinhas:

Like I'm, uh, but, but, uh, no.

 

Doron Pinhas:

So there, there is a way to put structure on top, you know, roll up

 

Doron Pinhas:

your sleeves and you can apply a clear methodology to, to be much better.

 

Doron Pinhas:

It's actually.

 

Doron Pinhas:

Not very difficult.

 

Doron Pinhas:

We, you know, if time allows, we can talk a little bit about what

 

Doron Pinhas:

you can do to be much more secure.

 

Doron Pinhas:

So, uh, I and I object to making it something really intangible

 

Doron Pinhas:

that's, you know, incomprehensible.

 

Doron Pinhas:

It's just a little bit of work.

 

Doron Pinhas:

We have all the foundation.

 

Doron Pinhas:

So what, but what are your, to

 

Prasanna Malaiyandi:

oh, sorry, sorry, sorry.

 

Prasanna Malaiyandi:

Uh, my question though wasn't necessarily about security guidelines being complex,

 

Prasanna Malaiyandi:

it was more the infrastructure that is deployed in customers' environments

 

Prasanna Malaiyandi:

such that maybe when you're backing up, you don't know necessarily how all

 

Prasanna Malaiyandi:

the devices are connected together.

 

Prasanna Malaiyandi:

Right.

 

Prasanna Malaiyandi:

Or the different IT groups or things like that.

 

Doron Pinhas:

Yeah.

 

Doron Pinhas:

So you, you do have a point.

 

Doron Pinhas:

And I'll give an example, but it's still no reason not to, uh, you know,

 

Doron Pinhas:

uh, get a good handle of things, right?

 

Doron Pinhas:

So it can be complex, right?

 

Doron Pinhas:

So let's first prove your point, right?

 

Doron Pinhas:

Um, and I, again, I'm thinking like a hacker, right?

 

Doron Pinhas:

I want to attack your, uh, favorite backup software.

 

Doron Pinhas:

Mm.

 

Doron Pinhas:

And there are many ways I can go about it if it's not patched.

 

Doron Pinhas:

We mentioned some I can use, uh, default accounts maybe didn't really separate.

 

Doron Pinhas:

There was a principle of separation of, uh, authorities.

 

Doron Pinhas:

You don't want to have an admin account that can actually

 

Doron Pinhas:

manage, uh, the backup server.

 

Doron Pinhas:

You have to separate those entities into separate planes.

 

Doron Pinhas:

Some will argue that the, uh, backup admin should be part of Active Directory.

 

Doron Pinhas:

There are merits to that line of thought.

 

Doron Pinhas:

Um, you know, but it has to be strictly separated because the

 

Doron Pinhas:

first thing a hacker will do once they, they, they first get in.

 

Doron Pinhas:

Now they do a little bit of a, uh, uh, reconnaissance. Eventually, you

 

Doron Pinhas:

should assume they'll get admin level, uh, credentials, domain

 

Doron Pinhas:

admin-level creds. That will happen.

 

Doron Pinhas:

So when they do that, they should not be able to attack the backup software.

 

Doron Pinhas:

So now we can do that.

 

Doron Pinhas:

But let's say you did a really good job.

 

Doron Pinhas:

I'm at a loss. Now, you talked about convoluted, uh, dependencies.

 

Doron Pinhas:

Well, you know, in many cases, probably people have something like VMware.

 

Doron Pinhas:

VMware has a trust relationship with the backup software because when

 

Doron Pinhas:

we want to take consistent backups, every piece of software does that.

 

Doron Pinhas:

We use APIs for the vSphere infrastructure to tell us when it's ready.

 

Doron Pinhas:

To, uh, back up consistently, whatever, a VM.

 

Doron Pinhas:

Or a volume or whatever to do federated consistency.

 

Doron Pinhas:

Uh, in some cases we want to even delegate the infrastructure, the ability to tell

 

Doron Pinhas:

the backup software when to start a job, what would be the content of the job.

 

Doron Pinhas:

So we have some sort of a federated trust relationship. Most

 

Doron Pinhas:

organizations we talk with don't really do that, uh, granularly.

 

Doron Pinhas:

So you, you, you have to think zero trust.

 

Doron Pinhas:

So they don't do that.

 

Doron Pinhas:

And if I can attack the vSphere infrastructure, let's say, if that hasn't

 

Doron Pinhas:

been secured, I can maybe use that to stop the backup jobs, to alter the backup jobs.

