Information Backup
Description
Backup copies of information, software, and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
⚠️ Risk Impact
Ransomware specifically targets backups. Backups kept in the same account or region as production are encrypted in the same attack. Modern adversaries verify that backups have been destroyed before triggering encryption.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Cross-account, cross-region, write-once-read-many (WORM) backups. Quarterly restore tests. MFA-required deletion. Cloud-native immutable backup storage (S3 Object Lock, GCS Bucket Lock, Azure Blob Lock).
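The remediation above can be turned into a mechanical check. The following is an added example, not EchelonGraph's scanner code: it evaluates one backup target's settings (dicts shaped like the S3 GetObjectLockConfiguration and GetBucketVersioning responses, with constructed account IDs, regions and dates) against isolation, immutability, MFA-delete and restore-test requirements, and treats Object Lock GOVERNANCE mode as a gap because it can be bypassed by principals granted s3:BypassGovernanceRetention. The 92-day quarter window is an assumption.

```python
from datetime import date, timedelta

QUARTER = timedelta(days=92)  # assumption: "quarterly" = tested within ~92 days

def evaluate_backup_target(cfg, prod_account, prod_region, today=None):
    """Return the control gaps for one backup target (empty list = compliant)."""
    # cfg mirrors S3 GetObjectLockConfiguration / GetBucketVersioning responses,
    # plus account, region, retention requirement and last restore-test date.
    today = today or date.today()
    gaps = []
    # Isolation: a backup inside production's blast radius dies in the same attack.
    if cfg["account_id"] == prod_account:
        gaps.append("same account as production")
    if cfg["region"] == prod_region:
        gaps.append("same region as production")
    # Immutability: Object Lock on AND default retention in COMPLIANCE mode;
    # GOVERNANCE can be lifted by anyone granted s3:BypassGovernanceRetention.
    lock = cfg.get("ObjectLockConfiguration", {})
    rule = lock.get("Rule", {}).get("DefaultRetention", {})
    if lock.get("ObjectLockEnabled") != "Enabled" or not rule:
        gaps.append("immutability not enforced")
    elif rule.get("Mode") != "COMPLIANCE":
        gaps.append(f"retention set but mode is {rule.get('Mode')}, not COMPLIANCE")
    elif rule.get("Days", 0) < cfg["required_retention_days"]:
        gaps.append("default retention shorter than required")
    # Deletion: versioning plus MFA Delete so a stolen key alone cannot purge history.
    versioning = cfg.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        gaps.append("versioning not enabled")
    if versioning.get("MFADelete") != "Enabled":
        gaps.append("MFA not required for deletion")
    # Restore testing: an untested backup is an assumption, not a control.
    last_test = cfg.get("last_restore_test")
    if last_test is None or today - last_test > QUARTER:
        gaps.append("no restore test within the last quarter")
    return gaps

# Constructed samples, not real accounts. WEAK has the "retention met but
# immutability not enforced" pitfall; STRONG follows the remediation above.
WEAK_TARGET = {
    "account_id": "111111111111", "region": "us-east-1", "required_retention_days": 90,
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
        "DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}},
    "Versioning": {"Status": "Enabled", "MFADelete": "Disabled"}, "last_restore_test": None}
STRONG_TARGET = {
    "account_id": "222222222222", "region": "eu-west-1", "required_retention_days": 90,
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
        "DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}},
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "last_restore_test": date.today() - timedelta(days=30)}
```

Calling `evaluate_backup_target(WEAK_TARGET, "111111111111", "us-east-1")` lists every gap for a bucket that sits in the production account, while the same call on `STRONG_TARGET` returns an empty list.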
💀 Real-World Attack Scenario
A SaaS company hit by LockBit 3.0 kept its backups in the same AWS account as production. The attackers, holding admin credentials, encrypted the backups too, forcing a $3.4M ransom negotiation. Air-gapped backups would have eliminated the leverage.
💰 Cost of Non-Compliance
Ransomware with destroyed backups: average $5.13M (Coveware 2024). When no ransom is paid: average 23 days of downtime.
📋 Audit Questions
1. Backup storage: same account/region as production?
2. MFA required for deletion?
3. Last restore test?
4. Immutability configuration?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Backups in same account as production
- ⛔ Restore procedures never tested
- ⛔ Backup retention met but immutability not enforced
📈 Business Value
Air-gapped, tested backups convert ransomware from existential to operational.
⏱️ Effort Estimate
40-80 hours initial architecture + quarterly DR test
EchelonGraph monitors backup configuration + alerts on gaps
🔗 Cross-Framework References
Automate ISO 27001 A.8.13 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.