Commentary on Veeam security vulnerability patches from Semperis
September 2024 by Mickey Bresman, CEO, Semperis
Commentary from Mickey Bresman, CEO, Semperis, on Veeam’s warning of a critical RCE flaw in its backup and replication software.
Veeam’s issuing patches for several vulnerabilities discovered in its software is a reminder that bad actors who want to encrypt an organisation’s backup and recovery system first need to access it. The first step in ransomware defence, then, needs to be attack path analysis and reduction of the attack surface. And because most attack path analysis tools on the market are built from the point of view of an attacker, organisations need a defender-oriented attack path analysis capability for backup and recovery systems, in line with a "permission-defined perimeter" approach.

First, map out the backup and recovery system components. Most backup and recovery systems have several components, such as a management server and distributed backup storage devices. During this first step, we want to make sure that the organisation is fully aware of the different components that comprise its backup and recovery solution.
Second, analyse which users in the environment have access to the backup and recovery components and in what way. In most organisations, access to resources is not granted to a user directly, but is instead assigned to a group that the user belongs to. As many backup and recovery systems have different components, we expect to find different groups with different permissions in the system, based on the responsibilities they have (for example, backup operators versus administrators). During this step, we want to make sure that we map the groups to users and analyse the type of access these users have. We should, of course, also look for direct user permissions.

And last, reduce the number of users that have access to the backup and recovery system. During this step, we review the mapped users and analyse whether they indeed need the access they’ve been given or whether their access can be reduced to a less privileged one. Through this process, we reduce the attack surface available to bad actors. The result of this activity defines the backup and recovery system tier.
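The three steps above (inventory the components, resolve group and direct grants to effective per-user access, then review and reduce) as an added worked example. This is illustrative code written for this page, not Semperis or Veeam software; the component names, groups, users, role names and the privilege ranking are constructed, and the model assumes an Active Directory-style environment where access is granted mostly through nested groups with the occasional direct user grant.

```python
"""Defender-side mapping of who can reach a backup and recovery system.

Added example written for this page; it is not Semperis or Veeam code. The
components, groups, users and role names are constructed for illustration.
"""
from collections import defaultdict

# Assumed role names, ranked so that a higher number means more privilege.
ROLE_RANK = {"viewer": 1, "operator": 2, "administrator": 3}

# Step 1 (constructed): the components that make up the backup solution.
COMPONENTS = ["backup-mgmt-server", "backup-repo-01", "backup-repo-02"]

# Constructed group memberships: a member may be a user or another group.
GROUP_MEMBERS = {
    "BackupAdmins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "BackupAdmins"],  # nesting cycle: must not loop forever
    "BackupOperators": ["carol", "dave", "HelpDesk"],
    "HelpDesk": ["erin"],
    "Domain Admins": ["frank"],
}

# Constructed access grants: (principal, component, role); the principal is
# either a group name or a user name.
GRANTS = [
    ("BackupAdmins", "backup-mgmt-server", "administrator"),
    ("BackupOperators", "backup-mgmt-server", "operator"),
    ("Domain Admins", "backup-mgmt-server", "administrator"),
    ("BackupAdmins", "backup-repo-01", "administrator"),
    ("BackupAdmins", "backup-repo-02", "administrator"),
    ("HelpDesk", "backup-repo-02", "viewer"),
    ("grace", "backup-repo-01", "administrator"),  # direct user grant
]


def expand_group(group, members, path=None, seen=None):
    """Resolve a group to {user: chain_of_groups}, following nested groups.

    Groups already visited are skipped, so membership cycles terminate; the
    first chain found to a user is the one kept.
    """
    path = (path or []) + [group]
    seen = seen if seen is not None else set()
    seen.add(group)
    users = {}
    for member in members.get(group, []):
        if member in members:  # nested group
            if member in seen:
                continue
            for user, via in expand_group(member, members, path, seen).items():
                users.setdefault(user, via)
        else:
            users.setdefault(member, path)
    return users


def effective_access(grants, members):
    """Step 2: for each (user, component), the most privileged role held and
    how it was obtained (a chain of groups, or 'direct')."""
    access = {}  # (user, component) -> {"role": str, "via": set of str}
    for principal, component, role in grants:
        if principal in members:
            resolved = {u: "group:" + ">".join(p)
                        for u, p in expand_group(principal, members).items()}
        else:
            resolved = {principal: "direct"}
        for user, via in resolved.items():
            cur = access.get((user, component))
            if cur is None or ROLE_RANK[role] > ROLE_RANK[cur["role"]]:
                access[(user, component)] = {"role": role, "via": {via}}
            elif ROLE_RANK[role] == ROLE_RANK[cur["role"]]:
                cur["via"].add(via)
    return access


def attack_surface(access, min_role="viewer"):
    """Users holding at least min_role on each component."""
    out = defaultdict(set)
    for (user, component), v in access.items():
        if ROLE_RANK[v["role"]] >= ROLE_RANK[min_role]:
            out[component].add(user)
    return dict(out)


def review_findings(access):
    """Step 3 input: what to question first, namely direct user grants (which
    bypass group-based control) and every administrator-level path."""
    direct = sorted((u, c) for (u, c), v in access.items() if "direct" in v["via"])
    admins = sorted((u, c, sorted(v["via"])) for (u, c), v in access.items()
                    if v["role"] == "administrator")
    return {"direct_grants": direct, "administrators": admins}


def simulate_removal(grants, members, grant):
    """Administrator head-count per component before and after revoking one grant."""
    before = attack_surface(effective_access(grants, members), "administrator")
    after = attack_surface(
        effective_access([g for g in grants if g != grant], members), "administrator")
    return {c: (len(before.get(c, ())), len(after.get(c, ()))) for c in COMPONENTS}


if __name__ == "__main__":
    acc = effective_access(GRANTS, GROUP_MEMBERS)
    for (user, component), v in sorted(acc.items()):
        print(f"{component:20} {user:8} {v['role']:14} via {', '.join(sorted(v['via']))}")
    print(review_findings(acc))
    print(simulate_removal(GRANTS, GROUP_MEMBERS,
                           ("Domain Admins", "backup-mgmt-server", "administrator")))
```

Two details matter for the review step: the chain of groups is recorded (so a reviewer sees that bob is an administrator only because Tier0-Ops is nested inside BackupAdmins), and a higher-privilege grant always wins over a lower one, so a user who is both operator and administrator is reported as the latter. In a real environment the group and grant data would come from the directory and the backup product's role assignments rather than from constructed lists.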