Tips to Safeguard Backups from Ransomware After UnitedHealth Attack

The ransomware attack on UnitedHealth’s Change Healthcare subsidiary earlier this year has highlighted serious vulnerabilities within the healthcare industry’s cyber defenses, drawing comparisons to the Colonial Pipeline breach. It has prompted congressional testimony, intense scrutiny from lawmakers, and proposals for new legislation aimed at protecting critical infrastructure. Over the past few months there have been two congressional hearings on the attack, one in the Senate and one in the House, and several senators have called for detailed investigations into the government’s response to the incident. Further criticism has been directed at UnitedHealth’s Chief Information Security Officer, Steven Martin, who joined the company in June 2023, over the company’s apparent lack of preparedness.

After paying a $22 million ransom in an attempt to keep stolen data from being leaked, UnitedHealth still had to rebuild its systems from scratch: decrypting the locked files does not restore trust in an environment the attackers had roamed through freely. CEO Andrew Witty’s testimony brought to light that the company’s backups were not isolated by network segmentation or infrastructure gapping, so the attackers were able to compromise them along with production. This revelation has changed how organizations look at their backup and recovery strategies. Protecting backups is now a critical component of any cybersecurity framework against ransomware. Here are five tips drawn from the lessons of the UnitedHealth attack that IT infrastructure and security teams should consider to bolster the security of their backups.

Network Segmentation and Air-Gapped Backup

In the attack on UnitedHealth, the company admitted that its backups were not sequestered by network segmentation or infrastructure gapping, which allowed the attackers to lock those as well and cut off the obvious recovery path. Network segmentation is an effective way to limit the spread and impact of ransomware. Dividing the network into smaller, distinct zones contains the malware if one zone is compromised, because it cannot simply reach everything else. For backups specifically, the backup servers and repositories should sit in their own zone that ordinary user and server networks cannot initiate connections into; only the backup server should be able to reach the repository, on the backup protocol ports alone, and the repository’s credentials should be separate from the domain administrator accounts that an intruder harvests first.

An air-gapped backup keeps a copy of the backup data disconnected from the live network, either physically (offline tape or removable media in a vault) or logically (a repository that is reachable only during a scheduled replication window and has no inbound path from production the rest of the time). This separation means that even if the main network is compromised, the air-gapped copy remains untouched. Two caveats apply in practice: an offline copy is only as current as its last replication, so its age defines how much data a recovery will lose, and a copy that has never been restored from is not yet a recovery path. Organizations therefore need to both create these isolated copies and regularly test restores from them, verifying that the restored data is complete and unaltered. This additional layer of defense significantly reduces the chances of a complete lockdown and provides an assured pathway for recovery.
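The restore-test step above is where an offline copy earns its keep. The following is an added example, not code from the article or any product it mentions: each file in the copy has its SHA-256 recorded in a manifest, and the manifest is authenticated with an HMAC key that, by assumption, is kept on the recovery team’s offline media rather than on any backup host, so an intruder who can rewrite the copy cannot also rewrite the manifest to match. The backup set, the key and the file names are constructed for the demonstration.

```python
"""Verify an offline (air-gapped) backup copy before trusting it for recovery.

Added example, not the article's code. The HMAC key is assumed to live outside
the backup environment; the backup set below is constructed in a temp directory.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> bytes:
    """Record every file's digest and sign the record with the offline key."""
    entries = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "hmac": tag}).encode()


def verify_copy(root: Path, manifest: bytes, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the copy is intact."""
    doc = json.loads(manifest)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the manifest first: a tampered or re-signed manifest makes every
    # per-file comparison below meaningless.
    if not hmac.compare_digest(expected, doc["hmac"]):
        return ["manifest signature invalid: manifest itself was altered or re-signed"]
    problems = []
    for rel, digest in doc["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    # Files present on disk but absent from the manifest are also suspicious.
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in doc["files"]:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Clean copy, a copy with one encrypted file, and a forged manifest."""
    key = b"offline-recovery-key-example"   # constructed; the real key stays off-network
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "patients.dump").write_bytes(b"constructed database dump")
        (root / "config.tar").write_bytes(b"constructed config archive")
        manifest = build_manifest(root, key)
        clean = verify_copy(root, manifest, key)
        # Ransomware overwrites one file inside the copy.
        (root / "db" / "patients.dump").write_bytes(b"ENCRYPTED")
        tampered = verify_copy(root, manifest, key)
        # The attacker regenerates the manifest, but without the offline key.
        forged = verify_copy(root, build_manifest(root, b"guessed-key"), key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Run this as part of every scheduled restore test, with the manifest and key read from the offline media rather than from the repository being checked; a verification that takes its reference from the thing it verifies proves nothing.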

Multi-Factor Authentication (MFA)

The lack of multi-factor authentication (MFA) was at the center of the UnitedHealth attack: the attackers got in using stolen credentials for a remote access portal that did not require MFA. In a backup environment the same gap exists wherever a password alone opens the backup console, the storage appliance’s management interface, the hypervisor hosting the backup server, or the cloud account that holds the backup vault. Solutions like StorageGuard can audit and verify that MFA is implemented and enforced across all of these backup systems. Consistently applying and maintaining MFA is crucial because it keeps a compromised credential from being sufficient on its own.

Incorporating MFA in backup systems is a straightforward yet effective measure. MFA adds a verification step beyond the password, which can be stolen or guessed. Not all second factors are equal, though: codes sent to a mobile device or typed from an authenticator app can be phished or relayed in real time, so for backup and storage administrators, whose accounts can erase the last line of recovery, phishing-resistant factors such as FIDO2 hardware keys are the better choice. This is especially vital for systems that handle sensitive data, ensuring that even if one line of defense is breached, additional measures are in place to protect the overall system.

Restricting Administrative Access

Restricting administrative privileges is a vital part of a robust backup security strategy, because backup administrator accounts are a primary target: whoever holds them can delete or expire every recovery point. Ensuring that only the individuals who truly need admin access have it significantly reduces the attack surface. Administrative access should be strictly limited and monitored, applying controls such as a two-person rule for critical backup changes and IP access control lists (ACLs) on administrative interfaces.

Applying the principle of least privilege, where users are given only the access necessary for their roles, limits the paths through which an attacker can gain high-level access; day-to-day backup operators, for example, should be able to run and monitor jobs without being able to delete backup sets or shorten retention. A two-person rule for critical changes (deleting backup sets, shortening retention, disabling immutability, or altering the ACL and MFA settings themselves) ensures that no single account, and therefore no single stolen credential, can alter the recovery path unchecked. IP ACLs further restrict the administrative interfaces to predefined management addresses, so that only trusted hosts, ideally a dedicated management subnet or jump host, can reach them at all.
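Here is what the two controls look like when enforced together in code. It is an added example, not code from the article or from any backup product: the management subnet, the jump host address, the list of operations considered critical, and the change request itself are all assumptions chosen for illustration.

```python
"""Dual authorization plus source-IP ACL for administrative changes to a backup system.

Added example, not the article's or any vendor's code. ACL entries, the set of
critical operations and the sample requests are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Administrative interfaces should answer only to a small, fixed set of addresses:
# here a hypothetical management subnet plus one jump host.
ADMIN_ACL = [ipaddress.ip_network("10.20.30.0/28"), ipaddress.ip_network("10.0.0.5/32")]

# Operations that can destroy the recovery path need a second, distinct approver.
CRITICAL_OPERATIONS = {
    "delete_backup_set", "shorten_retention", "disable_immutability",
    "change_admin_acl", "remove_admin_mfa",
}


@dataclass
class ChangeRequest:
    operation: str
    requested_by: str
    source_ip: str
    approvals: set = field(default_factory=set)   # usernames that approved


def source_allowed(ip: str, acl=ADMIN_ACL) -> bool:
    """True if the request arrives from an allow-listed management address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)


def authorize(req: ChangeRequest) -> tuple[bool, str]:
    """Decide whether a change may be applied. Returns (allowed, reason)."""
    # ACL check comes first: a request from outside the management network is
    # rejected before any approval logic runs, so the interface leaks nothing.
    if not source_allowed(req.source_ip):
        return False, f"source {req.source_ip} not in admin ACL"
    if req.operation not in CRITICAL_OPERATIONS:
        return True, "non-critical change, single administrator sufficient"
    # Two-person rule: the requester's own approval never counts as the second
    # person, so one stolen credential cannot satisfy both roles.
    others = req.approvals - {req.requested_by}
    if not others:
        return False, "critical change needs approval from a second administrator"
    return True, f"critical change approved by {sorted(others)[0]}"


if __name__ == "__main__":
    req = ChangeRequest("shorten_retention", "alice", "10.20.30.7", {"alice"})
    print(authorize(req))   # self-approval is not enough
    req.approvals.add("bob")
    print(authorize(req))   # now passes the two-person rule
```

The approval set should come from an authenticated source (a ticketing or workflow system the admins log into with MFA), not from a field the requester fills in; otherwise the second signature is only as strong as the first.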

Immutable Backup

Ensuring that at least one backup copy is stored on immutable storage is crucial to maintaining data integrity. Immutable backups are protected by a retention lock: for the lock period the data cannot be altered, deleted or encrypted in place, not even by an administrator, and the period itself can be extended but not shortened. This is what guarantees the integrity and availability of the copy when it is needed for cyber recovery. Two caveats matter in practice. First, immutability is only as strong as its mode: object stores with S3 Object Lock-style semantics offer a governance mode that a sufficiently privileged account can bypass and a compliance mode that nobody can, and the backup copy should use the latter. Second, the retention period must outlast the time an attacker might spend inside the network before triggering encryption; a lock that expires after a few days protects nothing against an intruder who simply waits.

Immutable storage solutions are designed to protect data from both malicious activity and human error. These systems typically provide write-once-read-many (WORM) semantics: an object can be written once and read many times, but not overwritten or removed until its retention expires. Using them gives organizations a reliable copy of data that resists both cyber-attacks and inadvertent changes, and in the event of a ransomware attack this immutable copy serves as a clean source for system recovery. It should still be verified: a restore test confirms that the locked copy is not only untouched but also complete and usable.
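To make the mode and expiry caveats concrete, the following is an added example (not the article’s code and not any vendor’s implementation): a deliberately simplified model of a retention-locked vault with the compliance and governance semantics of S3 Object Lock-style systems, run against an intruder who holds storage-admin credentials. The object keys, dates and retention periods are constructed.

```python
"""Simplified model of retention-locked (WORM) backup storage.

Added example, not code from the article or any vendor. It models two retention
modes: COMPLIANCE, where nobody (storage admins included) can delete or shorten
retention before expiry, and GOVERNANCE, where a caller holding a bypass privilege
can. Objects and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone


class ImmutabilityError(PermissionError):
    """Raised when an operation would violate a retention lock."""


class WormVault:
    def __init__(self, now: datetime):
        self.now = now                 # injectable clock so expiry can be simulated
        self._objects = {}             # key -> (data, retain_until, mode)

    def put(self, key: str, data: bytes, retain_days: int, mode: str = "COMPLIANCE"):
        # Write-once: an existing key is never overwritten, so in-place encryption
        # of a locked object is impossible; new data must go under a new key.
        if key in self._objects:
            raise ImmutabilityError(f"{key} already exists (write-once)")
        self._objects[key] = (data, self.now + timedelta(days=retain_days), mode)

    def get(self, key: str) -> bytes:
        return self._objects[key][0]

    def delete(self, key: str, bypass_governance: bool = False):
        _, until, mode = self._objects[key]
        locked = self.now < until
        if locked and (mode == "COMPLIANCE" or not bypass_governance):
            raise ImmutabilityError(f"{key} retained until {until.date()} in {mode} mode")
        del self._objects[key]

    def set_retention(self, key: str, new_until: datetime, bypass_governance: bool = False):
        data, until, mode = self._objects[key]
        shortening = new_until < until
        if shortening and (mode == "COMPLIANCE" or not bypass_governance):
            raise ImmutabilityError("retention can be extended but not shortened")
        self._objects[key] = (data, new_until, mode)


def attacker_outcomes(vault: WormVault, key: str, has_bypass: bool) -> dict:
    """What an intruder with storage-admin credentials can do to a locked object."""
    far_past = vault.now - timedelta(days=365)
    attempts = (
        ("overwrite", lambda: vault.put(key, b"ENCRYPTED", 1)),
        ("shorten", lambda: vault.set_retention(key, far_past, has_bypass)),
        ("delete", lambda: vault.delete(key, has_bypass)),
    )
    result = {}
    for action, attempt in attempts:
        try:
            attempt()
            result[action] = "succeeded"
        except ImmutabilityError:
            result[action] = "blocked"
    return result


def demo() -> dict:
    """Same attacker against a compliance lock, a governance lock, and an expired lock."""
    t0 = datetime(2024, 2, 21, tzinfo=timezone.utc)   # constructed date
    key = "backup/2024-02-20.full"
    results = {}
    for mode in ("COMPLIANCE", "GOVERNANCE"):
        v = WormVault(t0)
        v.put(key, b"constructed backup", retain_days=30, mode=mode)
        results[mode] = attacker_outcomes(v, key, has_bypass=True)
    # A lock that has already expired offers no protection at all.
    v = WormVault(t0)
    v.put(key, b"constructed backup", retain_days=3)
    v.now = t0 + timedelta(days=4)
    results["COMPLIANCE_after_expiry"] = attacker_outcomes(v, key, has_bypass=False)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The three rows of output are the whole argument: compliance mode blocks everything, governance mode falls to an account with the bypass privilege, and any mode falls once retention has lapsed, which is why the retention period has to be chosen against the attacker’s likely dwell time rather than against storage cost alone.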

Secure Configuration Baseline

Establishing a secure configuration baseline for the backup and storage environment is required of financial entities by the EU’s Digital Operational Resilience Act (DORA) and has long been recommended by NIST (SP 800-53 control CM-2, Baseline Configuration). Tools that detect deviations from the baseline ensure that security principles and practices actually stay in force after the initial hardening. Regular auditing of backup systems against the baseline verifies that they remain hardened against tampering or unauthorized access, and catches the quiet drift (an exception added for a migration, a lockout threshold relaxed during troubleshooting) that attackers later exploit.

Auditing should cover multi-factor authentication, immutability best practices, and the recommendations of the CISA #StopRansomware Guide. Other measures such as dual authorization for critical changes, logging best practices (audit logs forwarded to a collector outside the backup environment, so an intruder cannot erase the record of what they did), account lockout settings, and strict backup isolation standards add further layers of security. Additionally, adhering to frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001, or industry-specific regulations like HIPAA ensures comprehensive protection measures are in place.
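A baseline check is only useful if it is concrete enough to run, so here is an added example (not the article’s code and not any product’s, StorageGuard included) that serves both this section and the earlier point about auditing MFA enforcement: a settings export from a hypothetical backup appliance is compared against a baseline, and each deviation is reported. The baseline thresholds are illustrative assumptions, not values taken from DORA, NIST or CISA, and the configuration is constructed to contain several deliberate deviations.

```python
"""Check a backup/storage system's settings against a secure configuration baseline.

Added example, not the article's or any vendor tool's code. BASELINE values are
illustrative assumptions; SAMPLE_CONFIG is a constructed export from a hypothetical
backup appliance, seeded with deviations.
"""
import ipaddress

BASELINE = {
    "mfa_required_for_admins": True,
    "immutability_mode": "COMPLIANCE",
    "min_retention_days": 14,
    "dual_authorization": True,
    "max_failed_logins": 5,
    "external_log_forwarding": True,
}

SAMPLE_CONFIG = {
    "admins": [
        {"name": "bkadmin", "mfa": True},
        {"name": "svc-legacy", "mfa": False},        # deviation
    ],
    "immutability": {"enabled": True, "mode": "GOVERNANCE", "retention_days": 7},  # two deviations
    "dual_authorization": False,                     # deviation
    "lockout": {"max_failed_logins": 10},            # deviation
    "logging": {"forward_to": "10.50.0.10:514"},
    "admin_acl": ["10.20.30.0/28", "0.0.0.0/0"],     # deviation: any source allowed
}


def check_baseline(cfg: dict, baseline: dict = BASELINE) -> list[str]:
    """Return human-readable deviations; an empty list means the system matches."""
    findings = []

    if baseline["mfa_required_for_admins"]:
        for admin in cfg.get("admins", []):
            if not admin.get("mfa"):
                findings.append(f"admin '{admin['name']}' has no MFA enforced")

    imm = cfg.get("immutability", {})
    if not imm.get("enabled"):
        findings.append("no immutable backup copy configured")
    else:
        if imm.get("mode") != baseline["immutability_mode"]:
            findings.append(f"immutability mode is {imm.get('mode')}, "
                            f"baseline requires {baseline['immutability_mode']}")
        if imm.get("retention_days", 0) < baseline["min_retention_days"]:
            findings.append(f"immutable retention {imm.get('retention_days', 0)} days "
                            f"is below baseline {baseline['min_retention_days']}")

    if baseline["dual_authorization"] and not cfg.get("dual_authorization"):
        findings.append("dual authorization for critical changes is disabled")

    threshold = cfg.get("lockout", {}).get("max_failed_logins")
    if threshold is None or threshold > baseline["max_failed_logins"]:
        findings.append(f"lockout threshold {threshold} exceeds baseline "
                        f"{baseline['max_failed_logins']}")

    if baseline["external_log_forwarding"] and not cfg.get("logging", {}).get("forward_to"):
        findings.append("audit logs are not forwarded to an external collector")

    acl = cfg.get("admin_acl", [])
    if not acl:
        findings.append("no source-IP ACL on the administrative interface")
    for entry in acl:
        # A zero-length prefix (0.0.0.0/0 or ::/0) makes the ACL meaningless.
        if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            findings.append(f"admin ACL entry {entry} allows any source address")

    return findings


if __name__ == "__main__":
    for finding in check_baseline(SAMPLE_CONFIG):
        print("DEVIATION:", finding)
```

In a real deployment the export would come from the appliance’s own API or CLI, and the check would run on a schedule with its findings sent to the same external log collector the baseline demands, so that a deviation introduced by an attacker shows up as an alert rather than waiting for the next manual audit.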