 

Doron Pinhas:

So think about it, you're using immutable backup.

 

Doron Pinhas:

I really want to destroy it because I want to encrypt your files and demand my

 

Doron Pinhas:

ransom, and I want you to have to pay.

 

Doron Pinhas:

But you have immutable backups.

 

Doron Pinhas:

Ah, I can't really delete that.

 

Doron Pinhas:

Of course, there are ways to actually delete that.

 

Doron Pinhas:

If you didn't set it up, if you didn't set up immutability correctly, you didn't

 

Doron Pinhas:

enable retention lock and stuff like that.

 

Doron Pinhas:

And I can maybe tamper with your system, but let's say you've done a good job.

 

Doron Pinhas:

Um, so I want to actually, my last resort, which is very effective,

 

Doron Pinhas:

is to poison your backups.

 

Doron Pinhas:

How do I do that?

 

Doron Pinhas:

I break into vSphere.

 

Doron Pinhas:

I.

 

Doron Pinhas:

I find that it has the ability to alter the backup job, so I alter the content.

 

Doron Pinhas:

I'm starting to back up.

 

Doron Pinhas:

Instead of actual production VMs, I'm backing up junk, my

 

Doron Pinhas:

temp directory, my swap file.

 

Doron Pinhas:

I just wanna make sure it's the same amount of data that goes nightly.

 

Doron Pinhas:

So, now I wait for two or three months.

 

Doron Pinhas:

So the backup jobs continue to run.

 

Doron Pinhas:

The backup admins, is that the job?

 

Doron Pinhas:

If you're not alert enough to find that the content has been changed, it's

 

Doron Pinhas:

successful, and after 90 days or whatever I deem necessary, I lock your files.

 

Doron Pinhas:

Um, now you go to the backup environment and say, oh, fine,

 

Doron Pinhas:

I have 90 days full of backup.

 

Doron Pinhas:

But none of them, it's all crap.

 

Doron Pinhas:

So the only valid backup you have, if you're a bank, is 90 days old.

 

Doron Pinhas:

Imagine you're calling your bank to say, where are my funds?

 

Doron Pinhas:

And they're saying, Hmm,

 

Prasanna Malaiyandi:

Sorry.

 

Doron Pinhas:

do you have a paper receipt?

 

Doron Pinhas:

Sorry, we don't know.

 

Doron Pinhas:

Um, so that can be bad, right?

 

Doron Pinhas:

So I can.

 

Doron Pinhas:

To your point, they are convoluted.

 

Doron Pinhas:

Trust relationships, API gateways and services.

 

Doron Pinhas:

To name a few examples, we scan an environment and we find, you

 

Doron Pinhas:

know, you can find the management APIs of management consoles.

 

Doron Pinhas:

You just scan for the REST API and through IP address and you find,

 

Doron Pinhas:

you find, they say we have one management console and you find three.

 

Doron Pinhas:

One of them is, is in the lab.

 

Doron Pinhas:

where they used to do testing two years ago; they never shut down that instance.

 

Doron Pinhas:

And it's not protected.

 

Doron Pinhas:

And it's, there is no time server, there is no session cookie timeout,

 

Doron Pinhas:

and it still can control production.

 

Doron Pinhas:

So we want, so there are, it is convoluted, so I totally agree.

 

Doron Pinhas:

The only thing I, um, I would suggest is that you can become good at thinking

 

Doron Pinhas:

like a criminal, uh, or expecting what a, don't think like a criminal, but expect,

 

Doron Pinhas:

you know, be able to expect what I do.

 

Doron Pinhas:

And if you are at a loss, you can refer to some of the guidelines I've provided.

 

Doron Pinhas:

Go and go ahead and read the NIST Guide.

 

Doron Pinhas:

Go ahead and read.

 

Doron Pinhas:

The coming is a guide.

 

Doron Pinhas:

SNIA has a lot of amazing resources around storage

 

Doron Pinhas:

security, and you'll find you can.

 

Doron Pinhas:

pretty easily compile a checklist of the questions you should ask.

 

Doron Pinhas:

And these are relatively straightforward questions.

 

Doron Pinhas:

Where are my, where, where is, you know, one of the big areas is the control plane.

 

Doron Pinhas:

How do I control all that stuff?

