Air-Gapped Storage vs. Image Guardian Options
jimhill10
New Member | Group: Forum Members | Posts: 6, Visits: 10
Background: For some of my employees I am using an air-gapped USB storage device, meaning it has either a power switch or a USB switch which removes it from the system. This then prevents malware from reaching the drive. The issue is that employees have to enable the USB storage device in order to create their Macrium images. I know that Macrium provides both Image Guardian and also a way to set a password in the advanced settings for the image.
My questions for the excellent users on this forum are as follows:
1. Do you trust the Image Guardian alone when you create an image to a hot-connected USB storage device? Do you also set a password as standard practice? Is this then enough to prevent malware from encrypting the image files? Note, we have a computer policy which prevents the execution of PowerShell scripts as part of our malware prevention program.
2. Has anyone figured out an easy way to software-disable their USB storage device, say perhaps via a script that would then enable it only for the purpose of Macrium writing the image file? I would then have to figure out a way to re-enable it for recovery purposes, as we use both the Windows boot option in Macrium and the recovery disk method.
3. Are others using the USB switched device or powering off their USB storage devices?
jphughan
Macrium Evangelist | Group: Forum Members | Posts: 9.7K, Visits: 63K
Right off the bat, password protecting your backups should not be seen as any form of ransomware protection. Ransomware does not have to be able to interpret your files in order to be able to encrypt them. It would simply apply its own encryption on top of the encryption used within the backup files.  The purpose of password protecting backups is to restrict the ability to access the contents of the backups, e.g. to prevent random people from being able to access confidential/sensitive data, especially if the backup drive were to fall into the wrong hands.  It is NOT to protect against malicious modification.

With that out of the way, Image Guardian in my view is certainly an improvement over not having Image Guardian.  But it cannot protect backups as effectively as an air gap can.  No software could.  Most ransomware does not run with elevated privileges because it typically does not need them to do its damage, and in those scenarios Image Guardian would be a highly effective tool.  But if ransomware DID gain elevated privileges by tricking the user into accepting a UAC prompt or by exploiting a privilege escalation vulnerability, then there's no way that Image Guardian or anything else could guarantee the security of your data, because at that point you have one admin-level bit of software fighting another one.  Also, Image Guardian specifically does not attempt to prevent ALL possible means of affecting your backups.  I mentioned recently in another thread that Image Guardian will do nothing to stop you or malware from formatting a volume that contains Reflect backups, or applying full volume encryption to it.  That is simply not what it is designed to do.  Both of those operations require admin-level privileges, however.  (My post is in this thread if you care for some reading.)

That said, security and convenience are often diametrically opposed goals, so everyone has to decide what level of security they actually need and are willing to live with.  I personally use Image Guardian for my external hard drive that is connected all the time, but I also have a mostly-offline drive that serves as a clone of my external drive but only gets updated periodically.  And I also back up my truly crucial data to the cloud.

In terms of a software solution to take a partition offline and then bring it back just for Reflect, there's no secure way to do that.  I've seen a few users here ask for a way to have Reflect remove a drive letter assignment from a destination drive after sending a backup to it.  And I even wrote a PowerShell script once that would do that, as well as finding the correct volume and creating the drive letter assignment before the backup started, mostly just to see if I could make it work.  But that is security by obscurity, which is no real security at all.  And ransomware has been shown not to spare hidden volumes.

Bottom line: There is no substitute for a proper air gap.  But if you want it, then there are no shortcuts either, at least not any that preserve the security of an air gap that made it attractive to you in the first place.

Edited 8 June 2021 4:07 PM by jphughan
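An added illustration of the drive-letter approach jphughan describes above (this is not his script, nor anything shipped by Macrium); the volume label, drive letter and function names are assumptions. As he says, any process running as admin can call Add-PartitionAccessPath just as easily, so this hides the backup volume from casual enumeration rather than protecting it:

```powershell
#Requires -RunAsAdministrator
# Hypothetical helpers: locate the backup partition by volume label, attach a
# drive letter only while Reflect runs, then detach it again afterwards.
$BackupLabel  = 'REFLECT_BACKUPS'   # assumed volume label of the backup partition
$BackupLetter = 'R'                 # assumed letter to assign only during the backup

function Get-BackupPartition {
    # Look the partition up by label, not by letter: the letter is deliberately
    # absent while the volume is "hidden".
    $part = Get-Partition | Where-Object {
        ($_ | Get-Volume -ErrorAction SilentlyContinue).FileSystemLabel -eq $BackupLabel
    } | Select-Object -First 1
    if (-not $part) { throw "No partition with label '$BackupLabel' found" }
    return $part
}

function Mount-BackupVolume {
    # Run before the backup starts. Returns the path Reflect should write to.
    $part = Get-BackupPartition
    if (-not $part.DriveLetter) {
        Add-PartitionAccessPath -DiskNumber $part.DiskNumber `
            -PartitionNumber $part.PartitionNumber -AccessPath "${BackupLetter}:\"
    }
    return "${BackupLetter}:\"
}

function Dismount-BackupVolume {
    # Run after the backup finishes. Removes only drive-letter access paths;
    # the \\?\Volume{...}\ path always remains and is enough for any admin
    # process to reach the data, which is why this is obscurity, not an air gap.
    $part = Get-BackupPartition
    foreach ($path in ($part.AccessPaths | Where-Object { $_ -match '^[A-Z]:\\$' })) {
        Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
            -PartitionNumber $part.PartitionNumber -AccessPath $path
    }
}
```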
jimhill10
New Member | Group: Forum Members | Posts: 6, Visits: 10
Thanks so much, your feedback is extremely helpful. I am going to evaluate my assets on a machine-by-machine basis in light of this. I can see that an air gap offers the maximum advantage for protection of data. Thanks again.