Re: [gpfsug-discuss] Ransom attacks
Take a look at IAM nodes.

Sent from my iPhone

> On 28 May 2021, at 01:10, Henrik Morsing wrote:
>
> Hi,
>
> It struck me that switching a Spectrum Protect solution from tapes to a GPFS filesystem offers much less protection against ransom encryption should the SP server be compromised. Same goes really for compromising an ESS node itself, it is an awful lot of data that can be encrypted very quickly.
>
> Is there anything that can protect the GPFS filesystem against this kind of attack?
>
> Regards,
> Henrik

___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] Ransom attacks
On 28/05/2021 07:46, Henrik Morsing wrote:
>> That might not make sense if GPFS is holding the SP backup data, but SP can do its own replication too - and could replicate using storage from a second GPFS file system off-site. Take snapshots of this second storage, as well as SP database, and again manage with a second sysadmin team.
>
> Thanks all for some useful replies, something to take forward.
>
> In this case, SP is using GPFS for storing backup data, this solution was meant to replace the tape libraries completely.

If your backup is for disaster recovery that's fine. If you expand your disaster to include ransom attacks then disk based backups are IMHO inadequate simply because they can be gone forever in the blink of an eye.

> We protect the storage pools cross-site, but our solutions are identical, so if you hacked one, you have hacked both.

Currently we use a home grown disk based system for the backup (home grown because it's cheap), however we are looking to augment it with tape because tape is firstly ransom attack resistant, and second tape is "green" with a very low carbon footprint.

From a TSM perspective backup goes to the disk run as a bunch of sequential access files like "tapes", and the copy pool will exist on tape. We get the benefit of having the backup on disk, aka the short access times to files, with the protection offered by tape should we get hit by a ransom attack.

JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
Re: [gpfsug-discuss] Ransom attacks
On Thu, May 27, 2021 at 03:20:08PM +, Anderson Ferreira Nobre wrote:
> Henrik,
>
> One way would be to integrate Scale with QRadar. If I'm not wrong, you can configure QRadar to take a snapshot when it detects there's an attack happening. The details you can take from here:
>
> [1] https://www.redbooks.ibm.com/redpapers/pdfs/redp5560.pdf
> [2] https://www.youtube.com/watch?v=Zyw84dvoFR8

Hi,

Looking at the video (not read the document yet) I'm not sure QRadar is advanced enough to detect someone encrypting a storage pool from the SP server. It's a single file pretty much accessed 24x7, but I will look into it further, thanks.

Regards,
Henrik
Re: [gpfsug-discuss] Ransom attacks
On Thu, May 27, 2021 at 02:17:37PM -0400, Lindsay Todd wrote:
> That might not make sense if GPFS is holding the SP backup data, but SP can do its own replication too - and could replicate using storage from a second GPFS file system off-site. Take snapshots of this second storage, as well as SP database, and again manage with a second sysadmin team.

Thanks all for some useful replies, something to take forward.

In this case, SP is using GPFS for storing backup data, this solution was meant to replace the tape libraries completely.

We protect the storage pools cross-site, but our solutions are identical, so if you hacked one, you have hacked both.

Regards,
Henrik
Re: [gpfsug-discuss] Ransom attacks
Henrik,

Generally you need to begin with a good backup or replica, as well as suitable air-gaps to isolate contamination. You also need to be able to quickly detect unusual activity - a SIEM tool like QRadar might help. Assume that a cyber-incident will happen and plan accordingly. Use in-depth security.

But you are right - you lose one of the advantages of tape - you can make duplicate copies, maybe even a WORM copy, and store it offsite. You might at the very least want to take snapshots of the storage being used by Spectrum Protect, and have separate administrators for the ESS and SP server (to reduce inside risk).

If it was actually GPFS being backed up to SP, you could have a second GPFS file system that is a point-in-time synchronized copy of the original GPFS file system - with its own snapshots. It could have yet another sysadmin, and you could isolate the second copy from the network when not actively synchronizing. See https://www.redbooks.ibm.com/abstracts/redp5559.html?Open

That might not make sense if GPFS is holding the SP backup data, but SP can do its own replication too - and could replicate using storage from a second GPFS file system off-site. Take snapshots of this second storage, as well as SP database, and again manage with a second sysadmin team.

Lindsay Todd, PhD
Spectrum Scale (GPFS) Solution Architect
IBM Advanced Technology Group – Storage
Mobile: 1-518-369-6108
E-mail: lind...@us.ibm.com

On Thu, May 27, 2021 at 11:10 AM Henrik Morsing wrote:
> Hi,
>
> It struck me that switching a Spectrum Protect solution from tapes to a GPFS filesystem offers much less protection against ransom encryption should the SP server be compromised. Same goes really for compromising an ESS node itself, it is an awful lot of data that can be encrypted very quickly.
>
> Is there anything that can protect the GPFS filesystem against this kind of attack?
>
> Regards,
> Henrik
Re: [gpfsug-discuss] Ransom attacks
On 27/05/2021 16:23, Skylar Thompson wrote:

[SNIP]

> at the end of the day, nothing beats the air-gap of tape backups, IMHO.

Changing/deleting lots of data on tape takes time. So tape is a really good starting point even if you never take the tapes out of the library except to dispose of them.

Your backup is your get out of jail card. Protect it like it's Fort Knox.

A bit of security through obscurity by using Power and AIX will not go amiss. Even if it only buys you a couple of hours that can be enough to save the backup from harm.

Passwords on the Spectrum Protect server should be good, *never* be used anywhere else, and only a handful of trusted people should have access to them.

Make sure you have a reuse delay on those tapes so even if the bastards do a del filespace (if they even know how to use TSM) you can roll back the database.

I also have the notion that you should be able to cut the power to the Spectrum Protect server and tape libraries such that it requires an on site visit to manually power them back up by flicking a nice big molly switch. I have a notion in my mind of tripping a residual-current device/ground fault circuit interrupter by using a relay to create a neutral earth fault. First sign of trouble disconnect the backup system :-)

JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
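The reuse delay Jonathan refers to, shown as an added Spectrum Protect (TSM) administrative-command example that is not part of the thread: the pool and device class names are placeholders, and the 14-day window is an assumed value chosen so that the reuse delay on scratched volumes is never shorter than the database backup retention.

```text
/* Added example, not from the thread. Names LTO_DC and TAPE_COPYPOOL are   */
/* placeholders; 14 days is an assumed retention period.                    */

/* Keep server database backups for 14 days (DRM tracks their expiration). */
set drmdbbackupexpiredays 14

/* Take a full database backup to the tape device class (run nightly).     */
backup db devclass=LTO_DC type=full

/* Volumes returned to scratch in the copy pool stay unchanged for 14 days. */
/* A database restored from any of those backups therefore still points at */
/* intact volumes, so a malicious "delete filespace" can be rolled back.   */
update stgpool TAPE_COPYPOOL reusedelay=14

/* Check that the two windows match.                                       */
query stgpool TAPE_COPYPOOL format=detailed
query drmstatus
```

REUSEDELAY applies to sequential-access pools in general, so the same setting also guards a FILE device class pool on GPFS against deletions issued through the SP server; it offers no protection if the underlying files are encrypted in place, which is the concern that opened this thread.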
Re: [gpfsug-discuss] Ransom attacks
You can get clever/complicated (the interpretation could go either way) with ACLs and SELinux but, at the end of the day, nothing beats the air-gap of tape backups, IMHO. You might consider a belt&suspenders approach that includes all of the above plus other controls (2FA, network security, etc.), and in my experience combining multiple solutions gives flexibility in that it can be easier to avoid the higher-cost aspects of one solution taken to an extreme by having one layer mitigate the shortcomings of another layer.

On Thu, May 27, 2021 at 04:10:39PM +0100, Henrik Morsing wrote:
> Hi,
>
> It struck me that switching a Spectrum Protect solution from tapes to a GPFS filesystem offers much less protection against ransom encryption should the SP server be compromised. Same goes really for compromising an ESS node itself, it is an awful lot of data that can be encrypted very quickly.
>
> Is there anything that can protect the GPFS filesystem against this kind of attack?

--
-- Skylar Thompson (skyl...@u.washington.edu)
-- Genome Sciences Department (UW Medicine), System Administrator
-- Foege Building S046, (206)-685-7354
-- Pronouns: He/Him/His
Re: [gpfsug-discuss] Ransom attacks
Henrik,

One way would be to integrate Scale with QRadar. If I'm not wrong, you can configure QRadar to take a snapshot when it detects there's an attack happening. The details you can take from here:

https://www.redbooks.ibm.com/redpapers/pdfs/redp5560.pdf
https://www.youtube.com/watch?v=Zyw84dvoFR8

Abraços / Regards / Saludos,

Anderson Nobre
Power and Storage Consultant
IBM Systems Hardware Client Technical Team – IBM Systems Lab Services
Phone: 55-19-2132-4317
E-mail: ano...@br.ibm.com

----- Original message -----
From: Henrik Morsing
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: gpfsug-discuss@spectrumscale.org
Cc:
Subject: [EXTERNAL] [gpfsug-discuss] Ransom attacks
Date: Thu, May 27, 2021 12:10

Hi,

It struck me that switching a Spectrum Protect solution from tapes to a GPFS filesystem offers much less protection against ransom encryption should the SP server be compromised. Same goes really for compromising an ESS node itself, it is an awful lot of data that can be encrypted very quickly.

Is there anything that can protect the GPFS filesystem against this kind of attack?

Regards,
Henrik