You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/security/fundamentals/backup-plan-to-protect-against-ransomware.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -94,7 +94,7 @@ Ransomware can attack while you're planning for an attack so your first priority
94
94
95
95
In our experience, the five most important applications to customers fall into the following categories in this priority order:
96
96
97
-
- Identity systems – required for users to access any systems (including all others described below) such as Active Directory, [Microsoft Entra Connect](/entra/identity/hybrid/whatis-azure-ad-connect.md), AD domain controllers
97
+
- Identity systems – required for users to access any systems (including all others described below) such as Active Directory, [Microsoft Entra Connect](/entra/identity/hybrid/whatis-azure-ad-connect), AD domain controllers
98
98
- Human life – any system that supports human life or could put it at risk such as medical or life support systems, safety systems (ambulance, dispatch systems, traffic light control), large machinery, chemical/biological systems, production of food or personal products, and others
99
99
- Financial systems – systems that process monetary transactions and keep the business operating, such as payment systems and related databases, financial system for quarterly reporting
100
100
- Product or service enablement – any systems that are required to provide the business services or produce/deliver physical products that your customers pay you for, factory control systems, product delivery/dispatch systems, and similar
@@ -118,7 +118,7 @@ Apply these best practices before an attack.
118
118
| Protect (or print) supporting documents and systems required for recovery such as restoration procedure documents, CMDB, network diagrams, and SolarWinds instances. | Attackers deliberately target these resources because it impacts your ability to recover. |
119
119
| Ensure you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers, and from the malware analysis provider. Protect (or print) these procedures. | Third-party contacts may be useful if the given ransomware variant has known weaknesses or decryption tools are available. |
120
120
| Ensure backup and recovery strategy includes: <br><br>Ability to back up data to a specific point in time. <br><br>Multiple copies of backups are stored in isolated, offline (air-gapped) locations. <br><br>Recovery time objectives that establish how quickly backed up information can be retrieved and put into production environment. <br><br>Rapid restore of back up to a production environment/sandbox. | Backups are essential for resilience after an organization has been breached. Apply the 3-2-1 rule for maximum protection and availability: 3 copies (original + 2 backups), 2 storage types, and 1 offsite or cold copy. |
121
-
| Protect backups against deliberate erasure and encryption: <br><br>Store backups in offline or off-site storage and/or immutable storage. <br><br>Require out of band steps (such as [MFA](/entra/identity/authentication/concept-mfa-howitworks.md) or a security PIN) before permitting an online backup to be modified or erased. <br><br>Create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vault. | Backups that are accessible by attackers can be rendered unusable for business recovery. <br><br>Offline storage ensures robust transfer of backup data without using any network bandwidth. Azure Backup supports [offline backup](../../backup/offline-backup-overview.md), which transfers initial backup data offline, without the use of network bandwidth. It provides a mechanism to copy backup data onto physical storage devices. The devices are then shipped to a nearby Azure datacenter and uploaded onto a [Recovery Services vault](../../backup/backup-azure-recovery-services-vault-overview.md). <br><br>Online immutable storage (such as [Azure Blob](../../storage/blobs/immutable-storage-overview.md)) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. <br><br>[Multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks.md) should be mandatory for all admin accounts and is strongly recommended for all users. The preferred method is to use an authenticator app rather than SMS or voice where possible. When you set up Azure Backup you can configure your recovery services to enable MFA using a security PIN generated in the Azure portal. This ensures that a security pin is generated to perform critical operations such as updating or removing a recovery point. |
121
+
| Protect backups against deliberate erasure and encryption: <br><br>Store backups in offline or off-site storage and/or immutable storage. <br><br>Require out of band steps (such as [MFA](/entra/identity/authentication/concept-mfa-howitworks) or a security PIN) before permitting an online backup to be modified or erased. <br><br>Create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vault. | Backups that are accessible by attackers can be rendered unusable for business recovery. <br><br>Offline storage ensures robust transfer of backup data without using any network bandwidth. Azure Backup supports [offline backup](../../backup/offline-backup-overview.md), which transfers initial backup data offline, without the use of network bandwidth. It provides a mechanism to copy backup data onto physical storage devices. The devices are then shipped to a nearby Azure datacenter and uploaded onto a [Recovery Services vault](../../backup/backup-azure-recovery-services-vault-overview.md). <br><br>Online immutable storage (such as [Azure Blob](../../storage/blobs/immutable-storage-overview.md)) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. <br><br>[Multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks) should be mandatory for all admin accounts and is strongly recommended for all users. The preferred method is to use an authenticator app rather than SMS or voice where possible. When you set up Azure Backup you can configure your recovery services to enable MFA using a security PIN generated in the Azure portal. This ensures that a security pin is generated to perform critical operations such as updating or removing a recovery point. |
122
122
| Designate [protected folders](/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). | Makes it more difficult for unauthorized applications to modify the data in these folders. |
123
123
| Review your permissions: <br><br>Discover broad write/delete permissions on file shares, SharePoint, and other solutions. Broad is defined as many users having write/delete permissions for business-critical data. <br><br>Reduce broad permissions while meeting business collaboration requirements. <br><br>Audit and monitor to ensure broad permissions don’t reappear. | Reduces risk from broad access-enabling ransomware activities. |
124
124
| Protect against a phishing attempt: <br><br>Conduct security awareness training regularly to help users identify a phishing attempt and avoid clicking on something that can create an initial entry point for a compromise. <br><br>Apply security filtering controls to email to detect and minimize the likelihood of a successful phishing attempt. | The most common method used by attackers to infiltrate an organization is phishing attempts via email. [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. <br><br>An example of a security filtering control for email is [Safe Links](/microsoft-365/security/office-365-security/safe-links). Safe Links is a feature in Defender for Office 365 that provides scanning and rewriting of URLs and links in email messages during inbound mail flow, and time-of-click verification of URLs and links in email messages and other locations (Microsoft Teams and Office documents). Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in EOP. Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks. <br><br>Learn more about [anti-phishing protection](/microsoft-365/security/office-365-security/tuning-anti-phishing). |
0 commit comments