 

Doron Pinhas:

Like we have API gateways, we have management consoles, we

 

Doron Pinhas:

have, uh, URLs, the, I lock it down, it boils down to a list of

 

Doron Pinhas:

finite amount of questions.

 

Doron Pinhas:

So you have to roll up your sleeves and do that.

 

Doron Pinhas:

Um, and, and as just, I don't want to talk much.

 

Doron Pinhas:

It's not an advertisement to our company.

 

Doron Pinhas:

We have tools that allow you to automate some of that stuff, so that

 

Doron Pinhas:

might prove useful, but, as always in life, you don't have to use our tools.

 

Doron Pinhas:

If you know what you're doing, you can do a good job with

 

Doron Pinhas:

manual tools, it's still okay.

 

Doron Pinhas:

Um, you know, woodworking, myself, you know, there are a lot of things

 

Doron Pinhas:

you can do with manual tools.

 

Doron Pinhas:

Power tools can save you some effort and increase predictability, but you know,

 

Doron Pinhas:

it can, you do a fine job manually.

 

Doron Pinhas:

So that's, that's,

 

Doron Pinhas:

still fine.

 

Doron Pinhas:

So, to your question, it's complex, but it's possible to, to actually

 

Doron Pinhas:

build a framework to audit your environment in, in a more, uh,

 

Doron Pinhas:

comprehensive way and, and, and, and reduce the attack surface noticeably.

 

W. Curtis Preston:

The, cuz I, you know, you were saying, you know, you don't

 

W. Curtis Preston:

necessarily want to plug your company, but at the same time that, that's where I

 

W. Curtis Preston:

wanted to go next because I, I'm curious.

 

W. Curtis Preston:

So you, you're able to do this, um, you know, this, uh, automated check

 

W. Curtis Preston:

to check all of these settings.

 

W. Curtis Preston:

I, is that the service that your company provides or what, what else do

 

W. Curtis Preston:

you, you know, where, where do you go

 

Doron Pinhas:

Yeah, so ultimately, one of those days, you know, we

 

Doron Pinhas:

hope that organizations that want to automate a framework to check

 

Doron Pinhas:

on a daily basis or an ongoing basis or after a change that

 

Doron Pinhas:

they're always locked down.

 

Doron Pinhas:

They might be looking into something like what Continuity provides, which is an

 

Doron Pinhas:

engine that automates all of those checks, that gets automated.

 

Doron Pinhas:

It's like an antivirus if you want it, or like a vulnerability management tool.

 

Doron Pinhas:

It gets automatic updates where all the vendor best practices, the latest

 

Doron Pinhas:

CVEs, the latest recommendations from frameworks like NIST and ISO

 

Doron Pinhas:

and PCI and HIPAA are implemented.

 

Doron Pinhas:

And you, you can get automated compliance reports and if you've done something

 

Doron Pinhas:

wrong, you'll know what went wrong.

 

Doron Pinhas:

What is the syntax I need to use to fix the problem?

 

Doron Pinhas:

And you can start over.

 

Doron Pinhas:

So you, you know, we provide those tools to automate a frequent

 

Doron Pinhas:

mode of validation, right?

 

Doron Pinhas:

So that's something, uh, that can be helpful and we advocate that.

 

Doron Pinhas:

Uh, so, so that's how we make our living.

 

Doron Pinhas:

But we are also working with organizations to do one-off assessments.

 

Doron Pinhas:

Uh, no strings attached.

 

Doron Pinhas:

If you want to understand how material you are.

 

Doron Pinhas:

You know, we can definitely talk and first of all, share with you.

 

Doron Pinhas:

We'll happily do that because we learn so much from the, those interactions.

 

Doron Pinhas:

And we want to give some of that back, right?

 

Doron Pinhas:

So, uh, if you want to just run a one-time scan, you can approach us.

 

Doron Pinhas:

You can even approach your, uh, trusted, uh, security consultant and

 

Doron Pinhas:

ask them if they can do a scan for you.

 

Doron Pinhas:

Um, there are not too many options.

 

Doron Pinhas:

We are, we know, pretty unique, but they can use our software.

 

Doron Pinhas:

A lot of, uh, um, uh, there are many consultant firms out there that

 

Doron Pinhas:

have access to our technology and can use it to run a scan for you.

 

Doron Pinhas:

And even if that's a one time scan, you will understand.

