Data protection against worms, trojans and intentional data destruction
Hello, I am testing Acronis True Image right now and I am considering buying a licence for all my PCs. I am planning to set up a non-stop backup plan that does incremental backups of my data every 5 minutes to a NAS on my network. In the future I may move the NAS to a different location.
I can see that the software can be set up to save to a NAS, but I have a few concerns regarding the security of the data it is protecting in the event that a worm (or a human physically at the PC for that matter) tries to sabotage the backups.
As far as I can tell by looking, it looks like the software is using windows itself for accessing the network share, and if that is correct, wouldn't that mean the worm can simply use the same credentials to access the NAS and destroy the backups present there? Or alternatively, it may use the UI of acronis true image itself to manage and destroy the backups.
With trojans like Cryptolocker floating around these days, I am actually more concerned about intentional damage than hardware failure or accidental deletion, and Acronis True Image just doesn't seem to defend itself very well from such sabotage.
What are your thoughts about this?


John,
I share your belief that malware/ransomware/CryptoWall are more of a threat than hardware failure or accidental deletes.
I am not experienced with Windows networks or NAS...I have one laptop with a USB hard drive attached. The USB hard drive is only used to store backup files. I am taking extra steps to protect my backup data files. Here's my write up from another post:
"Personally, I run ATI from a separate user account. That account is the only account on my computer with Admin privileges. The folder that I use for the backup files is not shared with any other accounts. ATI performs the backups with no problems. However, if I try any other operation, such as restore, or validate, ATI generates error messages similar to the ones you were getting. However, when I boot with rescue media, ATI has absolutely no problems.
I do this to protect the backup data files from malware attacks. Since the account I use for surfing and e-mails only has standard user privileges, any processes spawned by that account would only have standard user privileges. I believe that any attempt to access the folder by a malware process would generate an error message or request for administrator password."
Perhaps my one computer solution could be implemented across a network. Also, if you disagree with my logic, please advise.
I am interested in what you decide and how you proceed. If/when you devise a solution, please share.
Regards,
FtrPilot

Thanks for your reply.
My first impression is that Acronis haven't thought too much about making their software malware proof, which is a bit disappointing. Malware is a significant threat to data and shouldn't be neglected. In fact a lot of malware is programmed to attempt to disable security systems and backup software once it compromises a system. At first glance it seems like it needs an ugly workaround to be made secure.
I also thought of the same idea as you with setting up a separate user account with only ATI running, and with only that account knowing the credentials for the network share. My problem is just that having a standard user account for day to day use isn't feasible as even some of the games I play require admin privilege, so I'm hoping to find a workaround where my main account can still be admin. A pitfall to consider is that even if the malware is "sandboxed" in a restricted account, it's still easy to accidentally give it admin privileges without realising you're dealing with malware.
My hope is to make the backup happen without any manual work, so I can simply set it up and forget about it. If not I will probably just leave it for a while and postpone the backup until the day when it is too late and the damage has already happened.
I contacted Acronis' support, who suggested encrypting the backup data, as that will require a password before changes to the backup can be made. Maybe this will somewhat prevent the malware from controlling ATI directly to do any damage, however unfortunately it still doesn't deal with the network share issue.
Ideally the software should have been in 2 pieces, one for the client system to protect, and one for the remote storage system. Then the client end sends the backup data to the server and tells it to store it, without any option for the client to ever tell the server software to delete anything.

Some comments...
I believe Acronis is missing a huge marketing opportunity. Data security? According to Acronis, that's the user's responsibility.
With regard to needing admin privileges for your normal day-to-day computing... When I originally set up my separate Acronis only account, my day to day account did have admin privileges. Whenever I tried to access the protected folder from my normal account, it did pop up the warning window. So, you may want to do a trial, keeping your normal account with admin privileges. The problem is that if you access the protected folder from your normal account, it removes the protection, which then requires logging back into the Acronis account and reinstating the restrictions.
With regard to "My hope is to make the backup happen without any manual work, so I can simply set it up and forget about it." Now that everything is set up, it is running flawlessly. I am running incremental backup every 4 hours. I don't have to log onto the Acronis account unless I need to do something with the data files, which is seldom. Once a day, I bring up Acronis from my normal account, it asks for the Acronis account password, and I check the log file.
With regard to Acronis suggestion to password protect the backup data...That would not protect against malware if the malware somehow got write privileges in the data folder. It would not take much to corrupt an image file.
Based on internet research, which may or may not be true, the latest version of Cryptowall (and all previous versions) only attack network drives that have been mapped to a drive letter. I believe this is an attempt by the malware developers to keep popup windows from appearing. So, I am now looking at NAS so I can store on a network drive that is not mapped to a drive letter. I am currently using an external USB drive (E: drive). And, of course, future malware could certainly attack network drives, mapped or not.
So, if you continue your Acronis 2016 test, please let me know how it works out.
Regards,
FtrPilot

I share the concern over data security but am not sure that this is an issue that Acronis can or should be responsible for addressing within their products. The real responsibility lies with Microsoft in the design of their operating system and with the glut of programs / applications that give far too much privilege to parts of the system that shouldn't be needed.
My personal concern is that the data on my system could be infected with the likes of cryptowall or other encryption-ware and that this is then propagated to my backups without my being aware in time. To this end, I try to avoid having any directly mapped drive letters to my NAS storage device, have a separate offline backup of critical data and have installed protection tools such as CryptoPrevent and Malwarebytes Anti-Exploit, plus keep my security programs updated.
One thing that CryptoPrevent has demonstrated is just how many programs install themselves into the same places where these virus / trojan / ransomware programs like to inject themselves, i.e. the User\AppData\Local, LocalLow or Roaming folders.

FtrPilot / Steve Smith:
Perhaps this is not the market Acronis are trying to meet with ATI, indeed, and some would argue that it is the responsibility of antivirus software to protect your data against malware. But as most experienced users know, AV-software is rubbish and will only protect you if you are infected with malware already known in the AV-software's malware database. That is not always the case. The other week my aunt got all her business documents encrypted by an unknown variation of cryptolocker. She had McAfee installed, but of course it didn't kick in until it was too late. She lost everything, and didn't have any backups. Now imagine if she did have ATI installed, but the malware was designed to destroy those backups; the backup would also be useless.
In my opinion, I don't think it is a matter of what it "should" and "shouldn't" protect against, and what is whose "responsibility". It's a matter of the structure of the system you choose, and the potential vulnerabilities with each structure. The problem is that the structure of Acronis True Image isn't suitable for what I am trying to do in this case, as it is designed to only be run "stand-alone" on a single system, without communicating with an actual backup server at the other end. From Acronis' point of view, I can understand that they are going for this approach, as most average users want a simple and easy setup, and most don't have a dedicated backup server running in their cellar. Unfortunately, it offers false security to users who haven't thought of malware or sabotage as a threat.
When choosing a backup solution, you want one that is universally proof in any scenario, not just accidental deletion or hardware faults, and a stand-alone client can't do that alone. I might have to look around for something else. Unfortunately the only things I can find are subscription/cloud based, or don't have [near] continuous data protection and can only be set up with schedules.
The kind of backup system needed to achieve full protection in any scenario is one that is structured in such a way that the backup software installed on the client PC talks to some kind of backup server software installed on a secondary storage computer. The secondary system then takes care of securely storing this data, either on its own hard drives, or on a NAS that only the secondary system has access to. Once the client PC has sent a bunch of data for backup, the client shouldn't have any way of altering the backed up data once it is sent, at least not without properly authenticating with the backup server first. Doing it like that will make it universally proof against anything, be it hardware faults, theft, people physically at the PC trying to destroy your work, malware, accidental deletion or corruption. I know that this is somewhat how clouds work, but I want to pay a one-off fee and manage the storage myself instead of renting a cloud.
The only other consideration is the physical location of the secondary storage system, and perhaps the security of the data stored there.
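The two-piece design argued for in this post, and in the earlier reply asking for a client half and a storage-server half, can be sketched in code. What follows is an added illustration, not Acronis code and not anything posted in this thread: a hypothetical Python `AppendOnlyStore` that runs on the storage host, accepts new versions from a client, and exposes no overwrite or delete at all. Pruning old versions is gated behind an HMAC token derived from an admin secret that is assumed to exist only on the storage host, never on the client PC. The store name, the secret, the object name and the sample backup contents are all constructed for the demo.

```python
"""Append-only backup receiver sketch (hypothetical; not Acronis code)."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


class AppendOnlyStore:
    """Server-side store: clients may add versions, never overwrite or delete.

    Pruning needs a token computed from `admin_secret`, which (assumption)
    is held only on the storage host, so a compromised client cannot forge it.
    """

    def __init__(self, root: str, admin_secret: bytes) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self._admin_secret = admin_secret

    def _obj_dir(self, name: str) -> Path:
        # Object names come from the client: reject anything that could escape root.
        if not name or "/" in name or "\\" in name or name.startswith("."):
            raise ValueError("bad object name")
        d = self.root / name
        d.mkdir(exist_ok=True)
        return d

    def versions(self, name: str) -> list[str]:
        """Version ids sorted oldest to newest (sequence number leads the name)."""
        return sorted(p.name for p in self._obj_dir(name).iterdir())

    def put(self, name: str, data: bytes) -> str:
        """Append a new version and return its id; existing versions are untouched."""
        d = self._obj_dir(name)
        existing = self.versions(name)
        seq = int(existing[-1].split("-", 1)[0]) + 1 if existing else 0
        digest = hashlib.sha256(data).hexdigest()
        path = d / f"{seq:06d}-{digest}.bin"
        # O_EXCL: create only, never truncate; file is stored read-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return path.name

    def get(self, name: str, version: str) -> bytes:
        return (self._obj_dir(name) / version).read_bytes()

    def verify(self, name: str) -> dict[str, bool]:
        """Recompute each version's SHA-256; False means the file on disk was altered."""
        result = {}
        for v in self.versions(name):
            expected = v.split("-", 1)[1][: -len(".bin")]
            actual = hashlib.sha256(self.get(name, v)).hexdigest()
            result[v] = hmac.compare_digest(expected, actual)
        return result

    def prune_token(self, name: str, keep: int) -> str:
        """Issued on the storage host only; the client never sees the secret."""
        msg = f"prune:{name}:{keep}".encode()
        return hmac.new(self._admin_secret, msg, hashlib.sha256).hexdigest()

    def prune(self, name: str, keep: int, token: str) -> list[str]:
        """Drop all but the newest `keep` versions; requires a valid admin token."""
        if not hmac.compare_digest(token, self.prune_token(name, keep)):
            raise PermissionError("prune requires a valid admin token")
        vs = self.versions(name)
        removed = vs[:-keep] if keep > 0 else vs
        for v in removed:
            p = self._obj_dir(name) / v
            os.chmod(p, 0o644)
            p.unlink()
        return removed


def demo() -> dict:
    """Replay the thread's threat: a compromised client pushes junk and tries to
    purge history.  All data and the secret below are constructed for the demo."""
    good = b"good backup taken before infection"
    with tempfile.TemporaryDirectory() as tmp:
        store = AppendOnlyStore(tmp, admin_secret=b"server-only-secret")
        v1 = store.put("documents.zip", good)
        v2 = store.put("documents.zip", b"unreadable garbage pushed after compromise")
        try:
            store.prune("documents.zip", keep=0, token="0" * 64)  # forged token
            forged_prune_allowed = True
        except PermissionError:
            forged_prune_allowed = False
        v1_intact = store.get("documents.zip", v1) == good
        all_hashes_ok = all(store.verify("documents.zip").values())
        # Only the storage host, which holds the secret, can legitimately prune.
        removed = store.prune("documents.zip", 1, store.prune_token("documents.zip", 1))
        return {
            "forged_prune_allowed": forged_prune_allowed,
            "v1_intact": v1_intact,
            "all_hashes_ok": all_hashes_ok,
            "admin_removed_oldest": removed == [v1],
            "remaining_newest_only": store.versions("documents.zip") == [v2],
        }


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the asymmetry: the client's whole interface is `put`, so the worst a compromised PC can do is add versions, which costs disk space but never destroys an earlier good copy. Retention is decided on the storage side, and `verify` gives the operator a way to notice if something with raw access to the disk changed a stored file.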