 

Doron Pinhas:

What you're doing well, where you have issues, what are the

 

Doron Pinhas:

priorities of those issues?

 

Doron Pinhas:

What does it mean to your business in terms of, you know, not adhering

 

Doron Pinhas:

to industry standards and regulations. If you are in a regulated segment,

 

Doron Pinhas:

uh, sometimes that's enough.

 

Doron Pinhas:

That's just, that's a starting point that can, uh, get you going

 

Doron Pinhas:

because now you have better clarity instead of understanding that,

 

Doron Pinhas:

you know, I'm probably not good.

 

Doron Pinhas:

You'll know exactly what works well for you and where do you have issues.

 

Doron Pinhas:

So that's, in a sense, this is what our, uh, product does, and we make a living

 

Doron Pinhas:

out of selling it to those organizations that

 

Doron Pinhas:

choose to be standardized 24/7 and be accountable.

 

Doron Pinhas:

We hope, uh,

 

W. Curtis Preston:

For what it's worth, uh, you know, I'm a fan of that, right?

 

W. Curtis Preston:

I'm a fan of automation.

 

W. Curtis Preston:

I'm a fan of, uh, you know, I mean, I, I like the fact that you

 

W. Curtis Preston:

have the check first off period.

 

W. Curtis Preston:

Right?

 

W. Curtis Preston:

I'm a fan of that.

 

W. Curtis Preston:

The idea, and, and, and those are good, right?

 

W. Curtis Preston:

Those, those one time checks are good.

 

W. Curtis Preston:

It's good to have a consultant look at your stuff once in a while to make

 

W. Curtis Preston:

sure that you're doing the right stuff.

 

W. Curtis Preston:

But there's nothing like just having something continually checking because,

 

W. Curtis Preston:

you know, um, there are always new CVEs, there are always new vulnerabilities

 

W. Curtis Preston:

and things that you need to patch.

 

W. Curtis Preston:

I think patching is the thing that most people get behind on the most, right?

 

W. Curtis Preston:

There's that one time configuration of making sure we separate this and that

 

W. Curtis Preston:

and we're using MFA and we're using,

 

W. Curtis Preston:

um, you know, the, the proper, uh, usernames and passwords and not

 

W. Curtis Preston:

using root/root, you know, you, that should hopefully be a one-time thing.

 

W. Curtis Preston:

I think it's the, the patch management, uh, and other things,

 

W. Curtis Preston:

maybe recommendations change over time.

 

W. Curtis Preston:

Uh, that, that's the one where it's like, it, it would be nice to have something

 

W. Curtis Preston:

that just tells me, Hey, a new CVE came out, you know, and, and, uh, you know,

 

W. Curtis Preston:

the vendor has patched it already.

 

W. Curtis Preston:

You need to go, you know, you need to go patch it right

 

W. Curtis Preston:

away or else you're at risk.

 

Prasanna Malaiyandi:

Yeah.

 

Prasanna Malaiyandi:

I think

 

Doron Pinhas:

So you, you'll get that.

 

Doron Pinhas:

Yeah, go ahead,

 

W. Curtis Preston:

Yeah.

 

Prasanna Malaiyandi:

I think the other thing, Curtis too, and I

 

Prasanna Malaiyandi:

know we've talked about this in previous podcasts, is like people's

 

Prasanna Malaiyandi:

environment is never static, right?

 

Prasanna Malaiyandi:

You're always getting new devices in some group or another, right?

 

Prasanna Malaiyandi:

New applications being spun up, right?

 

Prasanna Malaiyandi:

New deployments, new servers, and so having that ongoing check where it's

 

Prasanna Malaiyandi:

like, Hey, we can now make it more efficient for you to bring online these

 

Prasanna Malaiyandi:

applications rather than going through sort of the entire security audit

 

Prasanna Malaiyandi:

and everything else that you might

 

Prasanna Malaiyandi:

have to do, which might elongate the time you need by weeks.

 

Prasanna Malaiyandi:

Right.

 

Prasanna Malaiyandi:

The other thing also I was thinking is there's also, from what I've read, and

 

Prasanna Malaiyandi:

I don't know, Doron, if your product supports, I'm guessing it supports

 

Prasanna Malaiyandi:

public clouds as well as endpoints.

 

Doron Pinhas:

Yep.

 

Prasanna Malaiyandi:

Okay.

 

Prasanna Malaiyandi:

Right.

 

Prasanna Malaiyandi:

So as people are looking to go to the cloud, right, sometimes they're also

 

Prasanna Malaiyandi:

looking at multi-cloud strategies.

 

Prasanna Malaiyandi:

Right where maybe they're an expert at AWS and they're trying to figure

 

Prasanna Malaiyandi:

out, can I use Azure, GCP for certain workloads or because of regionality

 

Prasanna Malaiyandi:

or services being available and, but they're not the experts.

 

Prasanna Malaiyandi:

And so to get up to speed and learn, okay, what is the mapping and what are the

 

Prasanna Malaiyandi:

best practices in AWS or in GCP or Azure takes time and they're not the experts.

 

Prasanna Malaiyandi:

They don't have the resources.

 

Prasanna Malaiyandi:

And having a tool like this that can automate.

 

Prasanna Malaiyandi:

And say like, Hey, here are your best practices.

 

Prasanna Malaiyandi:

Are you doing things in the right way or not?

 

Prasanna Malaiyandi:

And giving you that guidance and be like, yep, this is how you should be doing

 

Prasanna Malaiyandi:

things, I think can go a long way as well.

 

Doron Pinhas:

Yeah, I totally agree, and I just want to add that over the

 

Doron Pinhas:

course of running a business, right, I've been in this position for 17 years.

 

Doron Pinhas:

I'm proud of that.

 

Doron Pinhas:

You know, people stay at an organization for years and over the span of years.

 

Doron Pinhas:

You know, if you take a look at the, if you're running a, an IT shop

 

Doron Pinhas:

and you take a look at how you have run your business five years ago.

 

Doron Pinhas:

Four years ago, three, two years ago.

 

Doron Pinhas:

You'll see that there are sometimes, there are tectonic

 

Doron Pinhas:

changes over those spans, right?

 

Doron Pinhas:

We change one of our major vendors.

 

Doron Pinhas:

We move from one backup vendor to another.

 

Doron Pinhas:

We change from tapes to disks.

 

Doron Pinhas:

We start adding cloud

 

Doron Pinhas:

tertiary copies. Now, each one of those, and, and if you look three, four years

 

Doron Pinhas:

back, you'll see tectonic changes.

 

Doron Pinhas:

But each one of those steps, they happen on a monthly basis.

 

Doron Pinhas:

You know, we throw away our old library and bring in a new VTL and,

 

Doron Pinhas:

you know, something like, and, and.

 

Doron Pinhas:

And we have like five of those.

 

Doron Pinhas:

So you know, they live like four or five years.

 

Doron Pinhas:

So, you know, every year we change one and we have tapes and we have

 

Doron Pinhas:

disks, and we've, every new release, we have different frameworks, we have

 

Doron Pinhas:

new releases, management consoles.

 

Doron Pinhas:

Every four or five years the architecture changes.

 

Doron Pinhas:

So whenever something like that happens, for me, it's new.

 

Doron Pinhas:

But if you are relying on an industry backed whatever, uh, library of

 

Doron Pinhas:

checks that, you know, should cover everything, and we learn a

 

Doron Pinhas:

lot from our, uh, user community.

 

Doron Pinhas:

They'll tell us, oh, we started looking into this.

 

Doron Pinhas:

Are you familiar with it?

 

Doron Pinhas:

Say, Hmm, interesting.

 

Doron Pinhas:

Let's take a look.

 

Doron Pinhas:

Let's take a look together.

 

Doron Pinhas:

What did you find?

 

Doron Pinhas:

Some of them are, so there is a sort of a community feedback here and uh,

 

Doron Pinhas:

maybe it's new for your organization, but it's probably not new for others.

 

Doron Pinhas:

And there is definitely an opportunity to have a much better starting point.

 

Doron Pinhas:

So, you know, I'm deploying

 

Doron Pinhas:

uh, a cloud target backup, you know, and I wanna make sure that I pass

 

Doron Pinhas:

all of the checks so I run a quick scan when it's not yet production,

 

Doron Pinhas:

and I find what I'm doing well.

 

Doron Pinhas:

And if there is room for improvement, usually there is.

 

Doron Pinhas:

So, you know, an ounce of prevention is worth, uh, a pound of cure, right?

 

Doron Pinhas:

So think about your, uh, immune system.

 

Doron Pinhas:

Let's say it would've run once a year for a day, and then it would stop shut

 

Doron Pinhas:

down for a day the rest of the year.

 

Doron Pinhas:

That's not great.

 

Doron Pinhas:

It's better than nothing, but so that's so, so to, to Curtis's point.

 

Doron Pinhas:

Yeah.

 

Doron Pinhas:

One time scan is awesome.

 

Doron Pinhas:

It's important to know if something is wrong, but you know you have to

 

Doron Pinhas:

be, or it's better to be continual.

 

Prasanna Malaiyandi:

Yeah.

 

W. Curtis Preston:

Yeah, I like that a lot.

 

W. Curtis Preston:

Um, so the, you know, I'd, I'd like to wrap up, but what I, what I am curious

 

W. Curtis Preston:

about early on, you alluded to, I mean, we've kind of discussed some of the

 

W. Curtis Preston:

things that you recommend that people do.

 

W. Curtis Preston:

Besides obviously running the continual scan.

 

W. Curtis Preston:

Um, are there some other things that you recommend people do to secure

 

W. Curtis Preston:

their storage and backup environment?

 

Doron Pinhas:

Yeah, sure.

 

Doron Pinhas:

So I think

 

Doron Pinhas:

the first thing to do is to get to know a little bit more about, I, I would even read

 

Doron Pinhas:

a little bit about the business threats.

 

Doron Pinhas:

What can possibly go wrong, right?

 

Doron Pinhas:

So maybe, uh, I'm not sure we'll have time to go there today.

 

Doron Pinhas:

Why is it important?

 

Doron Pinhas:

Really get a good grasp.

 

Doron Pinhas:

Uh, it's not a difficult read.

 

Doron Pinhas:

If you go to the SNIA site, you go and, uh, take a look at the NIST or ISO guide.

 

Doron Pinhas:

You'll have a framework for, in the NIST guide, there are about

 

Doron Pinhas:

30 different areas you should be looking into, get familiar with.

 

Doron Pinhas:

What are the components you need to consider to build a

 

Doron Pinhas:

secure framework, choose.

 

Doron Pinhas:

So, you know, so the first step is, you know, get a little bit more

 

Doron Pinhas:

knowledge about storage security.

 

Doron Pinhas:

Five years ago, it was not accessible to datas.

 

Doron Pinhas:

There are plenty of resources in our site, you know, it's

 

Doron Pinhas:

www.continuitysoftware.com resources.

 

Doron Pinhas:

You'll find a library of research and guidelines and advice and

 

Doron Pinhas:

useful links to other sites.

 

Doron Pinhas:

So there is plenty of material out there to get educated.

 

Doron Pinhas:

The second thing I would encourage you to do is to define, at least at

 

Doron Pinhas:

a high level, a set of security standards you'd expect to have.

 

Doron Pinhas:

And you can draw, uh, um, uh, intuition or, or, or guidelines from the set

 

Doron Pinhas:

documents, either or NIST or other frameworks, build a set of baselines

 

Doron Pinhas:

like, so I want to lock down devices, I want to have password complexities.

 

Doron Pinhas:

I want to whatever, set up session cookies or session timeouts.

 

Doron Pinhas:

I want to, you know, these are my baselines.

 

W. Curtis Preston:

Mm-hmm.

 

Doron Pinhas:

Define those baselines and then, you know, find a way to

 

Doron Pinhas:

periodically review your settings.

 

Doron Pinhas:

You know, it's, um, it takes a little, uh, doing, but all the

 

Doron Pinhas:

building blocks are out there.

 

Doron Pinhas:

If you want to use automation, then we would be very happy

 

Doron Pinhas:

to help you achieve that.

 

Doron Pinhas:

You can even script that yourself, right?

 

Doron Pinhas:

So not everyone has to buy a power saw, right?

 

Doron Pinhas:

You can rent it.

 

Doron Pinhas:

Right?

 

Doron Pinhas:

So, but you know, close the knowledge gap, understand what is there to check.

 

Doron Pinhas:

It's a finite list.

 

Doron Pinhas:

There are 13 different areas.

 

Doron Pinhas:

There are different ways to look at it.

 

Doron Pinhas:

It's structured.

 

Doron Pinhas:

Pick and choose the, the things that are important to your business

 

Doron Pinhas:

and find a way to put repetition into validating that you're clean.

 

Doron Pinhas:

This way whenever you roll out something new and it always happens,

 

Doron Pinhas:

you have a, at least a point where you can, you know, validate your design.

 

Doron Pinhas:

So these are three things that you can easily do.

 

Doron Pinhas:

Um, and again, our site has a lot of nice videos that simulate

 

Doron Pinhas:

how, you know, how hackers think.

 

Doron Pinhas:

What they can do in a specific scenario.

 

Doron Pinhas:

Uh, when you start thinking like that, uh, it can be even interesting

 

Doron Pinhas:

to think a little bit like a hacker and, and build better designs.

 

Doron Pinhas:

If you want to make your house burglar proof, you should just take

 

Doron Pinhas:

a look outside and think critically and say, I can get in through here.

 

Doron Pinhas:

What about the basement door?

 

Doron Pinhas:

What about my Tesla keys?

 

Doron Pinhas:

And so on.

 

Doron Pinhas:

So, uh, I can hide in the Tesla.

 

Doron Pinhas:

Uh, yeah, back seat and wait for you to open the garage doors.

 

W. Curtis Preston:

Yeah, I,

 

Doron Pinhas:

that, that's my advice.

 

Doron Pinhas:

It's pretty straightforward, so.

 

W. Curtis Preston:

Yeah, I like the, um, I, I think, uh, we'll put some

 

W. Curtis Preston:

links in the show notes, uh, to the, to the things that you talked about.

 

W. Curtis Preston:

I like that idea a lot.

 

W. Curtis Preston:

Um, basically just make yourself more knowledgeable

 

W. Curtis Preston:

is, is the key.

 

W. Curtis Preston:

Cuz I, I do think that, you know, our folks tend to be backup centric,

 

W. Curtis Preston:

um, security, you know, they're learning security and a lot of backup

 

W. Curtis Preston:

folks are often junior folks, right?

 

W. Curtis Preston:

The, this is the job they were able to get.

 

W. Curtis Preston:

And mainly because nobody else wanted it, right?

 

W. Curtis Preston:

Um, yeah.

 

W. Curtis Preston:

I mean, that's how, that's how I got my first job in backup.

 

W. Curtis Preston:

And so yeah, this is definitely the part of that, the part of the world

 

W. Curtis Preston:

that you really need to go to, right?

 

W. Curtis Preston:

You really need to increase your cybersecurity knowledge.

 

W. Curtis Preston:

If you don't have that, if you were listening to this episode and these,

 

W. Curtis Preston:

uh, acronyms that, that, uh, we were, you know, rattling off like NIST, if

 

W. Curtis Preston:

those are foreign to you, definitely follow the links in the show guides

 

W. Curtis Preston:

to, um, to, to learn more about that.

 

W. Curtis Preston:

Well, uh, Doron, I want to thank you for, for coming on the show

 

Doron Pinhas:

Perfect.

 

Doron Pinhas:

It was my pleasure.

 

Doron Pinhas:

Thank you for having me.

 

W. Curtis Preston:

and Prasanna.

 

W. Curtis Preston:

You, uh, continue to get all the blame for my Tesla, but,

 

W. Curtis Preston:

uh, I'm glad you're here anyway.

 

Prasanna Malaiyandi:

Yeah.

 

Prasanna Malaiyandi:

Thanks Curtis, and nice to meet you Doron, and thanks for

 

Prasanna Malaiyandi:

answering all the questions.

 

Prasanna Malaiyandi:

I think it's a very compelling, uh, solution, right.

 

Prasanna Malaiyandi:

And solves a very specific problem that I think there's, like you mentioned, right?

 

Prasanna Malaiyandi:

There's a huge blind spot to this.

 

Prasanna Malaiyandi:

So I think it's very valuable.

 

Prasanna Malaiyandi:

And Curtis, I hope one day that you will thank me that, that you bought your Tesla.

 

Prasanna Malaiyandi:

So I'll just, uh, I'm not gonna hold my breath for that day, but.

 

W. Curtis Preston:

There's this, there's this other person in my

 

W. Curtis Preston:

house that is still blaming you, but, uh, we'll, we'll, we'll see.

 

W. Curtis Preston:

Maybe, maybe one day.

 

W. Curtis Preston:

Uh, well, anyway, I, I want to thank our listeners.

 

W. Curtis Preston:

You know, you, you are why we do this, and remember to subscribe